
The Geisinger Health and Nuance class action settlement is a cautionary tale for healthcare organizations.
For HIPAA compliance professionals, the risk landscape is constantly shifting. While regulatory enforcement actions by the Office for Civil Rights (OCR) remain a primary concern, a more immediate and financially damaging threat is on the rise: the data breach class action lawsuit.
The proposed $5.1 million settlement involving Geisinger Health and Nuance Communications is the latest example of this evolving dynamic. Arising from a 2023 data breach affecting more than a million patients, this settlement offers vital lessons on third-party risk, insider threats, and the increasingly aggressive nature of the plaintiffs’ bar in the aftermath of Protected Health Information (PHI) exposure.
For those navigating the complex intersection of HIPAA regulations, cybersecurity, and corporate law, understanding this settlement is a necessary step in fortifying organizations against a similar fate.
The Anatomy of the Geisinger/Nuance Incident
To understand the implications of the settlement, we must first understand the breach itself. The incident was not a sophisticated ransomware attack against Geisinger’s core infrastructure. Instead, it was a classic, yet devastating, example of third-party vendor risk compounded by an insider threat.
Nuance Communications, a Microsoft company that provides conversational AI and ambient intelligence solutions to healthcare providers (including Geisinger), revealed that a former employee had accessed patient information without authorization. The access occurred over a brief period in late 2023, shortly before the employee’s termination. Nuance was a HIPAA business associate contracted to Geisinger.
The compromised data included names, dates of birth, medical record numbers, and information regarding dates of service and facilities visited. Crucially—and this point is significant regarding the ensuing litigation—the breach reportedly did not involve Social Security numbers, financial account information, or credit card data.
Despite the absence of “financial” data theft, the exposure of demographic and clinical PHI for over a million individuals was enough to trigger immediate legal action.
Deconstructing the $5.1 Million Settlement
Following the breach notification, multiple lawsuits were filed and later consolidated in July 2024. The plaintiffs alleged, among other things, negligence in failing to secure patient data properly and in failing to provide timely notification.
In November 2025, the judge in a Pennsylvania district court gave preliminary approval of the proposed $5.1 million settlement. While Geisinger and Nuance have denied any wrongdoing or liability, agreeing to settle is a common strategic decision aimed at avoiding the uncertainty, prolonged expense, and reputational damage associated with protracted litigation.
The settlement fund is designated to cover cash payments to class members who submit valid claims, as well as attorneys’ fees and administrative costs. Based on typical participation rates in such settlements, individual claimants might receive modest sums, ranging from $50 to $150. However, the aggregate cost to the defendants extends well beyond the settlement fund when accounting for internal investigation costs, crisis communications, and remediation efforts.
The Rising Tide: Class Actions as a Compliance Risk
The Geisinger/Nuance settlement underscores a critical reality for healthcare organizations: compliance failures do not just lead to OCR corrective action plans; they also lead to costly civil litigation.
Class action lawsuits following health data breaches are increasing exponentially. Plaintiffs’ attorneys have developed highly efficient workflows, often filing complaints within days—sometimes hours—of a public breach notification.
A vital point for legal and compliance teams to grasp is the evolving legal theory behind these suits. HIPAA does not contain a private right of action; individuals cannot sue an organization directly for violating the Privacy or Security Rules.
Instead, plaintiffs’ attorneys rely on state common law theories, such as negligence, breach of an implied contract, and unjust enrichment, as well as various state consumer protection statutes.
They use HIPAA standards as the benchmark for establishing the “duty of care” allegedly breached. If an organization fails to comply with the HIPAA Security Rule—for instance, by having inadequate access controls or insufficient vendor oversight—that non-compliance becomes the foundation for a negligence claim in state court.
Furthermore, courts are increasingly willing to accept “loss of privacy” and the “diminished value of PHI” as cognizable damages, even in the absence of concrete identity theft or financial fraud. The Geisinger settlement is proof that exposing medical record numbers and service dates is sufficient to generate multi-million-dollar liability.
This is the Second Expensive Class Action for Nuance this Year
In August 2025, Nuance settled a class action lawsuit for $8.5 million to resolve claims arising from a separate May 2023 healthcare data breach.
In that case, Nuance had used Progress Software’s MOVEit Transfer software solution for file transfers. Hackers targeted the file transfer systems, exploiting a vulnerability to access data stored in the MOVEit environment. Nuance, a HIPAA business associate, had previously confirmed that thirteen of its covered entity customers had been affected by the hack.
Key Takeaways for Healthcare Professionals
The path forward requires moving beyond checkbox compliance and addressing the operational realities that drive these lawsuits.
1. Rigorous Third-Party Risk Management: Do your due diligence. The Geisinger incident highlights that business associates are tied to covered entity customers, operationally and reputationally. Make sure you have an up-to-date business associate agreement (BAA) in place. Compliance and IT must collaborate on active vendor governance. This includes completing regular security questionnaires, reviewing SOC 2 reports with a critical eye, and holding vendors accountable for how they manage their employee access lifecycles.
2. The Insider Threat and Offboarding Protocols: The Nuance breach was caused by a former employee accessing data just before leaving. This goes directly to the HIPAA Security Rule requirements for workforce security and information access management. IT and HR must have ironclad, immediate protocols for terminating access privileges the moment an employee is identified for separation. A delay of even a few hours can be catastrophic.
3. Incident Response Includes Litigation Readiness: Your incident response plan must integrate legal counsel immediately. Although the business associate should conduct a breach risk assessment, the covered entity should conduct its own to determine whether the breach is reportable and which specific data was compromised. The steps taken in the first 48 hours of discovering a breach—how it’s documented, how the scope is determined, and how the notification is drafted—will be scrutinized during discovery in a class action lawsuit. Assuming you will be sued is now a necessary component of breach preparedness.
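One concrete control for the offboarding point in takeaway 2, as an added example that is not from the article or from either company: a Python check that joins an HR separation feed to an application audit log to flag PHI access by users already flagged for separation or past their termination date, and measures how long deprovisioning took. The user names, timestamps and pipe-delimited log format are constructed for the example.

```python
from datetime import datetime
# Constructed HR separation feed: when HR flagged the separation and the
# effective termination time (hypothetical users, not real people).
HR_SEPARATIONS = {
    "jdoe": {"flagged": "2023-11-28T09:00", "terminated": "2023-11-29T17:00"},
    "asmith": {"flagged": "2023-12-01T14:00", "terminated": "2023-12-05T17:00"},
}
# Constructed IAM record of when each account was actually disabled.
IAM_REVOCATIONS = {"jdoe": "2023-11-30T09:00", "asmith": "2023-12-01T14:30"}
# Constructed audit log, one event per line: timestamp|user|action|resource
AUDIT_LOG = """\
2023-11-27T15:12|jdoe|VIEW|patient/MRN-0001
2023-11-28T11:40|jdoe|EXPORT|patient/MRN-0002
2023-11-30T08:05|jdoe|VIEW|patient/MRN-0003
2023-12-01T10:00|asmith|VIEW|patient/MRN-0004
2023-12-02T09:30|bjones|VIEW|patient/MRN-0005
"""

def parse_log(text):
    # Parse pipe-delimited audit lines into (datetime, user, action, resource).
    rows = [line.split("|") for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), u, a, r) for ts, u, a, r in rows]

def flag_separation_access(events, separations):
    """Return (severity, user, timestamp, action, resource) for PHI access that
    timely deprovisioning should have prevented."""
    findings = []
    for ts, user, action, resource in events:
        rec = separations.get(user)
        if rec is None:
            continue  # not a separating user
        if ts > datetime.fromisoformat(rec["terminated"]):
            sev = "CRITICAL"  # account still live after termination
        elif ts >= datetime.fromisoformat(rec["flagged"]):
            sev = "HIGH"      # access during the notice window
        else:
            continue          # before HR flagged the separation
        findings.append((sev, user, ts, action, resource))
    return findings

def revocation_lag_hours(separations, revocations):
    """Hours from HR flag to IAM disable; None means never disabled."""
    lag = {}
    for user, rec in separations.items():
        revoked = revocations.get(user)  # missing entry = account never disabled
        flagged = datetime.fromisoformat(rec["flagged"])
        lag[user] = None if revoked is None else (
            datetime.fromisoformat(revoked) - flagged).total_seconds() / 3600
    return lag
```

Run the two functions over the real HR and IAM feeds on a schedule; any CRITICAL finding or a lag beyond the agreed revocation SLA is the evidence a plaintiff's expert would look for in discovery.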
Conclusion
The $5 million Geisinger/Nuance settlement is not an anomaly; it is part of a clearly defined trend. For HIPAA professionals, in-house counsel, and IT leaders, the message is unambiguous: the risk of non-compliance is no longer just about regulatory fines. It is about defending against an aggressive, well-organized plaintiffs’ bar ready to capitalize on any failure to protect patient data.
Strengthening defenses against this wave of litigation requires the same steps as achieving robust HIPAA compliance—a vigilant, proactive, and holistic approach to data security.