Former Nuance Engineer Charged in 2023 Geisinger Health Data Breach Affecting 1.3 Million Patients A California man, Max Vance (formerly Andre Burk), faces additional charges in connection with the 2023 data breach of Geisinger Health System, which exposed the personal and medical records of over 1.3 million patients. A superseding indictment filed in the U.S. Middle District Court on Tuesday accuses Vance of making false statements to FBI agents in January 2024, denying he had downloaded unauthorized data onto personal devices. Vance, a former principal healthcare interface engineer at Nuance Communications a Microsoft subsidiary providing IT services to hospitals was initially indicted in January 2024 for unauthorized access to a protected computer. Authorities allege that after being fired by Microsoft on November 27, 2023, for unrelated misconduct, Vance used his Nuance credentials to query Geisinger’s servers two days later. He extracted sensitive patient data, including names, dates of birth, addresses, medical record numbers, and treatment details, downloading it into two files before uploading them to his Microsoft Azure cloud account. The files were later transferred to his personal laptop and a Samsung hard drive, with evidence recovered during a search of his El Cajon apartment. Geisinger detected the breach on November 29, 2023, but delayed notifying affected patients until June 24, 2024, citing the need to avoid interfering with a federal investigation. The breach has since led to multiple civil lawsuits, including a class-action suit with preliminary approval of a $5 million settlement covering 1,308,363 individuals. Plaintiffs argue the delayed notification increased risks of identity theft. Vance, who legally changed his name in 2021 and relocated to California in 2022, is currently detained at Lycoming County Prison in Pennsylvania. Representing himself, he has filed motions challenging his detention and evidence admissibility. The case remains under federal investigation.

$5 Million Settlement Approved in Geisinger-Nuance Medical Data Breach Affecting 1.3 Million Patients A Pennsylvania judge has approved a $5 million settlement resolving a class-action lawsuit against Geisinger Health and Nuance Communications following the theft of 1.3 million patient records by a former Nuance employee. The breach, which exposed sensitive data including names, birthdates, addresses, medical record numbers, treatment details, and insurance information stemmed from Geisinger’s partnership with Nuance, a Microsoft subsidiary specializing in AI-driven clinical documentation tools. The lawsuit was filed on June 28, 2024, with the settlement finalized earlier this month. While the agreement does not require either company to admit wrongdoing, it includes $30,000 in additional payments to cover litigation costs and awards for the five plaintiffs who initiated the case. Victims have until March 18 to file claims, though the exact payout per individual will depend on how many of the 1.3 million affected patients participate. As of March 5, only 97,000 victims had registered for direct cash compensation. Affected individuals may also opt for complimentary credit monitoring, though participation in the settlement class is required to access the benefit. Notably, there is no evidence that the stolen data has surfaced on the dark web or been misused. Geisinger, a nonprofit health system serving 45 Pennsylvania counties, operates 10 hospitals and 126 care sites, treating over 3 million patients annually. The breach highlights ongoing risks in third-party data handling within the healthcare sector.

A former employee of Nuance Communications (a Microsoft-owned IT services vendor) accessed Geisinger Health’s patient records without authorization two days after their employment termination on November 29, 2023. The breach exposed the personal and health information of over 1.3 million patients, including full names, dates of birth, addresses, medical record numbers, race, gender, phone numbers, facility abbreviations, Social Security numbers (SSNs), and health insurance details. Initially, Geisinger stated no financial or credit card data was compromised, but court documents later confirmed SSNs and sensitive medical information were exposed. The incident led to a $5 million class-action settlement, with affected patients eligible to file claims until March 2026. The former employee faces federal criminal charges for the unauthorized access, which occurred after law enforcement concluded its investigation. The breach severely undermined patient trust and triggered legal, financial, and reputational repercussions for Geisinger Health.

Nuance, a Microsoft subsidiary specializing in medical transcription and speech recognition, was ensnared in the 2023 Clop ransomware gang’s mass exploitation of the MOVEit Transfer vulnerability, a supply-chain attack affecting over 2,600 organizations and 77M+ individuals globally. The breach exposed 1.225 million people’s personal data from Nuance’s MOVEit environment, supplied by downstream healthcare providers. Plaintiffs in a class-action lawsuit alleged Nuance’s negligence in failing to implement 'reasonable security measures,' though the company denied liability, citing reliance on Progress Software’s widely used (but flawed) product and lack of direct contracts with affected individuals.Nuance settled for $8.5 million—covering compensation and credit-monitoring—despite insisting it acted swiftly (patching systems, taking MOVEit offline, and investigating). The healthcare sector’s heightened regulatory scrutiny and media attention amplified the fallout. While Nuance framed itself as a victim of the Clop campaign, the breach underscored systemic risks in third-party supply-chain dependencies. The settlement, though modest compared to other MOVEit-related payouts, reflects the growing legal and reputational costs of ransomware-driven data exfiltration in critical industries.

A Pennsylvania district court approved a $5 million settlement for a 2023 data breach at Geisinger Health, involving a former Nuance Communications employee (Nuance is now owned by Microsoft). The breach exposed over 1 million patients' sensitive data, including names, dates of birth, addresses, medical record numbers, race, gender, phone numbers, admit/discharge codes, and facility abbreviations. The employee, terminated just two days before the incident, accessed and potentially exfiltrated the data, leading to criminal charges and an ongoing federal investigation. Notification to affected patients was delayed per law enforcement’s request. The breach underscored insider threat risks in healthcare, with the consolidated class-action lawsuit highlighting reputational, financial, and legal repercussions. The final approval hearing is set for March 2026, with claims submissions due shortly after.

Nuance Communications Inc., a Microsoft subsidiary specializing in clinical support for healthcare organizations, experienced a data breach in May 2023 due to a vulnerability in the MOVEit file transfer software. Cybercriminals exploited this flaw, gaining unauthorized access to sensitive personal and protected health information (PHI) of an estimated 1,225,054 individuals between May 27 and May 31, 2023. The breach exposed data such as medical records, financial details, and personally identifiable information (PII), leading to risks of identity theft, fraud, and financial harm.The company agreed to an $8.5 million class-action settlement, offering affected individuals credit monitoring, identity theft protection, and reimbursements (up to $10,000 for documented losses). The incident highlighted Nuance’s alleged negligence in securing third-party software, resulting in prolonged legal and financial repercussions. The breach’s impact extended beyond financial losses, eroding trust in Nuance’s data protection capabilities, particularly in the healthcare sector, where PHI confidentiality is critical.