Ex-Nuance IT Worker Faces More Charges in Geisinger Breach


Date Posted: Sunday, February 22, 2026

 

A former Nuance Communications insider is facing additional federal charges in a criminal case alleging he downloaded and stored on a personal external hard drive more than one million patient records of Geisinger Health two days after he was terminated from his job in 2023.

 

In a superseding indictment filed recently in a Pennsylvania federal court, prosecutors charged Max Vance, who is also known as Andre Burk, with two counts of making false statements to FBI agents.

 

The new indictment alleges Vance lied to FBI agents in January 2024 when he denied downloading more than one million patient records he was not authorized to download after he was terminated from his job at Nuance in 2023, and then lied again about transferring that patient information onto a personal external hard drive.

 

At the time of the incident, Nuance, now part of Microsoft, provided a variety of IT services to Geisinger Health, a regional health system in Pennsylvania.

 

The superseding indictment, like the original indictment against Vance in January 2024, seeks to have Vance forfeit his "personal external drive (USB drive), Samsung model PSSD T7," which prosecutors allege contains the illegally obtained patient information. Both indictment documents also seek to have Vance turn over any proceeds obtained directly or indirectly from his alleged offenses.

 

The new charges are in addition to the one count of "obtaining information from a protected computer."

 

The criminal complaint against Vance is sealed by the court. Vance is in custody in a county jail as he awaits trial and is defending himself in the case with assistance from a public defender, who did not immediately respond to Information Security Media Group's request for comment.

 

Vance's trial had been slated for August 2024 but has been postponed by the court several times. It is now scheduled for April 20.

 

Prosecutors likely decided to add the extra charges against Vance—two years after their first indictment—due to gathering more evidence, said regulatory attorney Rachel Rose, who is not involved in the Vance case.

 

"The timing is prosecutorial discretion and may be strategic, especially since the trial was moved," Rose stated.

 

Even without Vance's USB drive, prosecutors likely have other strong evidence of the alleged crimes, she said.

 

"Geisinger is sophisticated, and if the download has been tracked either by Nuance or Geisinger, or tracked on the dark web to an IP address tied to the defendant, then that would also be actual direct evidence," said Rose.

 

Nuance reported the data breach on Sept. 15, 2023, to federal regulators, as the hacking incident affected more than 1.2 million individuals.

 

Patient information compromised in the breach included name, birthdate, address, medical record number, race, gender, phone number, and facility name abbreviation, Geisinger said in a January 2024 statement.

 

Geisinger said that on November 29, 2023, it discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated.

 

Nuance permanently disconnected its former employee's access to Geisinger's records. Law enforcement was notified, and Vance was later arrested, Geisinger said.

 

Last November, a federal court approved a $5 million settlement in consolidated class action litigation filed against Nuance and Geisinger.

 

A final approval court hearing for the settlement is set for March 16.

 

The Nuance-Geisinger incident offers important lessons for other health sector entities and their IT vendors. Rose emphasized: "It underscores that both covered entities and business associates need to conduct thorough background checks and have adequate technical, administrative, and physical safeguards, as well as an adequate and effective compliance program."

 

Rose also stressed that employees who leave a company must honor their ongoing confidentiality obligations, and employers should have formal offboarding procedures in place.

 

That includes not only immediately terminating ex-workers' access to computer systems but also their physical access to the data center and secure rooms.

 

Marianne Kolbasuk McGee is Executive Editor at Information Security Media Group (ISMG)'s HealthcareInfoSecurity.com media site. She has 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

 

This article was originally published on February 5, 2026, by Healthcare Info Security® and is republished with permission from ISMG.

 

Source: https://www.healthcareinfosecurity.com/ex-nuance-worker-face-more-charges-in-geisinger-breach-a-30693

https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/maxvance-superseding-indictment-2-3-26.pdf

https://www.healthcareinfosecurity.com/nuance-ex-employee-indicted-for-breach-affecting-1-million-a-25626

https://www.healthcareinfosecurity.com/5m-settlement-in-geisinger-health-nuance-insider-breach-a-30085

 
