Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records
A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.
Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.
Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.
Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.
If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.
