Fraud Management & Cybercrime , Fraud Risk Management

Inside Job: Grabbing Patient Records for Fraud

A former seasonal worker at a tech contractor supporting Medicare open enrollment has been sentenced to serve 42 months in prison after pleading guilty to a charge in connection with improperly accessing patient records, some of which were used to open fraudulent credit lines.

See Also: Small Business. Large security risks.

Court papers describe how the insider was able to access and copy thousands of individuals’ personal information.

In a statement, the Department of Justice said Colbi Trent Defiore, a Mississippi resident, was sentenced in a Louisiana federal court for accessing and obtaining without authorization the personal identifying information of 8,000 individuals through “bulk searches” he conducted of the Department of Health and Human Services’ Healthcare.gov database.

The court will soon determine the amount of restitution Defiore will be ordered to pay, the Justice Department says.

Seasonal Help

Prosecutors say Defiore was a seasonal employee at an unidentified Virginia-based technology firm – described in court papers only as “Company A” - that supported HHS’ Centers for Medicare and Medicaid Services with call center services during Medicare open enrollment. Defiore was a customer service representative at the company’s call center in Bogalusa, Louisiana.

General Dynamics Information Technology confirmed to Information Security Media Group that a breach notification statement the company issued in December 2018 was related to the incident involving Defiore.

The company says it sold operations of the Bogalusa contact center in November 2018 as part of the sale of the company’s public-facing contact-center business to Maximus Corp.

In a statement provided to ISMG, the company says: “In November 2018, GDIT learned that a now former employee, while working as a customer service representative at a contact center in Bogalusa, Louisiana, had accessed a limited number of consumer records held in a computer system without authorization. Upon discovering this activity, we promptly alerted law enforcement and notified all of the identified individuals whose records were potentially accessed without authorization, offering them complimentary identity theft protection services for 24 months from AllClear ID.”

‘Bulk Searches’

Court papers indicate that Defiore was hired by the tech company three times - in 2014, 2017 and 2018. The criminal case involved his last stint, between September and November 2018.

Defiore’s employer “took a series of security measures to protect consumers’ PII and supervise its employees, including requiring all employees to undergo training on how to handle consumers’ PII appropriately,” prosecutors say.

On numerous occasions in November 2018, Defiore accessed and obtained without authorization the PII of individuals “for the purpose of his private financial gain and in furtherance of criminal acts, including wire fraud,” prosecutors say.

“Defiore conducted ‘bulk searches’ of the database, which he was prohibited from doing, and was able to view the personal information of Healthcare.gov customers,” according to the Justice Department.

“Defiore copied the results of his searches onto a virtual clipboard and sent them to himself via email. After work hours, Defiore accessed [his employer’s] network remotely without authorization to retrieve his work email.”

Defiore then used the information on at least five consumers to apply fraudulently for at least six credit cards, loans and lines of credit for his personal benefit, prosecutors say.

Defiore’s conduct caused about $587,000 in expenses to the call center company, including costs associated with providing