Penn Live reports an update to a case in which a former employee of IT vendor Nuance Communications downloaded Geisinger patient data in November 2023, two days after the employee had been terminated by Nuance. Geisinger detected the suspicious downloading and notified Nuance, who then permanently terminated his access. Max Vance, aka Andre J. Burk, was indicted on January 30, 2024. Notification to patients was delayed at the request of law enforcement.
As DataBreaches.net reported in June, Vance had a criminal history that raised questions about how he ever got employed by Nuance:
In reading some of the available court documents, DataBreaches noted that Vance had significant indicators of past and intended criminal conduct. The detention order issued by the Southern District of California noted that law enforcement found firearms and ammunition in his home despite a restraining order prohibiting him from owning any firearms. They also found numerous false IDs with his photo and a variety of names, blank ID forms and machines to create IDs, paperwork related to prior crimes and the requirement to appear in court. Vance’s history also revealed arrest warrants for failure to appear in court. Law enforcement also found a thumb drive in his car that contained “information from his former employer after he was fired.” The description does not indicate whether that former employer was Nuance or another former employer.
This past week, Vance had a bail hearing. Penn Live reports that investigators had found information on more than 1.2 million Geisinger Health System patients on his laptop:
The following is what Moreno in court and in a document alleges Vance did after Microsoft on Nov. 27, 2023, fired him for unrelated misconduct:
· Two days later using his Nuance credentials he ran several queries of Geisinger’s servers for numerous categories of private patient information.
· He downloaded protected information of more than 1.2 million patients into two computer files. He then uploaded them into his Microsoft Azure cloud account.
· From there, he downloaded the files to the local drive on his laptop, removed his Azure account and cleared all its history and metadata. He then cleared his Internet browsing history.
· Devices seized during the execution of a search warrant at Vance’s California apartment revealed patient data files in the recycle bin of his Microsoft laptop and personal Samsung hard drive.
An FBI review of those devices did not reveal evidence that the data was transferred to other devices or elsewhere, Moreno wrote.
Vance’s breach of Geisinger’s servers was recorded on video through digital software called SecureLink, he stated.
The government believes costs associated with Geisinger’s identification and response to the data breach are well over $1 million that could result in an enhanced sentence for Vance if he pleads or is found guilty.
Vance was denied bail.
More details of his history and the case can be found in the Penn Live story.