Seasonal Staff Sentenced to 42-Months In Jail for Theft of Information from Healthcare.Gov Database

A seasonal staff at a tech firm in Virginia got sentenced to 42 months imprisonment for accessing patient files, theft of personally identifiable information (PII), and used the PII for monetary gain. The tech company offers support to the Centers for Medicare & Medicaid Services (CMS) by running contact centers that gave help with Medicare enrollment and other services.

When Colbi Trent Defiore, 27, of Carriere, MS worked at a call center in Bogalusa, LA, he accessed the protected health information (PHI) of over 8,000 people located in the HHS database without permission, duplicated the information, and employed it for criminal actions, which include applying for credit lines in the names of other persons.

Defiore worked at the organization thrice in 2014, 2017, and 2018. He was discovered to have viewed data without authorization the last occasion he was employed at the firm. The firm already took action to make sure personally identifiable information (PII) was safe and had given training to all staff on how to manage that data safely.

In November 2018, Defiore performed bulk queries of the database, which were not authorized, and replicated that information to a online clipboard. The details was then placed into his work email account and was delivered to his email account. The stolen records were then employed to deceitfully get about 6 credit cards and financial loans and to apply for lines of credit for personal financial gain.

The tech organization discovered the illegal access and reported the issue to the police. The company provided law enforcement with audio and video files of Defiore while in a phone call with a client on November 6, 2018. The recordings proved Defiore doing a bulk research of the database employing first and last names not connected to the phone he was having. A data loss prevention program likewise recognized suspicious activity connected to PII data.

It was found that Defiore has remotely utilized his company email account beyond work time on many instances to obtain the data. Prosecutors mentioned that the data center of the firm was situated in Virginia, thus when Defiore moved the PII to his work email account, the data crossed state lines and so this a federal offense.

As per court docs, Defiore’s employer had carried out security procedures to keep customer service workers including Defiore from remotely accessing work email accounts. One sign-on, multi-factor authentication app was used for remote access, which can be accessed from a PC or mobile software. A software token was necessary to validate a user to proceed with the remote login process.

Defiore used the multifactor authentication on a mobile phone via a Virtual Private Network in October 2018 and received the application token that would allow him to remotely get] access to his work email account with his personal cellular phone or computer. The investigation discovered an IP address linked to Defiore was utilized to remotely access his company email account.

Due to Defiore’s activities, his company sustained $587,000 in losses including breach notification expenditures and giving identity theft protection services to the persons whose PII was compromised.

Defiore pleaded guilty to one count of purposefully accessing a secured computer with no permission for the motive of commercial and private monetary benefit. Along with the 42-month imprisonment, Defiore need to undertake 3-years of closely watched release and must pay a $100 special assessment charge. A hearing was booked for January 12, 2021 to ascertain the total of restitution Defiore ought to pay.