Former Nuance IT Employee Faces Additional Charges in Geisinger Breach

Categories: Cybercrime, Fraud Management & Cybercrime, Healthcare

Former Employee Charged with Stealing Over 1 Million Patient Records


A former Nuance Communications employee has been indicted on additional federal charges linked to a data breach involving over 1 million patient records from Geisinger Health. The criminal case centers on allegations that, two days after his termination in 2023, the individual downloaded these records and stored them on a personal external hard drive.

In a recent superseding indictment filed in a Pennsylvania federal court, Max Vance, also known as Andre Burk, faces two counts of making false statements to federal investigators. The indictment asserts that Vance misled FBI agents in January 2024 about downloading unauthorized patient records after his dismissal and subsequently transferring the information to a personal device.

At the time of the breach, Nuance, now under Microsoft’s umbrella, was providing IT services to Geisinger Health, a prominent regional healthcare system in Pennsylvania. The superseding indictment seeks the forfeiture of Vance’s personal external drive, which prosecutors claim contains the unlawfully obtained patient information, alongside any financial gains he may have accrued from his alleged actions.

This new indictment is in addition to an existing charge against Vance for allegedly “obtaining information from a protected computer.” Although court documents related to the criminal complaint remain sealed, Vance is currently being held in a county jail, where he awaits trial with representation from a public defender.

Initially scheduled for August 2024, the trial has been postponed multiple times and is now set for April 20. Regulatory attorney Rachel Rose, not involved in the case, speculates that the timing of these new charges may suggest that prosecutors have gathered additional evidence since the first indictment.

Vance's alleged actions are a stark reminder that healthcare organizations must bolster their data security measures. The incident shows how authorized access can be misused and why access to sensitive information must be revoked promptly when an employee departs, rather than left open for days afterward. Outsourced IT services like those Nuance provided require robust oversight to guard against insider threats.

The breach affected over 1.2 million individuals, with compromised information including names, birthdates, addresses, and medical records. In response to the incident, Geisinger disclosed the breach to federal regulators on September 15, 2023, following its discovery of the unauthorized access on November 29, 2023. This breach further underlines the necessity for rigorous background checks and effective compliance programs in the healthcare sector.

Mapped to the MITRE ATT&CK framework, the incident may have involved tactics such as initial access through credentials that should have been revoked, and persistence through continued, unauthorized access to the patient database. Organizations should recognize that data-breach tactics keep evolving and ensure that both covered entities and their third-party vendors implement stringent data security protocols.
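The two preceding paragraphs make the same defensive point: access that survives an employee's departure is the gap that lets a case like this happen, and it is detectable. The script below is an added example, not code from the article, Geisinger or Nuance. It correlates a constructed HR roster of termination timestamps with constructed audit-log lines in a hypothetical "timestamp user action object count" format, and flags any activity by an account after its owner's termination, with an optional grace window for legitimately delayed offboarding. The user names, dates and record counts are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR roster: username -> termination timestamp (None = still active).
# Hypothetical users and dates; not taken from the article or any real system.
TERMINATIONS = {
    "jdoe": datetime(2023, 11, 27, 17, 0),
    "asmith": None,
}

# Constructed audit-log lines in an assumed "timestamp user action object count" format.
SAMPLE_LOG = """\
2023-11-27T09:14:02 jdoe query patient_db 12
2023-11-28T10:05:41 asmith query patient_db 40
2023-11-29T02:33:10 jdoe export patient_db 1200000
2023-11-29T02:40:55 jdoe copy external_drive 1200000
2023-11-30T11:00:00 asmith query patient_db 8
"""


@dataclass
class Finding:
    ts: datetime
    user: str
    action: str
    obj: str
    count: int
    reason: str


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, object, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, obj, int(count)))
    return events


def post_termination_access(events, terminations, grace=timedelta(0)):
    """Return a Finding for every event by a terminated user that occurs after
    termination plus the grace window. Active users (None) are never flagged."""
    findings = []
    for ts, user, action, obj, count in events:
        term = terminations.get(user)
        if term is None:
            continue  # active account, or a user the roster does not know
        if ts > term + grace:
            findings.append(
                Finding(ts, user, action, obj, count,
                        f"activity {ts - term} after termination")
            )
    return findings


if __name__ == "__main__":
    for f in post_termination_access(parse_log(SAMPLE_LOG), TERMINATIONS):
        print(f"{f.ts.isoformat()} {f.user} {f.action} {f.obj} ({f.count} records): {f.reason}")
```

The reason string carries the elapsed time since termination, which is the figure an incident responder wants first: a post-termination event two days out, as alleged here, is a revocation failure, not a timing edge case. In a real deployment the roster would come from the HR system of record and the events from the database or EDR audit trail, and the check would run on a schedule rather than over a static string.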
