Former Nuance Engineer Charged in 2023 Geisinger Health Data Breach Affecting 1.3 Million Patients A California man, Max Vance (formerly Andre Burk), faces additional charges in connection with the 2023 data breach of Geisinger Health System, which exposed the personal and medical records of over 1.3 million patients. A superseding indictment filed in the U.S. Middle District Court on Tuesday accuses Vance of making false statements to FBI agents in January 2024, denying he had downloaded unauthorized data onto personal devices. Vance, a former principal healthcare interface engineer at Nuance Communications a Microsoft subsidiary providing IT services to hospitals was initially indicted in January 2024 for unauthorized access to a protected computer. Authorities allege that after being fired by Microsoft on November 27, 2023, for unrelated misconduct, Vance used his Nuance credentials to query Geisinger’s servers two days later. He extracted sensitive patient data, including names, dates of birth, addresses, medical record numbers, and treatment details, downloading it into two files before uploading them to his Microsoft Azure cloud account. The files were later transferred to his personal laptop and a Samsung hard drive, with evidence recovered during a search of his El Cajon apartment. Geisinger detected the breach on November 29, 2023, but delayed notifying affected patients until June 24, 2024, citing the need to avoid interfering with a federal investigation. The breach has since led to multiple civil lawsuits, including a class-action suit with preliminary approval of a $5 million settlement covering 1,308,363 individuals. Plaintiffs argue the delayed notification increased risks of identity theft. Vance, who legally changed his name in 2021 and relocated to California in 2022, is currently detained at Lycoming County Prison in Pennsylvania. Representing himself, he has filed motions challenging his detention and evidence admissibility. The case remains under federal investigation.