Earlier today, Robert A. Purbeck of Idaho, aka “Lifelock” and “Studmaster,” pleaded guilty in an Atlanta federal courtroom to two counts of an 11-count indictment filed against him in 2021. The two counts charged violation of Title 18, United States Code/ Sections 1030(a)(2)(C)/ 1030(c)(2)(B)(i) and 1030(c)(2)(B)(iii) and Section 2, more commonly known as the Computer Fraud and Abuse Act (CFAA).
DataBreaches summarized some background on Purbeck’s case earlier this month and has reported on him since 2017 when he first contacted this site about two of his hacks and extortion attempts involving entities in the medical sector. The indictment in the Northern District of Georgia was not for those two attacks, however, but it was his voluntary disclosures about those attacks and this site’s reporting on him that caught law enforcement’s attention. In 2019, they obtained and executed a search warrant at his home, and in 2021, he was indicted for three other attacks: the Family Medical Center in Georgia, Newnan City in Georgia, and what had previously been described as an orthodontist in Wellington, Florida.
What Can He Be Sentenced To?
In pleading guilty to Counts 1 and 2 of the indictment, Purbeck faces the following sentencing guidelines for each of the two counts:
- Maximum term of imprisonment: 5 years.
- Mandatory minimum term of imprisonment: None.
- Term of supervised release: 0 to 3 years
- Maximum fine: $250,000.00, due and payable immediately.
- Full restitution, due and payable immediately, to all victims of the offense(s) and relevant conduct.
- Mandatory special assessment: $100.00, due and payable immediately.
- Forfeiture of any personal property that was used or intended to be used to commit or to facilitate the commission of the offense; and any property, real or personal, constituting or derived from, any proceeds obtained, directly or indirectly, as a result of the offense.
Both the prosecution and the defense will provide their recommendations on enhancing or reducing the sentence. It will be up to the judge to make the final determination on sentencing, but the prosecution has agreed to recommend that Purbeck be sentenced to no more than 70 months in prison to be followed by a term of supervised release.
Restitution
Purbeck has agreed to pay $1,048,702.98 in restitution to victims. As the plea agreement reveals, the review of devices seized from his home uncovered personally identifiable information for at least 132,725 individuals, “obtained through numerous data breaches, including Family Medical Center and the City of Newnan, as well as at least 17 other victims throughout the United States.”
Three of those 17 other victims were the incidents Purbeck had told DataBreaches about: Andrea Yaley, DDS, and Holland Eye Surgery & Laser Center in Michigan, and the Mayor of Holland, Nancy DeBoer.
The amount of restitution to be paid to each victim will be determined at or before sentencing, but Purbeck has agreed to pay restitution to the following victims:
- Andrea Yaley, DDS — $92,095.00
- City of Newnan — $113,935.00
- Nancy DeBoer — $400.00
- Family Medical Center — $138,500.00
- Golden Heart Administrative Professionals — $142,568.85
- Holland Eye Care — $130,174.00
- Simon Orthodontics — $285,980.13
- Ursa Farmers Co-Op — $ 145,050.00Total: $ 1,048,702.98
Ironically, it seems Holland Eye Surgery & Laser Center will receive restitution for its expenses, but has yet to experience any significant consequences for its willful failure to notify HHS and patients of the breach in 2016 when it occurred and when they first discovered it. DataBreaches is still waiting for HHS OCR to respond to a request for an update on the watchdog complaint filed about the entity’s non-disclosure of a reportable breach.
Other Provisions
Because Purbeck has sued a number of law enforcement and government employees alleging civil rights violations and other violations, DataBreaches took particular note of a FOIA/Privacy Act Waiver included in the agreement:
The Defendant hereby waives all rights, whether asserted directly or by a representative, to request or receive from any department or agency of the United States any records pertaining to the investigation or prosecution of this case, including, without limitation, any records that may be sought under the Freedom of Information Act, Title 5, United States Code, Section 552, or the Privacy Act of 1974, Title 5, United States Code, Section 552a.
In another provision, Purbeck also agreed “to hold the United States of America, its agents and employees, harmless from any claims whatsoever in connection with the seizure, abandonment, disposition, and destruction of the listed property.”
It is not clear to DataBreaches whether this means that his lawsuit in Idaho (Purbeck v. Wilkinson et al.) will be dropped. DataBreaches has contacted defense counsel for the FBI agents named as defendants to inquire what these provisions might mean for that case, and will update this post if he replies.
Purbeck’s sentencing is scheduled for June 18, 2024 at 10:30 AM in Newnan Division of U.S. District Court for the Northern District of Georgia.