Former Nuance Employee Hit with Additional Charges in Geisinger Data Breach

Former Employee Accused of Theft of 1 Million Patient Records

Ex-Nuance IT Worker Faces More Charges in Geisinger Breach

A former employee of Nuance Communications is facing additional federal charges for allegedly downloading over one million Geisinger Health patient records and storing them on a personal external hard drive shortly after his termination in 2023. This incident points to severe security vulnerabilities within data handling practices in the healthcare sector.

On February 5, 2026, a superseding indictment filed in a Pennsylvania federal court charged Max Vance, also known as Andre Burk, with multiple counts of making false statements to FBI agents. The claims are particularly alarming, as Vance allegedly misled investigators regarding unauthorized access to sensitive patient data after being dismissed from his position at Nuance, which is now part of Microsoft.

According to the indictment, Vance denied downloading the records and subsequently lied about transferring the data to an external drive. This raises concerns about potential gaps in data governance and oversight in healthcare IT services during his time with Nuance, which was tasked with delivering IT solutions to Geisinger Health.

The evidence against Vance appears substantial, as both the original and superseding indictments seek the forfeiture of a personal USB drive allegedly containing the stolen patient information. Notably, this situation may reflect broader data protection issues that many organizations could face.

The new charges come alongside an initial indictment featuring a count of “obtaining information from a protected computer,” emphasizing the critical importance of robust security measures in healthcare environments. The sealed criminal complaint suggests that law enforcement continues to explore the extent of Vance’s unauthorized access, with further investigations likely focusing on potential tracking methods employed by either Nuance or Geisinger.

Healthcare organizations are advised to consider this case a cautionary tale about the necessity of rigorous access controls and ongoing monitoring. The MITRE ATT&CK framework describes adversary tactics that can be used in such breaches, including initial access and persistence, and can serve as a roadmap for companies assessing their security posture.

Geisinger reported the data breach on September 15, 2023, identifying it as a hacking incident impacting more than 1.2 million individuals. The compromised information included sensitive data such as names, birth dates, addresses, and medical records, underscoring the high stakes involved in protecting patient data.

Regarding compliance, the incident reinforces that organizations must establish comprehensive offboarding procedures for terminated employees, ensuring that access to computer systems, physical locations, and sensitive data is revoked immediately upon termination. Thorough background checks and adequate technical safeguards are essential in mitigating risks associated with insider threats.

Legal experts suggest that the additional charges may reflect an accumulation of compelling evidence gathered by prosecutors over the two years since the initial indictment. This situation serves as a reminder that ongoing vigilance and proactive cybersecurity measures are key to thwarting similar breaches in the future.

In light of these developments, businesses within the health sector and their IT partners must prioritize defining effective compliance strategies and robust security frameworks. Protecting sensitive patient data is not merely a regulatory requirement but a critical component of maintaining trust in the digital age.
