Geisinger patients could see payouts if $5M data breach settlement is approved
AI-generated summary reviewed by our newsroom.
- A $5M settlement could compensate 1.26M Geisinger patients after 2023 breach.
- Patients may claim up to $5,000, opt for credit monitoring or cash payment.
- Former software employee faces criminal charges.
Geisinger patients whose personal information was exposed in a 2023 data breach could see payments months from now under a proposed $5 million class-action settlement.
U.S. District Judge Matthew W. Brann was asked Wednesday to grant preliminary approval of the settlement, which covers about 1.26 million people.
None of the settlement would be paid for by Geisinger or its insurance, the health system said Friday in a statement.
Multiple lawsuits were brought against the health system and a Microsoft-owned computer software company after a former employee improperly accessed Geisinger’s patient records in November 2023.
It included patients’ names, birthdates, addresses, movement codes, medical record numbers, race, gender, phone numbers and facility name abbreviations. Geisinger and the software company said it did not appear to include Social Security numbers.
The two companies did not admit any wrongdoing or liability. The former employee has been charged with a crime and is awaiting trial.
It’s not immediately known how much patients could expect to receive from the pro rata settlement, though it likely wouldn’t be a bonanza. Attorneys who brought the lawsuit said they plan to ask the judge for one-third of the settlement, which must also cover administrative expenses, litigation costs and taxes.
Under the deal, class members would have two payment options. They could be reimbursed up to $5,000 for documented out-of-pocket losses that are “more likely than not attributable” to the data breach or a more straightforward cash payment.
Members could also enroll in a credit monitoring and identity theft protection service for a year or opt out of the settlement. Five people who filed lawsuits against the companies would each receive $2,000.
Members would have about three months to submit a claim — either by mail or online — once notice of the settlement is sent through the Postal Service.
Geisinger said it discovered in November 2023 that former Nuance Communications employee Max Vance accessed patient information two days after he was fired for unrelated misconduct. His access to Geisinger’s records was then permanently disconnected.
The health system did not notify patients until June 2024, saying the delay was at the behest of law enforcement investigating the alleged crime.
Vance, aka Andre J. Burk, is charged with obtaining information from a protected computer and has pleaded not guilty. In a court filing, a federal prosecutor described him as a sophisticated software engineer and identity fraudster.
Vance is representing himself and is incarcerated at the Lycoming County Prison. His trial is scheduled for Jan. 5.
This story was originally published September 12, 2025 at 2:17 PM.