From the SDNY, a press release involving an unnamed hospital in NYC. I’ll tell you more about this one after the press release:
Audrey Strauss, the Acting United States Attorney for the Southern District of New York, announced that RICHARD LIRIANO was sentenced yesterday to 30 months in prison for engaging in a scheme to use malicious software programs, including a program known as a “keylogger,” on dozens of his coworkers’ computers at a New York City-area hospital, secretly obtaining user names and passwords to his victims’ personal email and other accounts, and using that unauthorized access to steal private and confidential files. Using his victims’ stolen credentials, LIRIANO repeatedly compromised their password-protected online accounts, and accessed their sensitive personal photographs, videos, and other private documents. LIRIANO’s sentence was imposed by United States District Judge Lewis A. Kaplan.
Acting U.S. Attorney Audrey Strauss said: “For approximately five years, Richard Liriano used his computer skills and abused the trust placed in him as an information technology professional at a New York hospital to spy on his coworkers and steal personal information from them. Liriano’s disturbing crimes not only grossly violated the privacy of his coworkers but jeopardized the integrity of computers housing vital healthcare and patient information, costing his former employer hundreds of thousands of dollars to remediate. He will now be held accountable.”
According to the allegations in the Information to which LIRIANO pled guilty, a prior Indictment filed against LIRIANO, as well as statements made during the sentencing and other proceedings in the case:
From at least in or about 2013, up to and including at least in or about 2018, LIRIANO misused administrative access provided to him as an information technology employee at a New York City-area hospital (“Hospital-1”), to log in to employee accounts, and copy other employees’ personal documents, including tax records and personal photographs, onto his own workspace computer for his own personal use.
To further his efforts to steal personal information from Hospital-1’s employees, LIRIANO used various malicious programs that he installed on Hospital-1’s computer systems without authorization, to steal the user names and passwords of his primarily female co-workers. One of these programs is known as a keylogger, which surreptitiously recorded and sent victim employees’ keystrokes to LIRIANO, such as the usernames and passwords those employees entered to access their personal web-based email accounts. Through the course of this conduct, LIRIANO stole usernames and passwords for at least approximately 70 email accounts belonging to Hospital-1 employees or persons associated with those employees (the “Compromised Accounts”).
LIRIANO then used those stolen usernames and passwords to log into the Compromised Accounts and obtain unauthorized access to other password-protected email, social media, photographs, and online accounts to which the Compromised Accounts were registered. Among other things, LIRIANO conducted searches for sexually explicit photographs and videos in the Compromised Accounts.
LIRIANO’s computer intrusions into Hospital-1’s computer networks caused over $350,000 in losses to Hospital-1, which include the expenses that Hospital-1 incurred to remediate the damage that LIRIANO caused to its computer networks.
* * *
In addition to the prison term, LIRIANO, 34, of the Bronx, New York, was sentenced to three years of supervised release. LIRIANO was also ordered to pay restitution of $351,850.25.
Ms. Strauss praised the investigative work of the Federal Bureau of Investigation and thanked the New York City Police Department for its assistance.
This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorney Vladislav Vainberg is in charge of the prosecution.
Source: U.S. Attorney’s Office, Southern District of New York
So what’s not in their press release that you may want to know is that this was the Hospital for Special Surgery, and I can find nothing on this site where I ever knew of this incident before. Nor would we have seen this on HHS’s breach tool because it involved employee data only, not patient data.
According to court filings seen by DataBreaches.net and as noted in the press release, Liriano made a voluntary confession to HSS and the FBI. He claimed that he accessed the employees’ files to obtain nude photos and sexual videos that were not used for extortion and were not posted anywhere but were used “to do what people do when they view nude images.”