Feds Allege Former IT Consultant Hacked Healthcare CompanyExperts: Case Spotlights Critical, But Often Overlooked, Insider Threats, Risks
A former IT consultant has been charged in an Illinois federal court for allegedly hacking into a computer server of a healthcare company client that prosecutors say had months earlier denied him employment with the organization.
The Department of Justice in a statement Wednesday says Aaron Lockner, 35, of Downers Grove, Illinois, has been indicted on one count of intentionally causing damage to a protected computer. The charge is punishable by up to 10 years in federal prison, the Justice Department says.
Lockner's arraignment in the U.S. District Court in the Northern District of Illinois, Eastern Division, is scheduled for May 31.
Prosecutors allege that Lockner, on April 16, 2018, illegally accessed the server of a healthcare company that operated clinics in Oak Lawn, Illinois, and in other parts of the state as well as in other states. The company's servers are located in Lombard, Illinois, court documents say.
"Insider threats definitely do not draw enough attention. They represent a risk that is perhaps even greater than that of external threats."
—Erik Weinick, Otterbourg PC
Court documents say Lockner was employed by an IT firm that was contracted to provide security and technology services to the healthcare company. Lockner had sought - and was denied - employment at the healthcare company in February 2018 and was terminated by the IT contracting firm in March 2018, court documents allege.
On or about April 16, 2018, Lockner allegedly "knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer" belonging to the healthcare company, according to the indictment document.
Lockner's alleged conduct "caused the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals," the indictment says.
Neither the healthcare company nor the third-party IT contracting company for which Lockner worked were identified in court documents.
Also, neither the Justice Department nor an attorney representing Lockner immediately responded to Information Security Media Group's request for comment and additional information.
In April, the Department of Health and Human Services' Health Sector Cybersecurity Coordinating Center, or HC3, issued a threat brief spotlighting the risks and challenges the healthcare sector faces because of insider threats, including fraud, data theft, system sabotage, competitive loss, liability issues and brand damage (see: Mitigating Insider Security Threats in Healthcare).
Some legal experts say the case involving Lockner also highlights data security threats and risks posed by insiders, which should not be underestimated by healthcare sector entities or other organizations.
"Insider threats definitely do not draw enough attention," says privacy and security attorney Erik Weinick of the law firm Otterbourg PC.
"They represent a risk that is perhaps even greater than that of external threats because of the insider’s direct knowledge of an organization’s information systems and what data is most valuable, and what type of action may inflict the most damage on an organization," he says.
"You are always most vulnerable to those that you trust."
—Nick Bunch, Haynes and Boone LLP
Weinick says data security incidents involving insiders do not draw as much attention as external intrusions because, "Those responsible for hiring an individual who goes rogue are embarrassed for putting that person into a position of trust and do not want to publicize the incident."
Former federal prosecutor Nick Bunch, a partner at law firm Haynes and Boone LLP, offers a similar assessment. "There is no question that the greatest threat to corporate security is from the inside - people who have been given access to the internal systems and networks and can use inside information to cause damage and harm," he says.
"You are always most vulnerable to those that you trust. And too often, they can use that trust to take advantage of the company, its employees and its customers," Bunch says.
Bunch says that the allegations against Lockner are similar to those in a case he prosecuted while at the Department of Justice, involving a former IT engineer at a major law firm who became disgruntled and quit - after installing a backdoor into the firm's network.
In that case, the former IT worker was convicted of attacking the law firm's network several times in 2011, "issuing instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts," according to the Justice Department.
The defendant in that case was sentenced in 2016 to 115 months in federal prison and ordered to pay nearly $1.7 million in restitution.
The Lockner case highlights the need to carefully vet employees "to the fullest extent allowed by law - before they are hired - and to carefully monitor employees while they are employed - again, to the fullest extent allowed by law," Weinick says.
"These are not processes that should be rushed or glossed over simply because employers are currently facing challenges in hiring," he says.
"It also highlights the need to segment and/or silo the access particular individuals have to systems. Organizations of all types should really try and limit an employee's access to only those systems and data they need for their job. Of course, for more highly placed employees, this is more difficult."
But attention to employees' access to data and systems should continue even when their employment terminates, experts say.
"When an employee leaves, organizations need to make sure their access is cut off immediately. Their username needs to be disabled, their remote access to systems eliminated, and any 'general passwords' - which are never a good idea anyway - need to be changed," Weinick says.
Bunch says IT departments need to be "constantly vigilant" about what is on the network and where it has potential exposure.
"When employees leave, especially disgruntled ones, IT needs to scrub the network, change the passwords, update login information, and generally be sensitive to what that disgruntled employee knew and what he or she had access to," Bunch says.
"IT departments should be doing that regularly regardless of who is employed, but certainly when someone quits who wasn’t happy."
Weinick says that organizations may also want to consider eliminating or drastically limiting an employee's access to systems from the time they announce their departure or are terminated until their actual last day of work. This can help prevent opportunities for improper conduct while the individuals still has authorized access to systems, he says, adding that organizations "may also want to check the system for any unauthorized or nefarious programs, apps or codes that the departing employee left in place."