Centre County man files $5 million class action lawsuit against Geisinger | Centre County Gazette

CENTRE COUNTY – A Centre County man has filed a class action lawsuit against Geisinger Health and Nuance Communications Inc. following a data breach.

According to court documents from the Middle District of Pennsylvania, James Wierbowski filed the lawsuit on Friday, June 28, personally and on behalf of all others affected by the data breach. The class action lawsuit seeks a total of $5 million in compensation for the more than one million patients estimated to have been affected by the data breach.

Geisinger patients were informed in a statement from Geisinger on Monday, June 24, that a patient data security breach occurred on November 29, 2023, when it was discovered that Nuance Communications Inc., the third-party vendor that provides information technology services to Geisinger, had been breached by a former employee. The employee, Max Vance, was accused of accessing certain Geisinger patient information two days after his employment with Nuance Communications was terminated.

Law enforcement authorities launched an investigation and at the time asked Nuance Communications not to inform patients about the breach, so as not to hinder the investigation. Vance was arrested two months after the breach was discovered and now faces felony charges.

According to the lawsuit, “Plaintiff, on behalf of himself and all other members of the class, asserts claims for negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Pennsylvania’s unfair competition and consumer protection laws, and seeks declaratory relief, injunctive relief, compensatory damages, statutory damages, punitive damages, equitable damages, and all other relief permitted by law.”

Wierbowski argued in his lawsuit that the time between the security breach and the notification of patients provided criminals with an opportunity to access and illegally distribute stolen health data.

“The privacy of our patients and members is our top priority and we take protecting it very seriously,” Jonathan Friesen, Geisinger’s privacy officer, said in the statement. “We continue to work closely with authorities in this investigation and while I am grateful that the perpetrator was caught and is now facing charges in federal court, I am sorry that this happened.”

Geisinger noted that the information accessed in the breach varied from patient to patient, but “included patient names in combination with one or more of the following: date of birth, address, admission and discharge or transfer code, medical record number, race, gender, telephone number, and facility name abbreviation.”

However, Geisinger found that “the former company employee did not unlawfully access any claim or insurance data, credit card or bank account numbers, other financial information, or Social Security numbers.”

Nevertheless, the lawsuit alleges that Nuance Communications should have immediately blocked Vance’s data access after his termination and that both Nuance and Geisinger were negligent in this breach.