Cyber threats are well known and companies are often concerned about external threats to their IT systems – and considering the data on breaches, such concern is warranted.  However, companies should not overlook insider threats – like the one highlighted in a recent announcement by the U.S. Department of Justice (DOJ).  On May 25, 2022, the DOJ announced charges against Aaron Lockner for allegedly causing damage to a protected computer that he previously had authorization to access and service.

According to the DOJ, Mr.  Lockner was employed by an IT company that provided information security and technology services for a health care company that operated several clinics.  As part of his employment with the IT company, Mr. Lockner serviced the health care company.  In February 2018, Mr. Lockner sought employment with the health care company he serviced, but his application was denied.  A month later, the IT company terminated Mr. Lockner’s employment.  The reason for Mr. Lockner’s termination was not stated in the indictment. 

Around April 16, 2018, approximately one month after his termination and two months after his application denial, Mr. Lockner allegedly remotely accessed the health care company’s network without authorization.  The government alleges that Mr. Lockner “knowingly caused the transmission of a program information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, belonging to Company A, which caused loss…”  The alleged impact included modification or potential modification of medical examination, diagnosis, and treatment of at least one patient, according to the indictment.  The alleged acts resulted in the federal government charging Mr. Lockner with one count of intentionally causing damage to a protected computer.  The indictment is not evidence of guilt, and the contents of the indictment are only allegations.  However, if found guilty, Mr. Lockner faces up to ten years in federal prison, subject to several factors including federal limitations and the U.S. Sentencing Guidelines. 

In March 2022, Chilivis Grubman attorneys discussed OCR Director Lisa Pino’s blog post titled “Improving the Cybersecurity Posture of Healthcare in 2022,” and cautioned covered entities and business associates to heed Director Pino’s warnings and take meaningful steps to reduce the likelihood of a cyber event occurring and the impact of such an event.  Meaningful steps include consideration of insider threats.  Companies often have IT exclusion, termination of access rights, or “lockout” policies and procedures for when an employee’s employment ends.  These procedures should occur timely.  Companies should also consider backing up or imaging the former employee’s data (when appropriate) to ensure no critical information is lost with implementing lockout procedures.  

Mr. Lockner’s indictment, however, highlights insider third-party threats. Companies should review their contracts with third parties and ensure the contractor’s policies, at a minimum, follow the company’s policies.  This is especially true when dealing with terminated employees.  In Mr. Lockner’s case, he allegedly had access to the health care company’s system a month after the IT company terminated his employment.  

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with Data/Cyber Security and HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation.  If you need assistance with such a matter, please contact us today.