Terminated Employee Accused of Stealing 1M Patient Records
A former Nuance Communications insider is facing additional federal charges in a criminal case alleging that, two days after he was terminated from his job in 2023, he downloaded more than 1 million patient records belonging to customer Geisinger Health and saved them on a personal external hard drive.
In a superseding indictment filed Tuesday in a Pennsylvania federal court, prosecutors charged Max Vance, who is also known as Andre Burk, with two counts of making false statements to FBI agents.
The new indictment alleges Vance lied to FBI agents in January 2024 when he denied downloading more than 1 million patient records he was not authorized to access after he was terminated from his job at Nuance in 2023, and then lied again about transferring that patient information onto a personal external hard drive.
At the time of the incident, Nuance – now part of Microsoft – provided a variety of IT services to Geisinger Health, a regional health system in Pennsylvania.
The superseding indictment, like the original indictment against Vance in January 2024, seeks to have Vance forfeit his “personal external drive (USB drive), Samsung model PSSD T7,” which prosecutors allege contains the illegally obtained patient information. Both indictment documents also seek to have Vance turn over any proceeds obtained directly or indirectly from his alleged offenses.
The new charges are in addition to the one count of “obtaining information from a protected computer” (see: Nuance Ex-Employee Indicted for Breach Affecting 1 Million).
The criminal complaint against Vance is sealed by the court. Vance is in custody in a county jail as he awaits trial, and is defending himself in the case with assistance from a public defender, who did not immediately respond to Information Security Media Group’s request for comment.
Vance’s trial had been slated for August 2024 but has been postponed by the court several times. It is now scheduled for April 20.
Prosecutors likely decided to add the additional charges against Vance – two years after their first indictment – because they gathered additional evidence, said regulatory attorney Rachel Rose, who is not involved in the Vance case.
“The timing is prosecutorial discretion and may be strategic, especially since the trial was moved,” she said.
Even without Vance’s USB drive, prosecutors likely have other strong evidence of the alleged crimes, she said.
“Geisinger is sophisticated and if the download has been tracked either by Nuance or Geisinger or tracked on the dark web to an IP address tied to the defendant, then that would also be actual direct evidence,” she said.
Nuance reported the data breach on Sept. 15, 2023 to federal regulators as a hacking incident affecting more than 1.2 million individuals.
Patient information compromised in the breach included name, birthdate, address, medical record number, race, gender, phone number and facility name abbreviation, Geisinger said in a January 2024 statement.
Geisinger said that on Nov. 29, 2023, it discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated.
Nuance permanently disconnected its former employee’s access to Geisinger’s records. Law enforcement was notified and Vance was later arrested, Geisinger said.
Last November, a federal court approved a $5 million settlement in consolidated class action litigation filed against Nuance and Geisinger.
A final approval court hearing for the settlement is set for March 16 (see: $5M Settlement in Geisinger Health, Nuance Insider Breach).
The Nuance-Geisinger incident offers important lessons for other health sector entities and their IT vendors, Rose said.
“It underscores that both covered entities and business associates need to conduct thorough background checks and have adequate technical, administrative and physical safeguards, as well as an adequate and effective compliance program,” she said.
Also, employees who leave a company must honor their ongoing confidentiality obligations, and employers should have formal offboarding procedures in place, she said.
That includes not only immediately terminating ex-employees’ access to computer systems, but also their physical access to the data center and secure rooms.