Former Nuance Employee Sentenced for 1.2 Million-record Geisinger Health System Data Breach

A former employee of Nuance Communications, a business associate of Geisinger Health System that provided IT and conversational AI services, has been sentenced for unlawfully accessing and copying the data of 1.2 million patients. Max Vance (now Andre J. Burk), 46, of El Cajon, California, a former principal healthcare engineer, was disgruntled after being terminated by Nuance Communications and attempted to use his login credentials to access Nuance’s systems after termination.

His credentials should have been immediately revoked upon termination to prevent any attempt at unauthorized access, but his credentials were still valid two days after termination. Vance proceeded to download a huge volume of patient data – 1.2 million patient records, including names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information.

The removal of the data was detected by Geisinger, which notified Nuance, and Nuance immediately revoked Vance’s credentials. Law enforcement was alerted, and Vance was arrested. Vance pleaded guilty to obtaining information from a protected computer and faced a sentence of up to 5 years, although current guidelines suggest a sentence of between 30 and 27 months, plus a fine. He could also have been ordered to pay restitution to Geisinger Health System, which has claimed it incurred costs of around $550,000 as a result of Vance’s actions. Geisinger also settled a class action lawsuit over the data breach for $5 million last year.

Vance, who represented himself, has been in jail since early 2024. At sentencing, Judge Matthew W. Brann, Chief Judge for the United States District Court for the Middle District of Pennsylvania, chose to issue a sentence of time served and three years of supervised release, and required Vance to participate in a mental health treatment program. The sentence did not include a fine or an order to pay restitution.

March 5, 2026: Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records

A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.

Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.

Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.

Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.

In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.

If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
