Former employee visits cloud and steals company data

Shared credentials may have facilitated a former medical center employee's access to the HIPAA data stored in the cloud after his termination.


Employees aren’t always going to be employees, so you must have a mechanism in place for what happens when someone is no longer a member of the company team. The circumstances of a person's departure may affect how you act, but the result needs to be the same: full and complete termination of access to company information. Any employee who departs is no longer a trusted insider.

This is called off-boarding, and without a comprehensive off-boarding process, you risk being exploited by a malevolent former employee. Former employees whose access is not terminated can attempt to access data from which they should now be excluded.

This is precisely what occurred to the Transformations Autism Treatment Center (TACT), in Bartlett, Tenn. One of its employees, a behavioral analyst, Jeffrey Luke, was terminated. TACT did what many companies do: It terminated his access to sensitive data and changed the password on the shared email address authorized to access its data. In this case, TACT kept its patient records in the cloud, specifically in Google Drive. The steps it took were consistent with what one would expect from an entity that falls under the Health Insurance Portability and Accountability Act (HIPAA).

All looked good until the following month, when the TACT noticed that information on 300 current and past clients of TACT had been accessed. The executive director of the TACT, speaking to the Commercial Appeal, explained how TACT noticed files had been moved, and immediately called the police, who brought in the FBI.

The IP address that was used in the compromise of the email address was traced to Luke’s residence, according to the Department of Justice. The subsequent search of Luke’s residence found that he had on his computer patient records, forms and templates, as well as records from a former employer, Behavioral and Counseling Services (BCS) in Somerville, Tenn. The BCS data also contained patient data. 

Luke went on to plead guilty to the crime and was sentenced this month to 30 months' imprisonment and three years' supervised release, and he was ordered to pay approximately $15,000 in restitution.

Luke, though he entered a guilty plea, appealed his sentence on March 14, to the U.S. Court of Appeals for the Sixth Circuit.

Lessons aplenty

Clearly the use of a shared email address left TACT vulnerable to exactly what transpired. It took a visible act within Google Drive, the moving of files, to give TACT a hint that its data was being accessed in an unauthorized manner.

The audit trail within Google is good, but it cannot tell you who accessed the data when a single account has access and several people use that account: every entry is attributed to the account, not to a person. Shared credentials are the first information-security sin.

The anomaly that enabled TACT to home in on Luke was that, shortly after his departure, he had accessed the Google Drive and shared the data with his personal Gmail account. With this act, an unambiguous audit trail existed: the sharing authorization came from the compromised account, and it occurred post-termination. How Luke gained access to the account if the password had been changed was not fully explained in court documents, and media called it a "hack."

Luke’s departure was for cause — misuse of the IT system — which should have been a red flag that additional attention to detail would be required before and after Luke’s final hours with TACT. No timeline is provided showing when the shared account's password was changed or how the new password was distributed to staff. Either could have afforded Luke an opportunity to learn the new password through a slip of the lip or a botched process.

Insiders are in the most trusted positions and therefore have the access to that which is being protected from external threats.

In this case, individual accounts, each requiring its own login to reach the HIPAA data stored in Google Drive, would have been more appropriate than a shared email account. Terminating Luke's access would then have meant removing one specific account's permissions within the Google environment, leaving an audit trail attributable to him that could be reviewed.
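The two detections that would have surfaced this case earlier, activity by an off-boarded account after its termination time and a Drive share granted to an address outside the organization, are straightforward once every person has an individual account. The script below is an added example, not code from the article or from Google; it runs over a handful of constructed audit records whose field names (actor, event, target_user) are a simplified assumption loosely modelled on the shape of Google Workspace Drive audit events, not the real API schema. The account names and domains are likewise invented.

```python
"""Off-boarding audit over Drive-style audit events (added example).

Flags three things the article's case would have produced:
  1. any activity by an account after its recorded termination time,
  2. any permission grant to an address outside trusted domains,
  3. any activity performed by an actor outside trusted domains.
All of these only work when each person has an individual account;
a shared mailbox collapses every actor into one indistinguishable name.
"""
import json
from datetime import datetime, timezone

# Constructed sample log (newline-delimited JSON). Field names are an assumed,
# simplified version of Drive audit records, not Google's real schema.
SAMPLE_LOG = """
{"time": "2017-02-27T15:02:10Z", "actor": "analyst@example-clinic.org", "event": "view", "doc_title": "intake-template.docx"}
{"time": "2017-03-03T22:41:07Z", "actor": "analyst@example-clinic.org", "event": "change_user_access", "doc_title": "Client Records", "target_user": "analyst.personal@gmail.com", "new_value": "can_edit"}
{"time": "2017-03-03T22:45:31Z", "actor": "analyst.personal@gmail.com", "event": "move", "doc_title": "Client Records"}
{"time": "2017-03-04T09:12:00Z", "actor": "director@example-clinic.org", "event": "change_user_access", "doc_title": "Staff Schedule", "target_user": "billing@example-clinic.org", "new_value": "can_view"}
"""

# Off-boarding register: account -> moment its access was supposed to end (assumed data).
TERMINATED = {
    "analyst@example-clinic.org": datetime(2017, 2, 28, 17, 0, tzinfo=timezone.utc),
}
# Domains whose accounts are considered part of the organization (assumed).
TRUSTED_DOMAINS = {"example-clinic.org"}


def parse_events(raw):
    """Parse NDJSON audit lines; timestamps become timezone-aware datetimes."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return events


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def post_termination_activity(events, terminated):
    """Events whose actor is off-boarded and whose time is after that cut-off."""
    return [e for e in events
            if e["actor"] in terminated and e["time"] > terminated[e["actor"]]]


def external_shares(events, trusted_domains):
    """Permission changes that grant access to an address outside the org."""
    return [e for e in events
            if e["event"] == "change_user_access"
            and domain_of(e["target_user"]) not in trusted_domains]


def external_actor_activity(events, trusted_domains):
    """Any event performed by an account outside the org, e.g. a personal Gmail."""
    return [e for e in events if domain_of(e["actor"]) not in trusted_domains]


def audit(raw_log, terminated, trusted_domains):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_events(raw_log)
    return {
        "post_termination": post_termination_activity(events, terminated),
        "external_shares": external_shares(events, trusted_domains),
        "external_actors": external_actor_activity(events, trusted_domains),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG, TERMINATED, TRUSTED_DOMAINS)
    for check, hits in findings.items():
        for e in hits:
            print(f"[{check}] {e['time'].isoformat()} {e['actor']} "
                  f"{e['event']} on '{e['doc_title']}'")
```

On the sample data the first check fires on the share granted from the off-boarded account three days after its cut-off, the second on the grant to the personal Gmail address, and the third on the file move performed from that address. Had the organization used one shared account, the actor column would have read the same for every legitimate staff member and for the intruder, and the first check could not exist at all.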

Copyright © 2018 IDG Communications, Inc.
