Healthcare Hacker Sentenced to 10 Years in Jail
A hacker who targeted multiple U.S. healthcare organizations, breached their networks, stole sensitive data, and attempted to extort them, has been sentenced to a decade in jail. Robert Purbeck, 45, an IT specialist who worked for Ada County in Idaho, hacked at least 19 organizations between 2017 and 2018 and stole the personal data of more than 132,000 individuals. Purbeck, who used the monikers Lifelock and Studmaster, accessed victims’ networks using stolen credentials purchased on darknet marketplaces such as AlphaBay. Sensitive data was identified and exfiltrated and he demanded ransom payments to prevent the publication of the stolen data.
One of the first U.S. victims was Family Medical Center in Griffin, Georgia. The credentials purchased by Purbeck allowed him to access the medical clinic’s network in June 2017 and exfiltrate the protected health information of more than 43,000 individuals, including names, addresses, dates of birth, and Social Security numbers. In February 2018, using darknet-purchased credentials, Purbeck accessed a server of the Police Department in Newnan, Georgia, and exfiltrated police reports containing the sensitive information of around 14,000 individuals.
In July 2018, Purbeck used purchased credentials to access the network of a Florida orthodontist and stole the data of around 1,800 patients. Purbeck demanded payment of a ransom from Simon Orthodontics to prevent the publication of the stolen data, which included the protected health information of the orthodontist’s child. After issuing the ransom demand, Purbeck harassed the orthodontist and the practice’s patients via emails and text messages to pressure the practice into paying the ransom. Other healthcare victims included Holland Eye Care in Michigan and Andrea Yaley, DDS in California.
Purbeck was identified as a suspect in an investigation by the Federal Bureau of Investigation (FBI) Atlanta Field Office and on August 21, 2029, a search of his Meridian, Idaho property found multiple computers and other electronic devices, the analysis of which identified the data of 132,000 individuals that had been stolen from 19 victims in the United States. Purbeck was charged in an 11-count indictment, and while he initially fought the charges, Purbeck entered a plea deal in March 2024, pleading guilty to two counts of intentionally accessing and obtaining information from a protected computer. Last month, Purbeck was sentenced to 10 years in jail followed by 3 years of supervised release and was ordered to pay $1,048,700 million in restitution to his victims. Purbeck is currently appealing the guilty plea and sentence, according to databreaches.net.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
