Inside Job: Grabbing Patient Records for Fraud

Medicare Contractor’s Service Rep Sentenced to Prison

A former seasonal worker at a tech contractor supporting Medicare open enrollment has been sentenced to serve 42 months in prison after pleading guilty to a charge in connection with improperly accessing patient records, some of which were used to open fraudulent credit lines.

Court papers describe how the insider was able to access and copy thousands of individuals’ personal information.

In a statement, the Department of Justice said Colbi Trent Defiore, a Mississippi resident, was sentenced in a Louisiana federal court for accessing and obtaining without authorization the personal identifying information of 8,000 individuals through “bulk searches” he conducted of the Department of Health and Human Services’ database.

The court will soon determine the amount of restitution Defiore will be ordered to pay, the Justice Department says.

Seasonal Help

Prosecutors say Defiore was a seasonal employee at an unidentified Virginia-based technology firm – described in court papers only as “Company A” – that supported HHS’ Centers for Medicare and Medicaid Services with call center services during Medicare open enrollment. Defiore was a customer service representative at the company’s call center in Bogalusa, Louisiana.

General Dynamics Information Technology confirmed to Information Security Media Group that a breach notification statement the company issued in December 2018 was related to the incident involving Defiore.

The company says it sold operations of the Bogalusa contact center in November 2018 as part of the sale of the company’s public-facing contact-center business to Maximus Corp.

In a statement provided to ISMG, the company says: “In November 2018, GDIT learned that a now former employee, while working as a customer service representative at a contact center in Bogalusa, Louisiana, had accessed a limited number of consumer records held in a computer system without authorization. Upon discovering this activity, we promptly alerted law enforcement and notified all of the identified individuals whose records were potentially accessed without authorization, offering them complimentary identity theft protection services for 24 months from AllClear ID.”

‘Bulk Searches’

Court papers indicate that Defiore was hired by the tech company three times – in 2014, 2017 and 2018. The criminal case involved his last stint, between September and November 2018.

Defiore’s employer “took a series of security measures to protect consumers’ PII and supervise its employees, including requiring all employees to undergo training on how to handle consumers’ PII appropriately,” prosecutors say.

On numerous occasions in November 2018, Defiore accessed and obtained without authorization the PII of individuals “for the purpose of his private financial gain and in furtherance of criminal acts, including wire fraud,” prosecutors say.

“Defiore conducted ‘bulk searches’ of the database, which he was prohibited from doing, and was able to view the personal information of customers,” according to the Justice Department.

“Defiore copied the results of his searches onto a virtual clipboard and sent them to himself via email. After work hours, Defiore accessed [his employer’s] network remotely without authorization to retrieve his work email.”

Defiore then used the information on at least five consumers to apply fraudulently for at least six credit cards, loans and lines of credit for his personal benefit, prosecutors say.

Defiore’s conduct caused about $587,000 in expenses to the call center company, including costs associated with providing identity theft protection services for individuals affected, court papers indicate.

Improper Access

Defiore’s employer provided to law enforcement officials an audio and video recording of Defiore’s workstation while he assisted a customer over the phone on Nov. 6, 2018, prosecutors say. The video allegedly shows him conducting a series of bulk database searches based on first and last names unrelated to the customer he was supporting at the time.

In addition to the recordings of Defiore’s customer sessions, his employer used a data loss prevention tool that recorded suspicious activity involving consumer PII, court papers say.

“Defiore was expressly precluded from performing bulk searches based solely on first and last names to minimize unnecessary access to consumer data,” the court documents state.

Prosecutors say the investigation found that, on multiple occasions, Defiore copied the customer data from the virtual clipboard, pasted it into his internal work email account and then sent those emails to his own email account at the company.

Defiore’s employer’s email servers were in data centers in Virginia, prosecutors note, so the emails Defiore sent to himself containing PII were electronically transmitted across state lines.

When Defiore logged onto his work email remotely at a later time to access the customer data, he “effectively transferred” the PII out of his employer’s facilities, prosecutors say.

Remote Workarounds?

Defiore’s employer used “a single sign-on, multifactor authentication application for remote access, which was accessible from a computer or a mobile application,” court papers say.

Upon entering credentials into the login screen, employees received a software token that was verified before completing the login process, court papers say. This allowed an employee to obtain remote access – including to work email – through a virtual private network onto the company’s network.

As a customer service representative, however, Defiore was not authorized to receive any software tokens that would allow remote access to his employer’s network, prosecutors say.

But in October 2018, Defiore used a mobile phone to set up the multifactor authentication process that enabled him to remotely access his employer’s network using his mobile phone or personal computer, according to court documents.

Records show that the remote activity was attributed to an account from an IP address associated with Defiore, prosecutors say.

Defiore pleaded guilty in January to one count of accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain. He faced a maximum five-year prison term.

‘Gig Economy’

Regulatory attorney Paul Hales of the law firm Hales Law Group notes that the case against Defiore highlights important issues for other organizations.

“In today’s ‘gig economy,’ background checks and close supervision of temporary employees who handle sensitive information are essential,” he says.

Although Defiore’s employer was able to provide the FBI with data logs and audio and video recordings documenting his unlawful access to protected health information, the company did not detect Defiore’s activity at the time he logged on to steal bulk information or when he emailed the PII to his personal email account, he notes.

“Safeguards – including workforce authorization and supervision, information system activity review, access control and log-in monitoring – may have detected Defiore’s activity in real time and stopped it,” he says.

Lessons Learned

So, how can other organizations better prevent workers from conducting activities such as “bulk searches” on databases containing sensitive customer information?

“Ideally, the user’s role-based access would limit the ability to conduct a bulk search and to remotely access the system if that was not within their job responsibilities,” says regulatory attorney Marti Arvin of security consulting firm CynergisTek.

“Unfortunately, companies often have to trade off tight technical controls on user’s role-based access as a practical matter so they are not trying to manage thousands of roles,” she notes.

If role-based access cannot be done through a technical control, then it requires processes to monitor user activity, Arvin adds.
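As an added illustration, not code from the case, the contractor or this article, the two controls Arvin describes in Python: a role-based gate placed in front of the record search and the remote-access token enrollment, and an activity review over the search audit trail that flags lookups unrelated to the caller being assisted and name-only search bursts. The role names, query field names and the sample audit events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role policy (an assumption, not the contractor's real configuration):
# whether a role may run name-only "bulk" searches or enroll a remote-access MFA token.
POLICY = {
    "csr":        {"bulk_search": False, "remote_token": False},
    "supervisor": {"bulk_search": True,  "remote_token": True},
}
# Query fields that pin a search to one record; a search carrying none of them is "bulk".
UNIQUE_IDS = {"member_id", "claim_id"}

def authorize(role, action, fields=()):
    """Role-based gate evaluated before a request reaches the database or MFA enrollment."""
    rights = POLICY.get(role, {})
    if action == "search":
        bulk = not (set(fields) & UNIQUE_IDS)
        return (not bulk) or rights.get("bulk_search", False)
    if action == "enroll_remote_token":
        return rights.get("remote_token", False)
    return False

def review_activity(events, window=timedelta(minutes=5), max_searches=10):
    """Flags searches on a subject other than the assisted caller, and bursts over max_searches per window."""
    findings, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "search":
            continue
        if e["target"] != e["caller"]:
            findings.append((e["user"], e["ts"], "search unrelated to active call"))
        hist = recent[e["user"]]
        hist.append(e["ts"])
        while e["ts"] - hist[0] > window:   # drop timestamps older than the window
            hist.pop(0)
        if len(hist) > max_searches:
            findings.append((e["user"], e["ts"], "bulk search burst"))
            hist.clear()                    # one finding per burst
    return findings

# Constructed sample audit trail (not the real case data): one CSR looks up a dozen
# names unrelated to the single caller on the line, all inside three minutes.
T0 = datetime(2018, 11, 6, 10, 0)
SAMPLE_EVENTS = [{"ts": T0, "user": "csr07", "action": "search",
                  "target": "Doe, Jane", "caller": "Doe, Jane"}] + [
    {"ts": T0 + timedelta(seconds=15 * i), "user": "csr07", "action": "search",
     "target": f"Person{i}, Test", "caller": "Doe, Jane"} for i in range(1, 13)]
if __name__ == "__main__":
    for user, ts, reason in review_activity(SAMPLE_EVENTS):
        print(ts.time(), user, reason)
```

The gate refuses both the name-only search and the token enrollment for the CSR role up front, while the review catches the same pattern after the fact when only monitoring is available.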

“Without monitoring network and online activities of staff, entities open themselves up to a large menu of civil and regulatory liability,” warns technology attorney Steven Teppler, partner at the law firm Mandelbaum Salsburg P.C.

“Establish policies, review them from time to time, enforce them and monitor enforcement. Also, consider cyber insurance that covers insider fraud,” he suggests.
