Former HHS CyberSec Chief Faces Prison

Convicted on Child Pornography Charges
Former HHS CyberSec Chief Faces Prison

A former acting director of cybersecurity at the Department of Health and Human Services has been sentenced to 25 years in federal prison after being convicted on several child pornography charges.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

The Jan. 5 sentencing of Timothy DeFoggi follows his conviction on Aug. 26, 2014, after a four-day jury trial in the U.S. District Court of Nebraska, according to the U.S. Department of Justice.

DeFoggi, who prosecutors says was a member of the Tor-network-based child pornography website, was convicted of engaging in a child exploitation enterprise, conspiracy to advertise and distribute child pornography and accessing a computer with intent to view child pornography.

Indictment papers in the case were filed against DeFoggi and several others on March 20, 2013. DeFoggi had been employed at HHS during the time of the alleged crimes in 2012, and was apparently still employed at HHS even after he was indicted in 2013.

However, court papers indicate that DeFoggi on May 13, 2013, was "detained" without bail at a correctional facility, citing "the nature and seriousness of the danger posed by the defendant's release." The detention papers cite DeFoggi's "on-line communications with others regarding sadistic and bizarre actions to be taken with children."

An HHS spokesman tells Information Security Media Group that "DeFoggi was employed at HHS, first at the Indian Health Service as a supervisory IT specialist from September 2008 until March 2012, and then at the HHS Office of the Assistant Secretary for Administration as a lead IT specialist from March 2012 until January 2014." When asked about DeFoggi's HHS employment tenure overlapping the crimes and extending beyond his indictment, the spokesman told ISMG, "we're not at liberty to provide any further details since that relates to a personnel matter, which we do not discuss publicly."

Before working for HHS, DeFoggi was a counterintelligence official at the Department of Energy, according to a copy of his résumé supplied to ISMG by the Justice Department, which presented the document as evidence at DeFoggi's trial.

A DOJ statement about DeFoggi's conviction in August said evidence presented at his trial showed that DeFoggi was registered as a member of the Tor-network-based child pornography website on March 2, 2012, and maintained his membership and activity until Dec. 8, 2012, when the website was taken down by the FBI.

"The website's users utilized advanced technological means in order to undermine law enforcement's attempts to identify them," the DOJ statement said. "The website was accessible only through Tor, an Internet application specifically designed to facilitate anonymous communication. Acting under the cloak of anonymity, users advised others on best practices to prevent detection by law enforcement, including advice about the proper use of encryption software, techniques to hide or password-protect child pornography collections, and programs to remove data from a user's computer."

Role at HHS

An organizational chart contained in an HHS fiscal 2014 document Public Health and Social Services Emergency Fund - Justification of Estimates for Appropriations Committees lists DeFoggi reporting to HHS CISO Kevin Charest. The document lists DeFoggi as heading "OS IT security operations," with several other unnamed managers reporting to him in areas including operations and program management; security monitoring and incident response; risk management and audit remediation; vulnerability/patch management; asset management; and configuration management.

DeFoggi's résumé indicates that he became acting director of HHS cybersecurity operations in September 2008. In that role, according to the document, he was paid an annual salary of $144,385 and was "responsible for agency-wide IT security policy, incident response, evaluation and implementation of security tools, oversight and compliance, and system accreditation for all IT systems." His résumé says he was also "accountable for the protection of all personally identifiable and personal health information through implementation and enforcement of FISMA, HITECH and HIPAA regulations."

Prior to joining HHS, DeFoggi from May 2006 to September 2008 worked for the Department of Energy office of counterintelligence as director of emerging programs and as a counterintelligence officer, the résumé shows.

A DOJ spokesman tells ISMG that there was no evidence presented at DeFoggi's trial that indicated he used or accessed government computers or other federal IT to commit his crimes. Prosecutors, however, did argue that DeFoggi tapped his federal technology know-how for the criminal activity.

"Using the same technological expertise he employed as acting director of cybersecurity at HHS, DeFoggi attempted to sexually exploit children and traffic in child pornography through an anonymous computer network of child predators," Assistant Attorney General Leslie Caldwell said in a Jan. 5 statement. "But dangerous criminals cannot be allowed to operate on-line with impunity."

Sixth Conviction

DeFoggi was the sixth individual to be convicted as part of an ongoing investigation targeting three Tor-network-based child pornography websites, according to the Justice Department.

The websites were run by a single administrator, Aaron McGrath, who was previously convicted of engaging in a child exploitation enterprise in connection with his administration of the websites, prosecutors say. On Jan. 31, 2014, McGrath was sentenced to 20 years in prison by a U.S. District judge. In addition, four other members of the same website as DeFoggi were convicted and sentenced in connection with their illegal activity on the site. Those sentences ranged from 12 to 20 years in prison.

DOJ says the cases were brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 to combat child sexual exploitation and abuse.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.