Geisinger A.I CyberSecurity Scoring
Geisinger
Company Information
Website: https://www.geisinger.org/
Number of employees: 15,511
Number of followers: 84,447
NAICS: 62
Industry Type: Hospitals and Health Care
Homepage: geisinger.org
Geisinger Risk Score (AI oriented)
Between 0 and 549
Updated: 01/04/2026
450/1000
Critical
C
7 incidents
-61.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
465
MAY 2026
460
APRIL 2026
456
MARCH 2026
446
FEBRUARY 2026
544
Breach
03 Feb 2026 • Geisinger
Microsoft, Nuance Communications and Geisinger Health System: Man accused in 2023 Geisinger data breach case faces more charges
Former Nuance Engineer Charged in 2023 Geisinger Health Data Breach Affecting 1.3 Million Patients
438
CRITICAL-106
GEINUAMIC1770196655
A California man, Max Vance (formerly Andre Burk), faces additional charges in connection with the 2023 data breach of Geisinger Health System, which exposed the personal and medical records of over 1.3 million patients. A superseding indictment filed in the U.S. Middle District Court on Tuesday accuses Vance of making false statements to FBI agents in January 2024, denying he had downloaded unauthorized data onto personal devices.
Vance, a former principal healthcare interface engineer at Nuance Communications, a Microsoft subsidiary providing IT services to hospitals, was initially indicted in January 2024 for unauthorized access to a protected computer. Authorities allege that after being fired by Microsoft on November 27, 2023, for unrelated misconduct, Vance used his Nuance credentials to query Geisinger’s servers two days later. He extracted sensitive patient data, including names, dates of birth, addresses, medical record numbers, and treatment details, downloading it into two files before uploading them to his Microsoft Azure cloud account. The files were later transferred to his personal laptop and a Samsung hard drive, with evidence recovered during a search of his El Cajon apartment.
Geisinger detected the breach on November 29, 2023, but delayed notifying affected patients until June 24, 2024, citing the need to avoid interfering with a federal investigation. The breach has since led to multiple civil lawsuits, including a class-action suit with preliminary approval of a $5 million settlement covering 1,308,363 individuals. Plaintiffs argue the delayed notification increased risks of identity theft.
Vance, who legally changed his name in 2021 and relocated to California in 2022, is currently detained at Lycoming County Prison in Pennsylvania. Representing himself, he has filed motions challenging his detention and evidence admissibility. The case remains under federal investigation.
JANUARY 2026
539
DECEMBER 2025
535
NOVEMBER 2025
610
OCTOBER 2025
529
SEPTEMBER 2025
524
AUGUST 2025
519
JULY 2025
514
JUNE 2025
524
Cyber Attack
19 Jun 2025 • Geisinger
Geisinger: Ryuk ransomware’s initial access expert extradited to the U.S. from Ukraine
Ryuk Ransomware Initial Access Broker Extradited to U.S.
507
CRITICAL-17
GEI1767779516
Ryuk Ransomware Affiliate Extradited to U.S. After Global Cyberattacks
In a coordinated international operation, a 33-year-old man linked to the Ryuk ransomware group was extradited to the U.S. from Ukraine on June 18, 2025. The suspect, arrested in Kyiv in April at the FBI’s request, specialized in gaining initial access to corporate networks and is accused of participating in attacks targeting companies across France, Norway, Germany, the Netherlands, Canada, and the U.S.
Ukrainian cyber police, alongside the National Police and global law enforcement partners, launched the investigation in 2023 following a wave of ransomware incidents tied to the group. The extradition marks a significant step in disrupting Ryuk’s operations, which have long been associated with high-profile cyber extortion campaigns.
The case underscores the persistent threat of ransomware gangs and the growing collaboration between nations to counter cybercrime. No further details on the suspect’s identity or the specific companies affected have been disclosed.
JUNE 2024
567
Breach
28 Jun 2024 • Geisinger
Geisinger Health and Nuance Communications: Stolen data complaint against Geisinger Health, Nuance Communications settled for $5M
$5 Million Settlement Approved in Geisinger-Nuance Medical Data Breach Affecting 1.3 Million Patients
461
CRITICAL-106
NUAGEI1773772921
A Pennsylvania judge has approved a $5 million settlement resolving a class-action lawsuit against Geisinger Health and Nuance Communications following the theft of 1.3 million patient records by a former Nuance employee. The breach, which exposed sensitive data including names, birthdates, addresses, medical record numbers, treatment details, and insurance information, stemmed from Geisinger’s partnership with Nuance, a Microsoft subsidiary specializing in AI-driven clinical documentation tools.
The lawsuit was filed on June 28, 2024, with the settlement finalized earlier this month. While the agreement does not require either company to admit wrongdoing, it includes $30,000 in additional payments to cover litigation costs and awards for the five plaintiffs who initiated the case. Victims have until March 18 to file claims, though the exact payout per individual will depend on how many of the 1.3 million affected patients participate.
As of March 5, only 97,000 victims had registered for direct cash compensation. Affected individuals may also opt for complimentary credit monitoring, though participation in the settlement class is required to access the benefit. Notably, there is no evidence that the stolen data has surfaced on the dark web or been misused.
Geisinger, a nonprofit health system serving 45 Pennsylvania counties, operates 10 hospitals and 126 care sites, treating over 3 million patients annually. The breach highlights ongoing risks in third-party data handling within the healthcare sector.
NOVEMBER 2023
644
Breach
29 Nov 2023 • Geisinger
Geisinger Health
Geisinger Health and Nuance Communications Patient Data Breach (2023)
537
CRITICAL-107
GEI5102451112125
A former employee of Nuance Communications (a Microsoft-owned IT services vendor) accessed Geisinger Health’s patient records without authorization two days after their employment termination on November 29, 2023. The breach exposed the personal and health information of over 1.3 million patients, including full names, dates of birth, addresses, medical record numbers, race, gender, phone numbers, facility abbreviations, Social Security numbers (SSNs), and health insurance details. Initially, Geisinger stated no financial or credit card data was compromised, but court documents later confirmed SSNs and sensitive medical information were exposed. The incident led to a $5 million class-action settlement, with affected patients eligible to file claims until March 2026. The former employee faces federal criminal charges for the unauthorized access, which occurred after law enforcement concluded its investigation. The breach severely undermined patient trust and triggered legal, financial, and reputational repercussions for Geisinger Health.
JUNE 2023
735
Breach
16 Jun 2023 • Geisinger
Geisinger Health
Geisinger Health and Nuance Communications Data Breach (2023)
629
CRITICAL-106
GEI4702447112225
A Pennsylvania district court approved a $5 million settlement for a 2023 data breach at Geisinger Health, involving a former Nuance Communications employee (Nuance is now owned by Microsoft). The breach exposed over 1 million patients' sensitive data, including names, dates of birth, addresses, medical record numbers, race, gender, phone numbers, admit/discharge codes, and facility abbreviations. The employee, terminated just two days before the incident, accessed and potentially exfiltrated the data, leading to criminal charges and an ongoing federal investigation. Notification to affected patients was delayed per law enforcement’s request. The breach underscored insider threat risks in healthcare, with the consolidated class-action lawsuit highlighting reputational, financial, and legal repercussions. The final approval hearing is set for March 2026, with claims submissions due shortly after.
JUNE 2020
751
Breach
01 Jun 2020 • Geisinger
Geisinger
Geisinger Data Breach by Former Employee
694
CRITICAL-57
GEI21525422
Geisinger suffered a data breach in which a former employee accessed patient data without authorization.
The breach compromised the medical records and other personal information, including patient names, dates of birth, and other details, of over 700 patients.
The company took immediate action: it fired the employee and notified the affected patients.
AUGUST 2016
783
Breach
01 Aug 2016 • Geisinger
Geisinger
Geisinger Data Breach
716
MEDIUM-67
GEI185214622
Geisinger suffered a data breach that exposed, without authorization, the Protected Health Information (PHI) of 2,800 members and 220 employers.
Members of Geisinger Gold, GHP Family, or GHP Kids were unaffected by this incident.
The attack compromised member name, date of birth, health insurance premium information, member identification number and smoking status.
No medical treatment or financial information, such as Social Security numbers, was included.
The company took immediate action and notified the affected patients and employee.