Former Nuance Engineer Charged in 2023 Geisinger Health Data Breach Affecting 1.3 Million Patients
A California man, Max Vance (formerly Andre Burk), faces additional charges in connection with the 2023 data breach of Geisinger Health System, which exposed the personal and medical records of over 1.3 million patients. A superseding indictment filed in the U.S. Middle District Court on Tuesday accuses Vance of making false statements to FBI agents in January 2024, denying he had downloaded unauthorized data onto personal devices.
Vance, a former principal healthcare interface engineer at Nuance Communications a Microsoft subsidiary providing IT services to hospitals was initially indicted in January 2024 for unauthorized access to a protected computer. Authorities allege that after being fired by Microsoft on November 27, 2023, for unrelated misconduct, Vance used his Nuance credentials to query Geisinger’s servers two days later. He extracted sensitive patient data, including names, dates of birth, addresses, medical record numbers, and treatment details, downloading it into two files before uploading them to his Microsoft Azure cloud account. The files were later transferred to his personal laptop and a Samsung hard drive, with evidence recovered during a search of his El Cajon apartment.
Geisinger detected the breach on November 29, 2023, but delayed notifying affected patients until June 24, 2024, citing the need to avoid interfering with a federal investigation. The breach has since led to multiple civil lawsuits, including a class-action suit with preliminary approval of a $5 million settlement covering 1,308,363 individuals. Plaintiffs argue the delayed notification increased risks of identity theft.
Vance, who legally changed his name in 2021 and relocated to California in 2022, is currently detained at Lycoming County Prison in Pennsylvania. Representing himself, he has filed motions challenging his detention and evidence admissibility. The case remains under federal investigation.
Geisinger cybersecurity rating report: https://www.rankiteo.com/company/geisinger
Nuance Communications cybersecurity rating report: https://www.rankiteo.com/company/nuance-communications
Microsoft Dynamics 365 cybersecurity rating report: https://www.rankiteo.com/company/microsoft-dynamics
"id": "GEINUAMIC1770196655",
"linkid": "geisinger, nuance-communications, microsoft-dynamics",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,308,363 patients',
'industry': 'Healthcare',
'location': 'Pennsylvania, USA',
'name': 'Geisinger Health System',
'type': 'Healthcare Provider'}],
'attack_vector': 'Unauthorized access using compromised credentials',
'customer_advisories': 'Notification sent to affected patients on June 24, '
'2024',
'data_breach': {'data_exfiltration': 'Yes (transferred to personal devices '
'and cloud storage)',
'number_of_records_exposed': '1,308,363',
'personally_identifiable_information': 'Yes (names, dates of '
'birth, addresses, '
'medical record '
'numbers)',
'sensitivity_of_data': 'High (names, dates of birth, '
'addresses, medical record numbers, '
'treatment details)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Medical records']},
'date_detected': '2023-11-29',
'date_publicly_disclosed': '2024-06-24',
'description': 'A California man, Max Vance (formerly Andre Burk), faces '
'additional charges in connection with the 2023 data breach of '
'Geisinger Health System, which exposed the personal and '
'medical records of over 1.3 million patients. Vance, a former '
'principal healthcare interface engineer at Nuance '
'Communications, used his credentials to access Geisinger’s '
'servers after being fired by Microsoft, downloading sensitive '
'patient data and transferring it to personal devices and '
'cloud storage.',
'impact': {'brand_reputation_impact': 'Yes (delayed notification, identity '
'theft risks)',
'customer_complaints': 'Multiple civil lawsuits, including a '
'class-action suit',
'data_compromised': 'Personal and medical records of 1.3 million '
'patients',
'financial_loss': '$5 million (settlement amount)',
'identity_theft_risk': 'Increased risk due to exposure of PII and '
'medical records',
'legal_liabilities': 'Class-action lawsuit, potential regulatory '
'fines',
'systems_affected': 'Geisinger Health System servers'},
'investigation_status': 'Ongoing (federal investigation)',
'motivation': 'Unauthorized data exfiltration (potential financial gain or '
'malicious intent)',
'post_incident_analysis': {'root_causes': 'Unauthorized use of credentials '
'post-employment, lack of immediate '
'credential revocation'},
'references': [{'source': 'U.S. Middle District Court Indictment'}],
'regulatory_compliance': {'legal_actions': 'Class-action lawsuit, federal '
'charges against the threat actor',
'regulations_violated': ['HIPAA (potential)']},
'response': {'communication_strategy': 'Delayed notification to avoid '
'interfering with federal '
'investigation',
'law_enforcement_notified': 'Yes (FBI)'},
'threat_actor': 'Max Vance (formerly Andre Burk)',
'title': 'Former Nuance Engineer Charged in 2023 Geisinger Health Data Breach '
'Affecting 1.3 Million Patients',
'type': 'Data Breach',
'vulnerability_exploited': 'Misuse of legitimate access credentials '
'post-employment'}