The former systems administrator of a Pennsylvania health care facility was charged with criminal hacking Monday after prosecutors said he wreaked havoc using administrative credentials that went unchanged more than two years after he resigned.
An attorney for Brandon Coughlin, 29, pleaded not guilty on his behalf in Pittsburgh federal court Monday after the Justice Department unsealed a criminal indictment charging him with one count each of felony hacking and wire fraud.
Mr. Coughlin, the former computer technician of an unnamed health care facility, is accused of purging records from his old job’s databases and purchasing nearly $5,000 worth of iPads on the company’s dime after he was asked to resign from the gig in February 2013 following three weeks of employment.
Documents unsealed in federal court this week indicate Mr. Coughlin was hired Jan. 16, 2013, to work as the “in-house systems administrator” of the health care entity’s computer system, but resigned Feb. 4 upon the company’s request.
The administrative credentials necessary to gain access, modify settings and control the entirety of the health care entity’s computer system and its web-based email server were not immediately changed following Mr. Coughlin’s resignation, U.S. Attorney Soo C. Song wrote in the indictment. Indeed, prosecutors allege Mr. Coughlin maintained privileged access over the entity’s email system more than two years after his resignation, and illegally operated in its shadows well after his employment ended.
Mr. Coughlin’s alleged cybercrime streak started two days after his resignation, according to prosecutors. Investigators believe he created a new administrative account on Feb. 6 that gave him full, unauthorized control of the entity’s computer system, then used that authority to lock out legitimate users while he began deleting business data and patient health information, including medical records.
The activity caused at least $5,000 in damages and may have interfered with the examination, diagnosis, treatment and care of individuals whose information was in the custody of the entity, according to prosecutors.
Additionally, authorities say Mr. Coughlin maintained access to the administrative portal of the health company’s email server for two years past the end of his employment, allowing him to access and read internal and external correspondence. Furthermore, prosecutors allege he implemented system-wide rules on the company email system that allowed him to purchase six Apple iPads using his former employer’s account with Staples, the office retailer, without being detected, according to the indictment.
Administrative credentials for the health care facility’s email platform were not changed until mid-2015, according to the indictment, in utter defiance of widely accepted security practices and common sense.
“If you don’t have a solid IT-disconnect policy for employee termination then you will eventually need a VERY strong [incident response] team & process,” tweeted Andrew Case, the research director at Volexity, a security firm in Washington, D.C.
Mr. Coughlin faces up to 30 years in prison and a $500,000 fine if convicted, the Justice Department said in a statement. He was arrested March 8, prior to the indictment unsealing, and was free on bond as of this week, according to court documents.
An attorney listed for Mr. Coughlin declined to comment.