Seasonal Worker Sentenced to 42-Months Imprisonment for Theft of Data from Healthcare.Gov Database

A seasonal worker at a tech firm based in Virginia was sentenced to 42 months in prison for accessing patient files, stealing personally identifiable information (PII), and employed the PII for financial gain. The tech company provides support to the Centers for Medicare & Medicaid Services (CMS) by managing contact centers that offered assistance with Medicare enrollment and other services.

While Colbi Trent Defiore, age 27, of Carriere, MS worked at a call center located in Bogalusa, LA, he accessed the protected health information (PHI) of about 8,000 people saved in the HHS healthcare.gov database without valid work reason, stole the information, and utilized it for criminal activity, such as opening credit lines in the names of other individuals.

Defiore was employed by the organization three times in 2014, 2017, and 2018. He was discovered to have viewed data without authorization the last time he was employed at the company. The firm already took steps to ensure personally identifiable information (PII) was secured and had trained all workers on how to handle that data securely.

In November 2018, Defiore carried out bulk lookups of the database, which were not allowed, and duplicated that information to a virtual clipboard. The data was then copied into his work email account and was routed to his email account. The stolen information was then used to fraudulently sign up for no less than 6 credit cards and loan products and to get lines of credit for personal monetary gain.

The tech organization identified the unauthorized access and reported the incident to the authorities. The firm supplied law enforcement with video and audio recordings of Defiore while having a phone call with a customer on November 6, 2018. The recordings revealed Defiore performing a bulk lookup of the database utilizing first and last names not related to the call he was on. A data loss prevention application additionally identified suspicious activity connected to PII data.

It was found that Defiore has remotely used his company email account outside of his work period on several occasions to get the data. Prosecutors discussed that the data center of the company was based in Virginia, therefore when Defiore transmitted the PII to his work email account, the data crossed state lines and that makes this a federal crime.

Based on court records, Defiore’s employer had enforced security measures to stop customer service staff like Defiore from remotely accessing work email accounts. A single sign-on, multi-factor authentication program was implemented for remote access, which may be accessed from a computer or mobile app. A software token was needed to confirm a user to complete the remote login process.

Defiore utilized the multifactor authentication on a mobile phone by means of a Virtual Private Network in October 2018 and acquired the software token that would enable him to remotely gain his work email account on his personal cellular phone or PC. The investigation uncovered an IP address linked to Defiore was employed to remotely access his company email account.

Because of Defiore’s actions, his employer suffered $587,000 in losses that included breach notification expenses and providing identity theft protection services to the persons whose PII was exposed.

Defiore pleaded guilty to one count of deliberately accessing a protected computer with no permission for the intent of commercial advantage and private financial profit. Besides the 42-month in jail, Defiore must go through 3-years of monitored release and needs to pay a $100 special assessment cost. A hearing was slated for January 12, 2021 to decide the sum of restitution Defiore should pay.