Health system IT specialist pleads guilty to stealing colleagues' personal info
An IT specialist at a health system in upstate New York pleaded guilty this week to stealing personal information from colleagues' computers.
Ameer Elashmawy, 28, pleaded guilty on Monday to fraud and related activity in connection with computers. According to an October press release from the U.S. Attorney's Office, Elashmawy's employer, Trillium Health, spent more than $100,000 to safeguard and protect its affected employees.
WHY IT MATTERS
Trillium Health is a two-facility system that offers primary and specialty care services in Rochester, New York.
As outlined by the USAO, Elashmawy was responsible for the company's information system security design and oversight. He also assisted employees with various IT needs.
"The defendant had administrative rights and could log onto other employee work accounts, however, he was not allowed to access personal accounts of employees or former employees," noted the October press release.
"Between April 2019 and January 2020, the defendant used his administrative access rights to search employees’ email and social media accounts without their knowledge or permission," said federal officials.
After a different employee noticed unusual activity on the Trillium Health network in January 2020, an investigation found personal explicit photos and videos of at least 14 victims, as well as numerous photos of their driver's licenses, credit cards, Social Security cards and other personal data.
According to the Democrat and Chronicle, Trillium spent $232,000 to hire a cybersecurity firm to investigate how far Elashmawy had intruded into the network. (It's not clear whether that includes the $100,000 outlined in the October USAO press release.)
The charges carry a maximum penalty of five years in prison and a $250,000 fine.
THE LARGER TREND
Although federal officials did not report that Elashmawy inappropriately accessed patient information, snooping has led to a number of high-profile patient data breaches in recent years.
In February, a New York health system said an employee viewed clinical information, including test results and diagnoses, via electronic health records.
Last year, a cybersecurity firm noted that the COVID-19 pandemic could lead to an increase in improper EHR access by healthcare workers.
ON THE RECORD
"The defendant, without authorization and for his own personal benefit, copied the personal photos and [personal identifiable information] from such employees’ personal electronic devices," said federal officials, as reported by Rochester First.