A former Nuance Communications employee admitted guilt in federal court to stealing information from a protected computer without authorization after accessing data connected to more than 1.2 million Geisinger Health System patients.
Guilty Plea
Max Vance, a 46-year-old resident of El Cajon, California, pleaded guilty on February 27, 2026 in the U.S. District Court for the Middle District of Pennsylvania. The charge involves stealing data from a protected computer without authorization.
The criminal case is connected to unauthorized access to patient information belonging to Geisinger Health System. According to Federal law, such a case is looking at a maximum penalty of five years of imprisonment, a $250,000 monetary penalty, and a supervised release term of up to three years.
A plea agreement filed about the matter proposes a sentence of time already served followed by three years of supervised release with no penalty. The agreement also provides for the dismissal of two counts related to false statements made to the Federal Bureau of Investigation. At the time of reporting, the court had not scheduled the sentencing hearing.
System Access After Employment Termination
Vance previously worked for Nuance Communications, which provided information technology services to Geisinger Health System and had system access involving patient data. He was terminated from his role for reasons unrelated to the later data access incident.
Two days after the termination of work contract, system credentials remained active. On November 29, 2023, the former employee used those credentials to access Geisinger systems and copy patient data. Geisinger identified the activity and notified Nuance Communications.
The former employee’s system access was subsequently removed. Authorities were notified and an investigation began.
Patient Data Affected by the Incident
The data accessed included the protected health information (PHI) of more than 1.2 million Geisinger patients. Categories of information included patient names, dates of birth, contact information, admission or discharge or transfer codes, medical record numbers, race, and gender.
Financial account data, Social Security numbers, and health insurance information were not included in the copied files according to reporting on the incident. The unauthorized activity was detected on November 29, 2023.
Investigation Findings
Law enforcement arrested Vance in February 2024. Investigators conducted a search of his property during the investigation and found electronic equipment containing the copied patient data. They also found two unregistered firearms, counterfeit ID materials, blank identification documents, and equipment used to produce ID cards.
Civil Litigation Following The Data Incident
Several lawsuits were filed in response to Geisinger patient data breach. Those cases were consolidated into a single federal proceeding identified as In re: Geisinger Health Data Security Incident Litigation.
Geisinger Health and Nuance Communications agreed to establish a settlement fund totaling $5,000,000 to resolve the consolidated claims. Court approval is required for the settlement to proceed. A final approval hearing was scheduled for March 16, 2026.
Individuals seeking compensation must submit claims by March 18, 2026. The class action covers more than one million individuals whose data was involved in the incident.