A California man originally charged in the 2023 Geisinger Health System data breach now faces additional counts of making false statements to federal investigators. Max Vance is accused of lying to FBI agents about downloading unauthorized patient data onto his personal devices following his termination from a Microsoft subsidiary.

Max Vance, formerly known as Andre Burk, was a healthcare interface engineer for Nuance Communications when he allegedly accessed Geisinger’s servers without authorization. The breach occurred in late 2023, shortly after Vance was fired for unrelated misconduct, and resulted in the theft of personal information belonging to over 1.3 million patients. Federal prosecutors allege that Vance used his remaining credentials to run extensive queries and move sensitive data to his personal cloud account and local hard drives.

The scope of the stolen information was significant, including patient names, birth dates, addresses, and specific medical record numbers. While Geisinger discovered the intrusion in November 2023, the health system waited until June 2024 to notify the public. This delay was reportedly requested by federal authorities to ensure the ongoing criminal investigation was not compromised while they tracked the movement of the digital files.

Investigators eventually executed a search warrant at Vance’s residence in El Cajon, California, where they discovered the missing patient data. Although Vance had allegedly attempted to wipe his internet history and delete his cloud metadata, forensic teams found the files within the recycle bin of his laptop and on a personal Samsung hard drive. These findings directly contradicted statements he made to agents in early 2024, leading to the new charges in the superseding indictment.

The prosecution claims Vance took calculated steps to hide his tracks, including downloading more than 1.2 million patient records into two specific computer files before attempting to scrub his digital footprint. These actions form the basis of the charge for obtaining information from a protected computer, a crime for which he is currently being detained. The case highlights the vulnerabilities health systems face from former employees with high-level technical access.

Vance remains in custody as he awaits trial in the U.S. Middle District Court. The legal proceedings will address both the initial unauthorized access and the subsequent allegations that he attempted to mislead the FBI during the recovery of the stolen data. If convicted, the former engineer faces significant prison time for the breach and the intentional deception of federal officers.

Source: Man Accused In 2023 Geisinger Data Breach Faces Additional Charges