California man admits breaching more than 1.2M Geisinger patient records

Published: Feb. 27, 2026, 5:16 p.m.
Geisinger Medical Center. A California man has admitted breaching Danville-based Geisinger Health System patient records in 2023, downloading them into two computer files and then uploading them into his Microsoft Azure cloud account. (Courtesy of Geisinger Medical Center)





By John Beauge | Special to PennLive
WILLIAMSPORT — A California man has admitted breaching Geisinger Health System patient records in 2023, and removing protected information — including names, dates of birth and addresses — on 1.2 million people.

Max Vance, 46, of El Cajon, pleaded guilty Friday in U.S. Middle District Court to a charge of obtaining information from a protected computer.

The plea nearly did not occur as Vance, a Philadelphia native, wanted it to be contingent on him being released pending sentencing.

He had agreed the evidence against him outlined by Assistant U.S. Attorney Kyle A. Moreno was correct but hesitated when Judge Matthew W. Brann asked if he was pleading guilty.

When Vance said no, the judge announced the case would be set for trial and left the bench.

Vance changed his mind before marshals escorted him out of the courtroom. Brann returned and Vance admitted his guilt.

Terms of the plea agreement allow Vance to withdraw it if the judge does not agree to the stipulated provisions related to the sentence.

Among the provisions: that Vance will receive a sentence of time served followed by three years of supervised release and no fine.

Vance argued for immediate release claiming he has spent more time in jail since his arrest than the guideline minimum sentence for his crime. He also pointed out he does not have a prior criminal record.

The maximum sentence for the crime to which he pleaded guilty is five years. He has spent more than two years in jail since his arrest.

Brann ordered Vance remain detained, saying he needed to review the plea agreement to determine if he will accept the agreed-to sentence. If he does not, the case will go to trial on all charges including two recently added charges of false statements.

The plea agreement requires Vance to pay restitution but there is a dispute over the amount.

Records of more than 1.2 million Geisinger patients were accessed in the breach.

Information obtained included name, date of birth, address, admit and discharge code, medical record number, race, gender, phone number and care location.

Vance was a former principal healthcare interface engineer with a division of Nuance Communications Inc., a Microsoft company based in Burlington, Massachusetts, that provides information technology services to hospitals and major companies.

Geisinger discovered the breach on Nov. 29, 2023, but patients were not notified until June 24, 2024. It claims it delayed notification so as not to hinder a federal investigation.

This is what Moreno said occurred two days after Vance was fired for unrelated misconduct:

* Using his Nuance credentials he ran several queries of Geisinger’s servers for numerous categories of private patient information.

* He downloaded protected information of more than 1.2 million patients into two computer files. He then uploaded them into his Microsoft Azure cloud account.

* From there, he downloaded the files to the local drive on his laptop, removed his Azure account and cleared all its history and metadata. He then cleared his Internet browsing history.

* Devices seized during the execution of a search warrant at Vance’s California apartment revealed patient data files in the recycle bin of his Microsoft laptop and personal Samsung hard drive.

Vance changed his name legally from Andre J. Burk in Montgomery County in November 2021 and moved to California the following March.

At least six civil suits have been filed against Geisinger and Nuance in which victims claim the delay in advising them of the data breach increased the possibility of identity theft.

The federal suits were consolidated and settled for $5 million.