Geisinger Health and Nuance Communications: Stolen data complaint against Geisinger Health, Nuance Communications settled for $5M

$5 Million Settlement Approved in Geisinger-Nuance Medical Data Breach Affecting 1.3 Million Patients

A Pennsylvania judge has approved a $5 million settlement resolving a class-action lawsuit against Geisinger Health and Nuance Communications following the theft of 1.3 million patient records by a former Nuance employee. The breach, which exposed sensitive data including names, birthdates, addresses, medical record numbers, treatment details, and insurance information, stemmed from Geisinger’s partnership with Nuance, a Microsoft subsidiary specializing in AI-driven clinical documentation tools.

The lawsuit was filed on June 28, 2024, with the settlement finalized earlier this month. While the agreement does not require either company to admit wrongdoing, it includes $30,000 in additional payments to cover litigation costs and awards for the five plaintiffs who initiated the case. Victims have until March 18 to file claims, though the exact payout per individual will depend on how many of the 1.3 million affected patients participate.

As of March 5, only 97,000 victims had registered for direct cash compensation. Affected individuals may also opt for complimentary credit monitoring, though participation in the settlement class is required to access the benefit. Notably, there is no evidence that the stolen data has surfaced on the dark web or been misused.

Geisinger, a nonprofit health system serving 45 Pennsylvania counties, operates 10 hospitals and 126 care sites, treating over 3 million patients annually. The breach highlights ongoing risks in third-party data handling within the healthcare sector.

Source: https://healthexec.com/topics/health-it/cybersecurity/stolen-data-complaint-against-geisinger-health-nuance-communications-settled-5m

Nuance Communications cybersecurity rating report: https://www.rankiteo.com/company/nuance-communications

Geisinger cybersecurity rating report: https://www.rankiteo.com/company/geisinger

"id": "NUAGEI1773772921",
"linkid": "nuance-communications, geisinger",
"type": "Breach",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1.3 million patients',
                        'industry': 'Healthcare',
                        'location': 'Pennsylvania, USA',
                        'name': 'Geisinger Health',
                        'size': '10 hospitals, 126 care sites, 3 million '
                                'patients annually',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '1.3 million patients',
                        'industry': 'Healthcare IT / AI',
                        'name': 'Nuance Communications',
                        'type': 'Technology Provider'}],
 'attack_vector': 'Insider Threat',
 'customer_advisories': 'Victims have until March 18 to file claims; '
                        'complimentary credit monitoring offered.',
 'data_breach': {'number_of_records_exposed': '1.3 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Names',
                                              'Birthdates',
                                              'Addresses',
                                              'Medical record numbers',
                                              'Treatment details',
                                              'Insurance information']},
 'date_publicly_disclosed': '2024-06-28',
 'description': 'A Pennsylvania judge has approved a $5 million settlement '
                'resolving a class-action lawsuit against Geisinger Health and '
                'Nuance Communications following the theft of 1.3 million '
                'patient records by a former Nuance employee. The breach '
                'exposed sensitive data including names, birthdates, '
                'addresses, medical record numbers, treatment details, and '
                'insurance information.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': '1.3 million records',
            'financial_loss': '$5,000,000 (settlement)',
            'identity_theft_risk': 'Yes',
            'legal_liabilities': 'Class-action lawsuit'},
 'initial_access_broker': {'data_sold_on_dark_web': 'No evidence'},
 'post_incident_analysis': {'root_causes': 'Insider threat due to third-party '
                                           'data handling risks'},
 'references': [{'source': 'Cyber Incident Description'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit'},
 'threat_actor': 'Former Nuance Employee',
 'title': '$5 Million Settlement Approved in Geisinger-Nuance Medical Data '
          'Breach Affecting 1.3 Million Patients',
 'type': 'Data Breach'}