Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/17/2012
11:50 AM
50%
50%

Patient Data Theft Sends IT Specialist To Jail

Atlanta man gets 13 months for hacking into former employer's computer database and stealing patient data for a competing medical practice.

12 Mobile Health Apps Worth A Closer Look
9 Mobile Health Apps Worth A Closer Look
(click image for larger view and for slideshow)
Eric McNeal, a 38-year-old information technology specialist from Atlanta, Ga., has been sentenced for hacking into the patient database of a former employer, stealing patient information, and then deleting the information from the system.

For his crime, McNeal was sentenced on Jan. 10 to serve 13 months in prison with three years of supervision after his release. McNeal also was ordered to perform 120 hours of community service.

"The circumstances of this case and resulting patient data breach is very common," and can happen in any size of practice, Rick Kam, president and co-founder of ID Experts told InformationWeek Healthcare. According to court documents, McNeal, who pleaded guilty to the charge on Sept. 28, worked as an information technology specialist for APA, a perinatal medical practice in Atlanta. He left APA in November 2009, and subsequently joined a competing perinatal medical practice, which was located in the same building as APA.

[ Explore docs' fascination with iPads. See Apple Capitalizes On Doctors' iPad Romance. ]

In April 2010, McNeal used his home computer to hack into APA's patient database; download the names, telephone numbers, and addresses of APA's patients; and then delete all the patient information from APA's system. McNeal used the patient names and contact information he stole to launch a direct-mail marketing campaign for his new employer. There is no evidence that McNeal downloaded or misused specific patient medical information.

Christine Marciano, president of Cyber Data Risk Managers, said medical facilities looking at this case should ask themselves how they can realistically protect against similar hacking attempts. "Having an exit strategy in place when an employee leaves or is terminated should be strictly enforced," Marciano told InformationWeek Healthcare. "The exit strategy needs to include cutting off the employee's access to all of the facility's databases in order to prevent unauthorized access."

Richard Santalesa, senior counsel at InfoLawGroup, said because McNeal pleaded guilty his sentence was reduced, and noted that McNeal could have received a five-year federal prison sentence for his crimes.

"Anyone who gives their personal information to a doctor or medical facility does not expect that their information will be hacked and used to make money," U.S. Attorney Sally Quillian Yates, said in a statement. "The cost of medical care is already high enough without patients having to pay a heavier cost with the loss of their privacy."

When are emerging technologies ready for clinical use? In the new issue of InformationWeek Healthcare, find out how three promising innovations--personalized medicine, clinical analytics, and natural language processing--show the trade-offs. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/18/2012 | 1:20:16 AM
re: Patient Data Theft Sends IT Specialist To Jail
Symantec recently released some interesting research about insider threats and the profile of employees who tend to go rogue that is good reading for organizations worried about this kind of breach.
http://www.symantec.com/connec...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19740
PUBLISHED: 2019-12-12
Octeth Oempro 4.7 allows SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
CVE-2019-19746
PUBLISHED: 2019-12-12
make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
CVE-2019-19748
PUBLISHED: 2019-12-12
The Work Time Calendar app before 4.7.1 for Jira allows XSS.
CVE-2017-18640
PUBLISHED: 2019-12-12
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2019-19726
PUBLISHED: 2019-12-12
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from th...