A Hospital Employee Stole The Identities Of Dying Patients To Steal Covid Benefits, Feds Claim


“We want old people?” Matthew Lombardo asked, texting from the Scripps Health hospital in San Diego where he worked as a patient financial service representative. Such reps typically meet with patients to discuss their health insurance options, and are cogs in the giant 13,000-employee Scripps non-profit machine, responsible for five hospitals along the west coast.

“No. I mean, someone 55 or younger who is on their way out… maybe a couple of days left or something,” Konrad Piekos, a suspected heroin and methamphetamine dealer, messaged back.

“OK. I’ll dig around and see what I can find. Should be a few of them anyway,” Lombardo responded.

These conversations, according to a search warrant obtained by Forbes, allegedly took place as part of a scheme in which the Justice Department claims that, in 2020, Lombardo grabbed personal information from patients who were dying – from a homeless person to a heart attack victim – pilfering their names, birthdays, social security numbers and addresses. This data would be passed on to Piekos, who would then forward it on to other accomplices, so they could steal patients’ identities and attempt to file fraudulent benefits claims, including Pandemic Unemployment Assistance (PUA), according to investigators. The DOJ didn’t say whether any successful claims were made by the accused using patients’ identities, though it noted they’d previously had success with filing under prisoners’ names.

The previously undisclosed data breach highlights how the dying make particularly good targets for such a fraud: bedridden and incapacitated, they’re unlikely to notice someone stealing their identity. Once they’re dead, there may still be time to pilfer their ID before government death databases are updated and anti-fraud alarms go off. Some gravediggers may also feel less moral culpability about pilfering from them rather than the living. “Dead people make great targets because the crime is seen as a victimless crime,” says Eliza-May Austin, a former VISA cybersecurity professional and cofounder of startup th4ts3cur1ty.company. “Which is not true, it’s not victimless because the families have to deal with this after the fact.”

Indeed, the government, in its search warrant application, noted that fraudsters are targeting dead and incarcerated people to steal pandemic-related benefits. “Persons committing PUA fraud will often seek out PII [personally identifying information] from black market databases that market stolen PII as well as seeking out PII from prisoners and deceased persons who are not eligible to claim PUA benefits,” wrote the Department of Labor employee in the criminal complaint. In general, identity theft for fraudulent benefits has skyrocketed in the pandemic. A recent FTC report found that of the identity theft reports it received in 2020, more than 394,000 came from people who said their information was misused to apply for a government benefit, representing a “staggering” jump of nearly 3000% from 2019. It was a problem that has “proliferated during the pandemic,” the FTC said.

As the conspiracy went on, Lombardo would relay what kinds of people made good targets for the fraud, the government claims. One was a homeless woman, who Lombardo said “might be a good one,” while another was a man who’d recently died from a heart attack, according to the warrant document. Yet another, a former General Dynamics employee, was a heart attack victim, who Lombardo said likely wouldn’t live, the warrant continued. On at least one occasion, Lombardo simply took a photo of the patients’ data from a hospital computer screen and sent it on to Piekos, the government said. Lombardo claimed to have taken pictures of “about 50” patient admission forms and sent 11 images of handwritten admission sheets from the maternity pre-admission division, according to the criminal complaint, though it’s unclear whether or not this was to target soon-to-be mothers. The DOJ declined to comment.

The investigation started in October 2020 after Piekos was pulled over by San Diego County Sheriff deputies because he was driving without a license plate, according to a criminal complaint unsealed this week. When police saw that an assault rifle was visible in the car, they carried out a search of the vehicle, finding $40,000 in cash inside, as well as other loaded firearms, including a Smith & Wesson 44 Magnum, the government alleged. Subsequent search warrants were served on Piekos’ properties, including one where another alleged co-conspirator, Ryan Genetti, and his girlfriend resided. Firearms, heroin and fentanyl were recovered, investigators said. Piekos’ and Genetti’s phones were also searched, revealing the messages to and from Lombardo on the former’s device. They also discovered evidence that Piekos and another alleged accomplice, Dobrilla “BeBe” Milosavljevic, had stolen the identities of prisoners who were ineligible for pandemic relief as part of the fraud, the government wrote. And, in the phone searches, officers said they’d found conversations concerning the illegal sale of firearms and drug trafficking across the Mexican border.

Police believe that Lombardo was recruited into the criminal scheme in August 2020. According to his LinkedIn page, Lombardo worked at the Scripps facility “part time to give back to the community,” his other gig being a self-employed medical marijuana grower. Scripps confirmed Lombardo had been let go earlier this year. “Mr. Lombardo was a patient services specialist employed by Scripps Health on an as-needed basis from May 13 2019 to April 14 2021. He was terminated on April 14 2021, for cause. Scripps takes its responsibility for protecting patient privacy very seriously and is cooperating with the government investigation,” a spokesperson said.

Lombardo was arrested and made his initial appearance in court on July 12. He has not yet been indicted and hasn’t made a plea, so remains innocent until proven guilty. His counsel hadn’t responded to a request for comment. Piekos was arrested in March on charges of firearm and drug possession with intent to deal narcotics, to which he has pleaded not guilty. He has not entered a plea for the further charges of identity theft. “Mr. Piekos has entered not guilty pleas and is waiting on further discovery by the U.S. Attorney’s Office,” his lawyer Vikram Monder told Forbes. Neither Genetti nor Milosavljevic has filed pleas for the fraud and identity theft allegations. Neither of their lawyers had responded to requests for comment. Genetti and his girlfriend were arrested earlier this year on separate allegations and have pleaded not guilty to being felons in possession of firearms.

The fraud was allegedly perpetrated right in the middle of the Covid-19 pandemic, not only at a time when American hospitals were full of the infirm, but as health care institutions were barraged by cyber attacks, in particular ransomware, in which hackers demand ransoms in return for not disclosing information and for releasing locked-up computers. Just last month, Scripps itself reported it was the victim of a ransomware attack, which led to a leak of personal data affecting as many as 147,000 people. This year has already seen attacks on health organizations affecting as many as 22 million people, says John Riggi, a former FBI and CIA agent, now senior advisor for cybersecurity at the American Hospital Association. That’s not far off the 26.7 million hit by cyberattacks on the health industry in the whole of 2020, according to Riggi’s analysis of publicly available data hosted by the Health and Human Services agency.

“Cybersecurity has become much more challenging in the face of Covid,” says Zach Furness, director of cybersecurity governance and risk management at the Children’s National Hospital. “Healthcare has traditionally lagged behind other industries in funding cybersecurity, making them an easy target for exploits, especially ransomware. Add to that, the fact that IT infrastructures are stressed due to greater emphasis on remote working and telehealth and you have a perfect storm.”


