Medical Researcher Sentenced in IP Theft CaseProsecutors Say Insider Conspired to Sell Trade Secrets to China
The sentencing this week of a medical researcher who pleaded guilty in a federal case involving conspiracy to steal trade secrets from a children’s hospital and sell them to China spotlights the growing risks to intellectual property posed by insiders.
See Also: Automating Security Operations
The U.S. Department of Justice says Li Chen was sentenced to 30 months in prison for conspiring to steal exosome-related trade secrets concerning the research, identification and treatment of a range of pediatric medical conditions, including liver cancer and necrotizing enterocolitis, a condition found in premature babies.
Exosomes are a type of extracellular vesicle that contains DNA and RNA of the cells that secrete them.
Chen admitted in her guilty plea in July 2020 to stealing scientific trade secrets from the Columbus, Ohio-based Nationwide Children’s Hospital’s Research Institute. She also pleaded guilty to conspiring to commit wire fraud.
As part of her plea, Chen agreed to forfeit approximately $1.4 million in common stock received from two companies in exchange for exosome intellectual property Chen and her husband, Yu Zhou, claimed they owned.
Prosecutors say Chen and Zhou worked in separate medical research labs at the research institute for 10 years. They both pleaded guilty to conspiring to steal at least five trade secrets related to exosome research from Nationwide Children’s Hospital.
Chen and Zhou were arrested in California in July 2019. Zhou's sentencing is still pending.
Over the course of several years, Chen conspired to steal and then monetize one of the trade secrets by setting up a company in China for creating and selling exosome "isolation kits," according to court documents.
Chen received payments from the Chinese government and also applied to Chinese government talent plans, "a method used by China to transfer foreign research and technology to the Chinese government," prosecutors say.
"Chen willingly took part in the Chinese government’s long-term efforts to steal American intellectual property," U.S. Attorney David DeVillers says.
To carry out the scheme, Chen engaged in "substantial unauthorized and improper email traffic," court documents say.
"While working for Nationwide Children’s Hospital, Chen regularly sent emails to herself and to Zhou regarding … marketing material, NCH's proprietary exosome images, information and analysis related to proprietary exosome research conducted by NCH," the documents note.
Chen used the hospital's equipment to generate exosome images and analysis that she then sent via email to herself and to Zhou, according to prosecutors.
The Nationwide Children’s Hospital’s Research Institute, in comments to Information Security Media Group, notes that federal prosecutors in a July 2020 statement about the case cited that the entity "took reasonable measures to protect its cutting-edge intellectual property and trade secrets regarding exosomes."
"As the sole victim in this case, Nationwide Children’s appreciates the government’s efforts in prosecuting this case," the Nationwide Children’s Hospital’s Research Institute tells ISMG.
The sentencing of Chen on Monday came on the same day that the National Counterintelligence and Security Center issued a warning about China's ongoing efforts to collect DNA data sets and other sensitive health data of Americans through hacking and other methods (see: NCSC Warns of China’s Effort to Collect US DNA Data).
The report warns that China’s collection of data "poses … serious risks, not only to the privacy of Americans, but also to the economic and national security of the U.S."
In July 2020, when Chen pleaded guilty, Assistant Attorney General for National Security John Demers commented: "Far from being an isolated incident, we see the People's Republic of China implicated in around 60% of all trade secret theft cases."
"The dangers posed by insiders are demonstrated by Chen and Zhou," says technology attorney Philip Crowley of the law firm Crowley Law. "They stole valuable research that would have accelerated their ability, and the ability of other Chinese companies, to compete with the U.S. innovators without taking the time and expense required to develop the intellectual property involved."
Discovering insiders' theft of information can be particularly difficult, Crowley notes. "Systems can be programmed to alert management to unusual or large downloads of data. Using artificial intelligence tools to create such programs can make them more powerful," he says.
To help prevent insider thefts, organizations also can provide employees with terminals that have no capability to download data to ports for portable data media, he says. Or they can require all data manipulation to occur only on the system by providing employees with diskless terminals.
"It’s additional work and expense and can slow work - so there may be resistance by management to employing these measures," he says. "As for email, that too can be monitored on a systemic basis."
Timing of Thefts
Randy Trzeciak, director of the CERT Insider Threat Center at Carnegie Mellon University, says his organization’s research on IP theft by insiders shows "the vast majority steal the data ‘on their way out the door.'"
In approximately 80% of the incidents CERT analyzed since 2001, "the insider stole the data within 30 day of announcing they are leaving from the organization," he says.
"Many tend to exfiltrate the data via USB device, company or personal email, external cloud storage or an organization-provisioned device. Some stole physical copies of the intellectual property. “
In the effort to prevent or detect the theft of intellectual property by insiders, Trzeciak recommends organizations consider several key questions, including:
- Do you know who has access to your critical assets, and can you compare that to who should have access?
- Do you apply additional monitoring for employees, contractors, subcontractors or other trusted business partners on their way out the door?
- Can you look back 30 days from the time an employee announces they are leaving for anomalous data access, usage or transfer?
- Do you provide a defense-in-depth strategy to prevent exfiltrated data from being accessed?