A federal judge has granted preliminary approval to a $5 million settlement resolving a class-action lawsuit over the 2023 insider breach at Geisinger Health.
According to Bank Info Security, a federal judge has granted preliminary approval to a $5 million proposed settlement resolving a class-action lawsuit over a data breach tied to a former employee of Nuance Communications who accessed Geisinger Health patient records in late 2023 after his termination. The court certified a class of between 1.2 and 1.3 million people and set a claims deadline in mid-March 2026; a final approval hearing is scheduled for March 16, 2026.
According to HealthIT News, the breach occurred on November 29, 2023. Geisinger then discovered that a former Nuance employee had accessed Geisinger patient information two days after the worker had been terminated. Law enforcement asked Nuance to delay public notification while investigators worked the case; the employee was arrested and later federally charged. Initial notices and court filings describe exposed fields that varied by patient, including names, dates of birth, and addresses, as well as medical record numbers and certain treatment/admission codes. At the time, both Geisinger and Nuance stressed that some financial and insurance fields initially were not thought to be exposed, though subsequent filings indicated Social Security numbers and insurance information may also have been accessed for some individuals.
An insider breach occurs when someone within an organization, such as an employee, contractor, or anyone with authorized access, misuses that access to view, steal, or disclose sensitive information. Unlike external attacks, insider breaches can be harder to detect because the activity often appears legitimate on the surface.
In a separate but similar case, Akumin, a U.S. outpatient radiology and imaging services provider, agreed in October 2025 to settle a class action lawsuit for US$1.5 million stemming from a ransomware-driven data breach that occurred on October 11, 2023. Sensitive patient data potentially exposed included names, dates of birth, Social Security numbers, driver’s license or passport numbers, medical record numbers, insurance information, medical history, and more.
Under the settlement, affected individuals may file for cash payments (up to US$2,500 for documented losses such as identity theft or fraud-related costs) and receive one year of free medical data monitoring. The claims must be submitted by November 30, 2025. The settlement has received preliminary approval, and a final hearing is scheduled for December 15, 2025.
This case demonstrates the growing trend of large healthcare data breach settlements following ransomware attacks and inadequate cybersecurity safeguards.
The settlement does not determine whether HIPAA was violated. However, insider access after employee termination often raises compliance concerns around:
Not necessarily. Settlement benefits depend on claim type:
Some of the most frequent issues include:
Ideally, access should be revoked immediately, as former employees with active credentials pose a serious security threat.