Seasonal Worker Sentenced to 42 Months Imprisonment for Stealing Data from Healthcare.Gov Database

A seasonal employee at a Virginia-based tech company that supported the Centers for Medicare & Medicaid Services (CMS) by operating contact centers that provided assistance with Medicare enrollment and other services, has been sentenced to 42 months in jail for accessing patient records, stealing personally identifiable information (PII), and using the PII for financial gain.

While working at a call center in Bogalusa, LA, Colbi Trent Defiore, 27, of Carriere, MS, accessed the protected health information of more than 8,000 individuals stored in the HHS database without authorization, copied that information, and used it for criminal activity, including opening credit lines in individuals’ names.

Defiore had been employed by the company on three occasions in 2014, 2017, and 2018. He was discovered to have accessed records without authorization during his last employment period.  The company had taken steps to ensure personally identifiable information (PII) was protected and had provided training to all employees on how to handle that information securely.

In November 2018, Defiore conducted bulk searches of the database, which were not permitted, and copied that information to a virtual clipboard. The information was then pasted into his work email account and was sent to his email account at the company. The stolen data was then used to fraudulently apply for at least 6 credit cards and loans and to open lines of credit for personal financial gain.

The tech company identified the unauthorized access and reported the matter to law enforcement. The company was able to supply law enforcement with video and audio recordings of Defiore during a phone call with a customer on November 6, 2018. The recordings showed Defiore conducting a bulk search of the database using first and last names unrelated to the call he was on. A data loss prevention tool also identified suspicious activity related to PII data.

Defiore was discovered to have remotely accessed his work email account outside of work hours on multiple occasions to retrieve the data. Prosecutors explained that the company’s data center was located in Virginia, so when Defiore transferred the PII to his work email account, the information crossed state lines making this a federal crime.

According to court documents, Defiore’s employer had implemented security measures to prevent customer service representatives such as Defiore from remotely accessing work email accounts. A single sign-on, multi-factor authentication application had been implemented for remote access, which could be accessed from a computer or mobile application. A software token was required to verify a user and complete the remote login process.

Defiore set up the multifactor authentication on a mobile phone using a Virtual Private Network in October 2018 and obtained the software token that would permit him to remotely access his work email account on his personal mobile phone or computer. The investigation revealed an IP address associated with Defiore had been used to remotely access his work email account.

Defiore’s actions resulted in $587,000 in losses for his employer, which included breach notification costs and providing identity theft protection services to the individuals whose PII was stolen.

Defiore pleaded guilty to one count of intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain. In addition to the 42-month jail term, Defiore will have to undergo 3-years of supervised release and is required to pay a $100 special assessment fee. A hearing has been scheduled for January 12, 2021 to determine the amount of restitution Defiore must pay.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.