Former employee fined nearly $15,000 for hacking patient files in the cloud

A former employee of the Transformations Autism Treatment Center (TACT) in Bartlett, Tennessee, was sentenced to a 30-month imprisonment with a three year supervised release on March 2 for hacking 300 patient files, states a press release from the Department of Justice. The employee will also be facing a monetary fine of $14,941.36 in restitution, as decided by U.S. District Judge John T. Fowlkes, Jr.

Jeffrey R. Luke was terminated from his position as a behavioral analyst at TACT in February 2017 for misuse of the IT system. Upon Luke’s resignation, the organization changed the email address authorization to access its data. However, TACT kept its patient records on a Google Drive account which was accessible through a shared Google Drive email address. The following month, an IT specialist at the center discovered that the email address was comprised.

The FBI and Bartlett Police Department investigated the case, and the hack was traced using the IP address. The stolen information included patient records, forms, and templates, which were being stored on Luke’s hard drive. The case serves as a reminder that snooping in patient records and stealing data can carry serious consequences.