A former Nuance Communications employee pleaded guilty in federal court to obtaining information from a protected computer without authorization after accessing and copying data associated with more than 1.2 million Geisinger Health System patient records.
Guilty Plea in Federal Court
Max Vance, 46, of El Cajon, California, entered a guilty plea on February 27, 2026 in the United States District Court for the Middle District of Pennsylvania. The plea relates to a charge of obtaining information from a protected computer without authorization.
Court records state that Vance withdrew a previous not guilty plea and admitted the offense in federal court proceedings connected to the 2023 data breach involving Geisinger patient records. The charge carries a statutory maximum penalty of five years in prison and a fine of up to $250,000.
The plea agreement filed in the case provides for a sentence of time served, followed by three years of supervised release and no fine. Vance has already spent more than two years in custody following his arrest. The agreement also includes provisions that would dismiss two charges related to making false statements to the FBI. A sentencing hearing date had not been set at the time of reporting.
Unauthorized Access to Geisinger Patient Data
HIPAA-compliant Nuance Communications served as a business associate providing information technology services that required access to systems containing protected health information (PHI). The company terminated Vance for reasons unrelated to the breach. Access rights associated with his employment were not immediately revoked. Two days after the termination, Vance used the existing access to copy patient information from Geisinger systems.
Geisinger detected the unauthorized activity and notified Nuance Communications. Access rights were then terminated and an investigation began. The unauthorized activity occurred on November 29, 2023.
Breached Data Involved
The copied information belong to more than 1.2 million Geisinger patients’ data. The following information was copied excluding financial information, Social Security numbers, or health insurance information:
- Patient names
- Contact information
- Dates of birth
- Admission, discharge, or transfer codes
- Medical record numbers
- Race and gender information
Investigation and Evidence Collection
Geisinger reported the unauthorized access to law enforcement authorities after detecting the activity. An investigation was initiated and Vance was arrested in February 2024. Law enforcement officers conducted a search of Vance’s property during the investigation. Authorities reported the discovery of electronic equipment containing the copied data. Investigators also located two unregistered firearms, fake and blank identification documents, and equipment used to create identification cards. A storage device containing data from the prior employer was also located during the investigation.
Related Civil Litigation
Civil litigation followed the breach involving Geisinger Health and Nuance Communications. The organizations agreed to establish a $5,000,000 settlement fund to resolve consolidated class action litigation associated with the incident. A hearing on the settlement was scheduled for March 16 in Williamsport.
Image credit: Justlight, Adobestock
