Former Systems Administrator Gets Prison Time
Defendant Continued Systems Access After Leaving Pennsylvania Clinic Group
A former systems administrator who was on the job at a Pennsylvania clinic group for only about three weeks has been sentenced to 27 months in federal prison after being convicted in a case involving wire fraud and computer hacking.
The former employee used clinic credentials to delete computer settings and data - including patient information - as well as to make fraudulent technology purchases, prosecutors say.
The case highlights the importance of managing administrative credentials, and in particular of rotating them and revoking access promptly when employees leave an organization.
The Department of Justice says Brandon Coughlin, a 29-year-old resident of Texas, "intentionally hacked and damaged" 13 servers operated by Pennsylvania-based Centerville Clinics Inc. and engaged in a scheme to defraud the clinics group by using the organization's purchase card to order merchandise from Staples.
Indictment documents say that on or about Jan. 16, 2013, Coughlin was hired as the "in-house systems administrator" of Centerville Clinics' computer systems, and "was aware of the administrative credentials necessary to gain access, modify settings and control all computer systems at the healthcare entity."
On Feb. 4, 2013, Coughlin was asked to resign and did so. Other court documents indicate Coughlin was asked to leave because his former employer, Home Depot, allegedly pressed charges related to fraud.
Nonetheless, the indictment document says the clinic group's administrative credentials to its computer systems "and the web-based email server" were not changed after Coughlin left the employment of the clinic.
About two days after ending his job at the clinics, "Coughlin created an undisclosed new administrative account giving him full access and control of [the clinics'] computer system, without the knowledge, consent or authorization of the healthcare entity's management officials," the indictment says.
The clinics' system administrator's credentials "were not changed until mid-2015, well after the defendant left the employ of the healthcare entity," the indictment says.
Prosecutors say Coughlin committed his crimes in that window, after he left his job at the clinics and before the credentials were finally changed.
From about Feb. 6, 2013 through about Sept. 18, 2013, Coughlin "knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers belonging to [the clinics]," indictment papers indicate.
Coughlin "accessed the protected computer servers of [the clinics] using the new undisclosed and unauthorized administrative account, disabled all administrative accounts needed to control any and all of the protected computer servers of [the clinics] and deleted users' network shares, business data, and patient health information data, including patient medical records from those protected computer servers," the court documents say.
Prosecutors say the administrative portal of the email server of the clinic group "could be reached via the internet from anywhere in the country and the person using the administrative credential could access and read any email in any user's email account and also implement administrative rules on users' accounts to delete emails from certain senders and forward incoming emails to other email accounts."
The DOJ says Coughlin caused a financial loss of approximately $60,000 for the clinics and also caused the organization "to cease its medical treatment of patients until its system was restored."
In addition to breaching and tampering with the clinics' computer systems to change user accounts and delete data, federal prosecutors say Coughlin used the clinics' credentials and the purchase card account information to gain access to the clinics' Staples account and to fraudulently purchase several Apple tablet computers.
The U.S. Department of Health and Human Services does not list Centerville Clinics Inc. or CCI as having reported any data breach affecting the protected health information of 500 or more individuals on its HIPAA Breach Reporting Tool website, commonly called the "wall of shame."
In a statement provided to Information Security Media Group, Centerville Clinics says it hired an outside firm to analyze the impact of Brandon Coughlin's unauthorized access to its systems. "We reviewed the facts under the four-part breach analysis under HIPAA and concluded that since there was no evidence that the electronic medical record database or any protected health information contained in the database was viewed, and it was mathematically impossible for the database to have been downloaded during the brief period of unauthorized access, there was a low probability that the PHI has been compromised, and that no HIPAA breach occurred," the statement notes.
Centerville Clinics' 11 locations use a common electronic health record system, a spokesman for the clinics says.
Subsequent to this incident, Centerville Clinics says it has taken a number of steps to prevent a recurrence of unauthorized access to its PHI, including, among others:
- Disabled remote access to servers from any account with administrative privileges;
- Implemented a new policy to change administrative passwords - both locally and on the domain - every six months;
- Ensured all servers are up to date on Windows security updates;
- Began identifying and deleting inactive user accounts.
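The last of those steps, together with the offboarding failure at the heart of the case, is easy to turn into a routine audit. The following is an added example, not code from Centerville Clinics or from the article: it runs over a constructed list of user records shaped like an Active Directory user export (logon name, enabled flag, last logon date, group memberships) and a constructed HR termination list, and reports idle accounts, privileged accounts nobody approved, and accounts that are still enabled after the person's recorded departure. The field names, the 90-day idle threshold, the approved-admin list, the audit date and every account in the sample are assumptions.

```python
"""Audit a directory export for stale, orphaned and unexpected privileged accounts.

Added example, not code from Centerville Clinics or the article. All records,
names, dates and thresholds below are constructed assumptions.
"""
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
APPROVED_ADMINS = {"itadmin"}        # assumed: the only accounts allowed admin rights
AUDIT_DATE = date(2013, 9, 18)       # assumed date the audit is run

# Constructed sample records (not real directory data).
SAMPLE_USERS = [
    {"sam": "alice",       "enabled": True,  "lastLogon": date(2013, 9, 15), "groups": ["Domain Users"]},
    {"sam": "itadmin",     "enabled": True,  "lastLogon": date(2013, 9, 16), "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "oldvendor",   "enabled": True,  "lastLogon": date(2012, 11, 1), "groups": ["Domain Users"]},
    {"sam": "svc_unknown", "enabled": True,  "lastLogon": None,              "groups": ["Administrators"]},
    {"sam": "bob",         "enabled": False, "lastLogon": date(2011, 1, 1),  "groups": ["Domain Users"]},
]

# Constructed HR data: logon name -> termination date.
SAMPLE_TERMINATIONS = {"oldvendor": date(2013, 2, 4), "bob": date(2011, 1, 2)}


def stale_accounts(users, today, max_idle_days=90):
    """Enabled accounts that have never logged on, or not within the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        u["sam"] for u in users
        if u["enabled"] and (u["lastLogon"] is None or u["lastLogon"] < cutoff)
    )


def unexpected_admins(users, approved=APPROVED_ADMINS):
    """Enabled members of a privileged group that are not on the approved list."""
    return sorted(
        u["sam"] for u in users
        if u["enabled"] and PRIVILEGED_GROUPS & set(u["groups"]) and u["sam"] not in approved
    )


def orphaned_accounts(users, terminations, today):
    """Accounts still enabled although HR recorded the person as terminated.

    Maps logon name to the number of days the account outlived the
    termination date, the figure an auditor wants when judging offboarding.
    """
    return {
        u["sam"]: (today - terminations[u["sam"]]).days
        for u in users
        if u["enabled"] and u["sam"] in terminations and terminations[u["sam"]] <= today
    }


if __name__ == "__main__":
    print("stale:", stale_accounts(SAMPLE_USERS, AUDIT_DATE))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS))
    print("enabled after termination:", orphaned_accounts(SAMPLE_USERS, SAMPLE_TERMINATIONS, AUDIT_DATE))
```

The termination check is the one that matters most for a case like this one: an account that is still enabled the day after HR records a departure is a finding regardless of whether it has been idle, and a privileged account that appears in a directory export without appearing on an approved list is a finding regardless of who created it.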
Lessons to Learn
Mac McMillan, president of security consultancy CynergisTek, says the Coughlin case offers familiar lessons pertaining to insiders.
"The most dangerous employee we have from a cybersecurity perspective is someone who has elevated privileges and, in particular, those involved in managing the network, applications and data," McMillan says.
"They are also all too often overlooked in monitoring and audit efforts. The overwhelming majority of IT workers are hard-working, dedicated professionals like any other group. The challenge is that when it comes to cybersecurity, they present the greatest risk in the user population and our protections and audit activities need to reflect the risk."
Data access abuses committed by terminated employees are a problem for many entities that are slow to adopt more robust security practices, McMillan says.
"It is probably way more common than we'd like because discipline around security practices is not always where it should be. We know people leave organizations ... and are not always removed from the system as efficiently or timely as they should be," he says.
What makes the Coughlin case unusual, however, is that his tenure at the entity was so brief.
"The activities that Coughlin engaged in that allowed him to go undetected should not have been possible, or at the very least should have generated an auditable event," McMillan says. "Had that happened he might have been discovered earlier. The lesson is simple. The minute they join, [employees should be] educated on their responsibilities, monitored and when they leave [their credentials] removed immediately."
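Each of the actions the indictment describes (creating a new administrative account, adding it to a privileged group, disabling the existing administrative accounts, and logging in over the internet) produces a standard Windows Security log record. The block below is an added example, not code from the article, the clinic or prosecutors: a minimal detection pass over constructed log records using the documented Windows event IDs (4720 user created, 4728/4732 member added to a security-enabled group, 4725 user disabled, 4726 user deleted, 4624 logon, with logon type 10 meaning remote interactive). The approved-admin set, the internal network range and every value in the sample records are assumptions.

```python
"""Flag the account-management events a rogue administrator's actions generate.

Added example, not code from the article, the clinic or prosecutors. Event IDs
and field names follow the Windows Security log schema; the approved-admin set,
the site network and all sample records are constructed assumptions.
"""
import ipaddress

APPROVED_ADMINS = {"itadmin"}                      # assumed authorized admin accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site network

# Constructed sample records (field names as in the Windows event XML).
# Note the sequence: the still-valid "itadmin" credential creates a new account,
# that account is added to Domain Admins, logs in from outside, then disables itadmin.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "itadmin", "LogonType": 10, "IpAddress": "10.0.5.20"},
    {"EventID": 4720, "SubjectUserName": "itadmin", "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "SubjectUserName": "itadmin", "TargetUserName": "svc_backup2",
     "GroupName": "Domain Admins"},
    {"EventID": 4624, "TargetUserName": "svc_backup2", "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4725, "SubjectUserName": "svc_backup2", "TargetUserName": "itadmin"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
]


def is_external(ip):
    """True for an address outside the site range; placeholders and loopback count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" and similar placeholders are not addresses
        return False
    return not (addr.is_loopback or addr in INTERNAL_NET)


def detect(events, approved=APPROVED_ADMINS):
    """Return (severity, message) alerts; every rule keys on who acted and on whom."""
    alerts = []
    for ev in events:
        eid, subj, tgt = ev["EventID"], ev.get("SubjectUserName"), ev.get("TargetUserName")
        if eid == 4720:
            # Account creation is always recorded; by an unapproved subject it is high severity.
            alerts.append(("high" if subj not in approved else "info",
                           f"account {tgt} created by {subj}"))
        elif eid in (4728, 4732) and ev.get("GroupName") in PRIVILEGED_GROUPS:
            # Key on the new member, not the actor: a retained credential looks legitimate.
            if tgt not in approved:
                alerts.append(("high", f"{tgt} added to {ev['GroupName']} by {subj}"))
        elif eid in (4725, 4726) and tgt in approved:
            action = "disabled" if eid == 4725 else "deleted"
            alerts.append(("high", f"approved admin {tgt} {action} by {subj}"))
        elif eid == 4624 and ev.get("LogonType") == 10 and is_external(ev.get("IpAddress", "-")):
            alerts.append(("high", f"remote interactive logon for {tgt} from {ev['IpAddress']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The design choice worth noting is that the group-membership rule keys on the account being added rather than on the actor. When a departed administrator keeps a working credential, the actor in the log is the organization's own admin account and looks entirely legitimate; the anomaly is the appearance of a privileged account that no approval process knows about, followed by an approved admin being disabled by that new account.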