Network Engineer Gets Five Years For Destroying Former Employer's Data

A San Diego network engineer, Jon Paul Oson, was sentenced to more than five years in prison this week for intentionally damaging computers at his former workplace.

The sentence issued Monday is one of the longest imposed to date in the United States for computer hacking, according to the Office of the U.S. Attorney in San Diego.

Oson was convicted last summer of accessing the network of his former employer, The Council of Community Health Clinics (CCC), without authorization. CCC provides various services to 17 regional health clinics in San Diego and Imperial counties in California.

According to the government's account of the jury findings, Oson resigned from CCC following a negative performance review. He subsequently accessed the CCC network, disabled the automatic backup process, and later deleted data and software on CCC servers, including patient data belonging to North County Health Services Clinic (NCHS), one of CCC's member clinics.

The intrusion was made through a server that held medical information submitted by CCC member clinics for a federal research program, according to the government's trial brief. Access to it was supposed to be restricted because it contained personally identifiable medical information. But the server was in fact accessible through the Internet using the "Remote Desktop" application that's part of Windows Terminal Services, with a CCC password.

During the internal CCC investigation into the breach, engineers concluded that the damage had to have been done by an insider who had knowledge of CCC's systems. Server logs revealed that the intruder had used a computer named "TEMP3" that had been equipped to work with an HP 2100 LaserJet printer.

Those investigating the incident searched CCC's computer logs for other logins associated with that model printer. Only one CCC employee was found to have logged in remotely using a computer associated with an HP 2100 printer: Jon Oson, using his CCC-supplied computer named CCC-JOSON.

Another unauthorized access was made using a computer named "KUKU," the nickname of Oson's son, the trial brief says. Additional evidence pointing to Oson was uncovered and a search warrant was obtained for Oson's residence. An HP 2100 LaserJet printer was found at Oson's house.

The computers seized from Oson's residence all had their operating systems re-installed after December 29, 2005, the date of the last unauthorized access, effectively erasing potential evidence on them. However, other evidence gathered from CCC's logs and witness testimony proved sufficiently compelling for the jury to convict Oson.

The trial brief says that the deletion of CCC's data hit the organization hard. "Patients who visited the clinic in the weeks following the network disruption were kept waiting hours and sometimes futilely while their charts were located and delivered to the appropriate clinic and doctor," the court documents explain. "With the shutdown of its Practice Management system, NCHS had to shift to a paper-based system. It took dedicated NCHS staff months to collect the paper records, input them into Practice Manager and initiate billing for those visits. The unavailability of charts and the associated computerized records impacted patient care."

Oson was ordered pay restitution of $144,358.83 to CCC and $264,979.00 to NCHS.