Vendor's Ex-Employee Allegedly Shut Down Medicaid SystemCriminal Case Claims Defendant Shuttered Oregon's System for Hours
A federal criminal case alleges that a former Hewlett-Packard Enterprise Corp. employee shut down Oregon's Medicaid information systems for several hours after the vendor laid him off.
Some security experts caution organizations to take steps to minimize risks from workers who are laid off or fired.
"When an employee is suddenly fired, a few minutes of unfettered access to information systems can lead to a lot of damage," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
In indictment papers filed in U.S. district court, prosecutors allege that Hossein Heydari - a resident of Maryland and former employee of HPE who was assigned to work on the Medicaid management information systems for Oregon and three other states - intentionally caused damage to Oregon's MMIS after he was laid off from his job as part of a workforce reduction.
Prosecutors allege that as part of his job duties - which are not specified in the indictment - Heydari had access to the servers that hold MMIS data. Court documents do not name the three other states where Heydari was working on Medicaid systems.
The indictment alleges that on or about Oct. 14, 2016, HPE informed Heydari that, as part of a workforce reduction, his last day of employment would be Oct. 28, 2016.
About three days after his last day of employment, the defendant "intentionally altered part of the MMIS, causing it to fail and resulting in an eight-hour loss of functionality for Oregon's MMIS system and its users," prosecutors allege.
The indictment charges that Heydari "knowingly caused the transmission of a program, information, code and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers." Prosecutors allege the conduct caused:
- More than $5,000 in expenses for the Oregon Health Authority - which operates the state's Medicaid program - and HPE;
- The impairment of the medical examination, diagnosis, treatment or care of individuals; and
- A threat to public health.
Not Guilty Plea
Heydari on Sept. 28 pleaded not guilty to one count of "fraud and related activity in connection with computers," according to court documents, which also indicate that Heydari is indigent and represented by a public defender.
The defendant surrendered in late August after a warrant was issued for his arrest. On Thursday, he was released with several conditions, including the surrender of his passport, cooperating with collection of a DNA sample, and participating in mental health evaluation and counseling if directed by court pre-trial services, prosecutors say.
A jury trial is slated to start in the Oregon federal court on Nov. 28.
In a statement, the Oregon Health Authority tells Information Security Media Group: "In the year since this happened, we have worked closely with our vendor to ensure we have the appropriate processes and protocols in place for vendor staff who have the highest levels of security."
Neither the public defender representing Heydari nor the federal prosecutor in the case against Heydari immediately responded to ISMG's requests for comment on the case.
An HPE spokeswoman declined to comment, saying the case related to part of the business that was spun off and became DXC Technology.
DXC Technology did not immediately respond to ISMG's inquiry. In a DXC Technology press release issued in April, however, it notes that it officially launched as a business in April 2017 as the result of a merger between HPE and Computer Sciences Corp. So, it appears that the alleged incident involving Heydari occurred before the HPE spin-off.
Greene, the attorney, says the IT and human resources departments of organizations should work closely together to address the risk to information systems posed by the firing or laying off of workers.
"While most employees who are terminated would never act to harm the organization, and all employees should be treated with respect and compassion, organizations should at least consider the increased risks posed during layoffs and other terminations," he says.
Consultant Rebecca Herold says too many organizations "have very lax, or completely missing, offboarding security policies and practices. Too many miss disconnecting all remote access to IT that executives and other workers have. ... It is a huge human-failure-made security risk.
"From the details shared, this situation could have been completely prevented," says Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
The Oregon Medicaid case spotlights the importance of quickly taking action when employees - especially those with privileged access - leave their jobs, says Susan Lucci, a senior consultant and chief privacy officer at security consulting firm Just Associates.
"When any IT worker in authority to access information like this is terminated, access should be terminated with simultaneous changes made immediately to lock them out of all points of access," she says. "This is particularly crucial due to their permissions level to create, modify and delete access points."
The three-day lag between Heydari's last day of employment and the date that the alleged incident took place is a reminder why organizations need to shut off access to data and systems promptly following the departure or notice of termination of an employee, Lucci stresses. "Best case, it happens at the exact time the employee is being terminated," she says.
It's relatively unusual for insider cases like the Oregon Medicaid case to be prosecuted, Lucci adds. "Too many cases of hacking interference go unresolved because tracing these activities is extremely difficult, and therefore the culprits are not brought to justice," she says.
The incident should prompt the state of Oregon to more rigorously vet their business associates, Lucci stresses.
Other Steps to Take
Herold suggests that organizations take a number of critical steps to reduce the risk posed by terminated employees, including:
- Remove the worker's access to administrative accounts and disable their access to sensitive systems and applications, personal information files and other types of critical business assets;
- Review all user accounts to validate each is valid;
- Turn on logging for all accounts the worker used to ensure someone did not re-enable them after they were been disabled;
- Collect from departing employees any physical security access tokens, keys, or other entry devices;
- Advise management, and in appropriate instances the terminated worker's team members, that they should discontinue providing any business-related information or access to the former employee.
Herold adds these caveats regarding employees who work remotely or from home.
"I recommend you include a right to audit that remote office to determine the information and devices they have that belong to the organization, and to immediately collect them upon making the decision to terminate the worker," she says.
If this is not possible, Herold suggests requiring the installation of remote data wiping tools and then using them upon employee termination.