Nuance Communications Employee Sentenced for Data Breach Violation

A former employee of Nuance Communications has been sentenced for illegally accessing and copying the sensitive data of approximately 1.2 million Geisinger Health System patients after he was terminated from employment.

Max Vance, 46, of El Cajon, California, who is now known as Andre J. Burk, worked as a principal healthcare engineer for Nuance Communications, which provided IT and conversational artificial intelligence services to Geisinger Health System. The unauthorized access occurred after Vance was terminated: he continued to access Nuance systems using credentials that remained active for two days after his termination.

To prevent unauthorized access attempts, business associate Nuance Communications should have revoked Vance’s credentials immediately after he was fired. During the time that his credentials remained active, Vance downloaded approximately 1.2 million patient records. The data included patient names, contact information, birth dates, race and gender information, admission and discharge dates, transfer codes, and medical record numbers.
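The control gap described above is a deprovisioning failure: an account outlived its owner's employment, and nothing flagged the activity while it was happening. The following Python example is added here as an illustration and is not code from the article, from Nuance Communications or from Geisinger Health System. It assumes a hypothetical HR offboarding feed (user name to termination timestamp), a hypothetical directory snapshot of which accounts are still enabled, and a simple constructed `key=value` access-log format; all sample data is constructed. It shows two defender-side checks: flag any authentication or export event by a terminated user after the termination time, and list terminated users whose accounts are still enabled.

```python
"""Detect credential use after termination by joining an HR offboarding
list against access logs, and list accounts that should have been disabled.
(Added example; log format, feeds and data are constructed, not real.)"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR offboarding feed: user -> time employment ended.
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
}

# Constructed directory snapshot: user -> account still enabled?
DIRECTORY = {
    "jdoe": True,     # never disabled after termination (the failure case)
    "asmith": True,   # current employee, enabled is fine
}

# Constructed access-log lines in a simple key=value format.
LOG_LINES = [
    "2024-03-01T09:12:00 user=jdoe action=login result=success",
    "2024-03-02T22:41:00 user=jdoe action=login result=success",
    "2024-03-02T22:45:00 user=jdoe action=export records=450000",
    "2024-03-03T01:10:00 user=jdoe action=export records=750000",
    "2024-03-03T08:00:00 user=asmith action=login result=success",
]


@dataclass
class Finding:
    user: str
    timestamp: datetime
    action: str
    hours_after_termination: float


def parse_line(line):
    """Split '<iso timestamp> k=v k=v ...' into (datetime, dict)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    return datetime.fromisoformat(ts_str), fields


def post_termination_access(log_lines, terminations, grace=timedelta(0)):
    """Return every event by a terminated user that occurred after the
    termination time (plus an optional grace period for clock skew)."""
    findings = []
    for line in log_lines:
        ts, fields = parse_line(line)
        term_at = terminations.get(fields.get("user"))
        if term_at is None or ts <= term_at + grace:
            continue
        hours = (ts - term_at).total_seconds() / 3600
        findings.append(Finding(fields["user"], ts, fields.get("action", "?"), hours))
    return findings


def records_exported_after_termination(log_lines, terminations):
    """Sum the 'records' field of export events flagged above."""
    total = 0
    for f in post_termination_access(log_lines, terminations):
        if f.action == "export":
            # Re-parse to read the records field of this exact event.
            for line in log_lines:
                ts, fields = parse_line(line)
                if ts == f.timestamp and fields.get("user") == f.user:
                    total += int(fields.get("records", 0))
    return total


def still_enabled_after_termination(directory, terminations, now):
    """Terminated users whose account is still enabled at time `now`:
    each one is an open offboarding ticket that should be closed."""
    return sorted(u for u, enabled in directory.items()
                  if enabled and u in terminations and terminations[u] < now)


if __name__ == "__main__":
    for f in post_termination_access(LOG_LINES, TERMINATIONS):
        print(f"{f.user} {f.action} at {f.timestamp} "
              f"({f.hours_after_termination:.1f} h after termination)")
    print("records exported after termination:",
          records_exported_after_termination(LOG_LINES, TERMINATIONS))
    print("accounts still enabled:",
          still_enabled_after_termination(DIRECTORY, TERMINATIONS,
                                          datetime(2024, 3, 3, 12, 0)))
```

The second check is the cheaper one to run continuously: comparing the HR feed against the directory once an hour would have surfaced an enabled account belonging to a terminated user long before two days had passed. The first check is the detection that fires when the first one has already failed.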

Geisinger Health System notified Nuance Communications about the unauthorized removal of data after discovering the data breach. Nuance then revoked Vance’s credentials. Law enforcement authorities were also notified, and Vance was subsequently arrested.

Vance pleaded guilty to obtaining information from a protected computer. The offense carried a potential sentence of up to five years. The sentencing guidelines suggested a prison term ranging from 27 to 30 months, in addition to a possible financial penalty.

Geisinger Health System claimed the incident resulted in approximately $550,000 in breach costs. Geisinger had settled a class action lawsuit related to the data breach for $5 million the previous year.

Vance represented himself during the legal proceedings and had remained incarcerated since early 2024. Chief Judge Matthew W. Brann of the United States District Court for the Middle District of Pennsylvania imposed a sentence of time served and three years of supervised release.

The sentence also requires participation in a mental health treatment program. The court did not impose a fine or require Vance to make restitution payments to Geisinger Health System.

This incident, in which a terminated employee gained unauthorized access to patient information and was subsequently indicted, demonstrates the potential penalties of a HIPAA violation.

Image credit: Evgen, AdobeStock / logo©NuanceCommunications


Posted by

John Blacksmith

John Blacksmith is a journalist with several years’ experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years’ experience.