ISMG Editors: The Plot to Leak US Health Records to RussiaAlso: Sentencing of the Capital One Hacker and the Exit of Lacework’s Co-CEO Anna Delaney (annamadeline) • October 7, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the indictment of a Maryland couple accused of giving military medical records to Russia, the probationary sentence handed down in the massive Capital One hack, and why the co-CEO of cloud security vendor Lacework called it quits.
The panelists - Anna Delaney, director, productions; Marianne Kolbasuk McGee, executive editor, HealthInfoSecurity; Michael Novinson, managing editor, Business; and David Perera, editorial director, news - discuss:
- How a Maryland anesthesiologist and her U.S. Army physician spouse face federal indictment for an alleged conspiracy to provide the Russian government with military medical records;
- How convicted Capital One hacker Paige Thompson this week received a sentence of time served and five years of probation following her June conviction in U.S. federal courts for five felonies and two misdemeanors;
- Why David "Hat" Hatfield has exited the co-CEO role at Lacework just four months after the cloud security vendor laid off 20% of its employees.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 23 edition discussing the industrywide implications of a teenager hacking into Uber's internal systems and the Sept. 30 edition discussing whether others will follow the U.S. lead to legislate software bills of materials.
Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna Delaney. And this is our weekly editorial analysis of the top cybersecurity stories. And this week, I'm very happy to be joined by editors Marianne Kolbasuk McGee, who heads our HealthcareInfoSecurity site, Michael Novinson, who leads our business coverage, and our editorial director, news, David Perera. As always, wonderful to see you.
David Perera: Thanks for having me here.
Delaney: Marianne, start us off. You're embracing the autumnal sun maybe?
Marianne McGee: Well, this is a photo we took out in Western Mass a few weeks ago. We went out to Western Mass, they have what they call the biggie every year, which is like an agricultural festival/carnival. So this is more of an agricultural photo. I'm not really a carnival person, but it's always nice to get away.
Delaney: So, lots of local vendors?
McGee: Yeah, they have pig races and they demonstrate how they shave the wool off sheep. You know, they have a lot of fried food, that sort of thing.
Delaney: Just like any ordinary weekend. Michael, you are providing the music today.
Michael Novinson: Yes, I am. This is a photo of the Rhode Island Philharmonic Orchestra. Now, during most of the year, they perform indoors, classical music in a nice venue in Downtown Providence. But over the summer, they traveled the state of Rhode Island, but they put on free concerts around the state. Playing more popular music this year was music from theater and from famous movies. So we did get to enjoy them this summer. My two-year old had a ball listening to the Sousa March. And this is a photo of them performing in front of, in Roger Williams Park in Providence, in front of a nice piece of artwork.
Delaney: Incredible and to think it's free as well. That's awesome. Dave, you're joining us from the great outdoors.
Perera: In the great outdoors, overlooking Harpers Ferry, which is a small historical town about an hour's drive away from Washington, D.C., where I'm located, give or take a suburb. And Harpers Ferry is beautiful, year round. But, of course, when the trees turn, as they're doing, this is especially beautiful.
Delaney: It doesn't look like Scotland in many ways. Gorgeous. I am well, but you know how your phone or some social media platform shares memories of you. So this is the memory. Three years ago today, I was in Napa Valley and just sampling some wine. I think it said 10 am, drinking wine. So, of course, sharing you some nostalgia with you from three years ago. Well, Marianne, I think we've got to start with you this week because you've got the most bonkers story, surely. A U.S. Army Major doctor and his wife face federal indictment for attempting to disclose to a Russian spy the medical records of U.S. military patients. Tell us more about it?
McGee: Well, since Russia's invasion of the Ukraine back in February, we've been hearing a lot about potential spillover cyberattacks on the critical infrastructure of the U.S. and other allied nations that are assisting Ukraine, as well as potential hacktivism or other cyber incidents involving attackers that support Russia's effort. Thankfully, we haven't seen any of those worst fears materialize in the healthcare sector. But the Justice Department, as you noted, just last week revealed a pretty stunning criminal case that highlights how malicious insiders could use their access to sensitive information to help Russia. In this case, it was Dr. Anna Gabrielian, who is an anesthesiologist and her spouse U.S. Army Major Jamie Lee Henry, who is also a doctor formerly at Fort Bragg. They were charged on eight counts of conspiracy and criminal violations of HIPAA involving wrongful disclosure of identifiable health information. Now, for one thing in the bigger picture, we don't generally see many criminal HIPAA cases being filed by prosecutors. And when we do, those cases are generally tied to allegations of patient data that was accessed or stolen by insiders to commit crimes, such as ID fraud, credit and tax fraud and those sorts of things. But this case is generally an outlier here. In this case, prosecutors allege that the conspiracy centered on a plot by Gabrielian and Henry to assist Russia in its conflict with Ukraine by providing details about sensitive medical conditions of U.S. military and Department of Defense officials, including some retired and some deceased individuals' spouses. In court papers, prosecutors allege that Gabrielian used her access to electronic health records where she worked to obtain the medical information. And the DOJ doesn't identify where Gabrielian worked, but she's known to have been a doctor at Johns Hopkins Medicine in Maryland, whose patients include ex military and intelligence personnel. The DOJ alleges that the couple conspired to provide this medical information to an individual that they believed was working for the Russian government. However, the supposed Russian spy was actually an undercover FBI agent. Gabrielian told the undercover agent allegedly that she was motivated by patriotism toward Russia. Now court documents allege that Gabrielian told the undercover FBI agent that Henry's information could help Russia gain insight into how the U.S. military establishes an Army Hospital in war conditions. Right now, the company, the couple is currently under house arrest and pending their arraignments, they've surrendered their passports. If convicted, Henry and Gabrielian face a maximum sentence of five years in federal prison for the conspiracy counts, and a maximum of 10 years in federal prison for each count of disclosing health information. Now, I've been covering this sort of space for a long time. And this is definitely one of the more unusual alleged HIPAA criminal cases I've encountered, involving malicious insiders. And it's also a reminder for healthcare and other entities not to lose sight of the so-called potential enemy from within, as they try to prevent potentially catastrophic cyber incidents from external attackers. So, very unusual case.
Delaney: It's an interesting case, because of the insider threat meets Russia's war in Ukraine. Are there other ways that healthcare organizations can refresh their take to thinking about insider risks?
McGee: Well, the thing that's interesting about this case, and it's not really documented yet in court papers, maybe we'll find out, as this sort of plays out, is how Gabrielian and Henry were able to sort of access this information and take it with them without anybody noticing. Or it's possible that because they met with the FBI agent before this information was taken, or at least, handed over to the FBI, you kind of wonder, maybe the FBI also tipped off Johns Hopkins Medicine or the military facility where Henry worked to let them know that we're watching this case here, you better watch your access monitoring more closely, but this is what's happening. So, but in most cases, healthcare organizations aren't tipped off that you got somebody in your organization that might be trying to do something malicious with patient information. So we'll have to see how this plays out, but it's definitely an unusual case for criminal HIPAA allegations, but also a war crime possibly. That's what's being charged.
Delaney: How has the community reacted and received this news?
McGee: I think it's gotten a lot of national coverage here in the U.S., and I think it's definitely a juicy case. Because again, there's been so much said about possible cyberattacks involving Russia and Ukraine and spillovers and all that, but this is something that I think caught people by surprise.
Delaney: Thank you, Marianne. Well, from one insider threat case to another. David, more law and order this week. A former Seattle tech worker, Paige Thompson, was sentenced to time served and five-year probation, including computer monitoring, for her massive hack on Capital One that allowed her to obtain the personal information of more than 100 million people. Tell us about the sentencing.
Perera: So, the sentencing was very much in line with what her defense attorneys had asked for. Government prosecutors were asking for seven years imprisonment. So, the judge very much sided with defense attorneys on this, deciding that the 100 days that she spent in jail ahead of her trial and five years of supervised release, along with home confinement during that period, was sufficient punishment for Thompson. The circumstances of how she came to hack Capital One are very interesting. And one thing that defense attorneys did stress during the trial was that she didn't target Capital One, she didn't know that she would be getting the information of 100 million individuals. She was basically running a script looking for vulnerabilities in application, web application firewall on the Amazon cloud and she found vulnerabilities and one of them belonged to Capital One, which was in the middle of closing down its data centers and transferring all this information to the Amazon cloud. If she had gone on to sell that information, if she had shared that information, then no doubt her sentence would have been much stricter. And there are indications that she was thinking about doing something like that or pondering what her next steps were with all the information that she had downloaded, but the facts are is that she didn't sell it. It doesn't appear to have been distributed just beyond her hard drive. And so she's getting supervised release.
Delaney: And what do you make of the verdict? Because the DOJ isn't very happy to think that it's not what justice looks like.
Perera: Well, that's what one of the federal prosecutors in this case said, yes. They're not happy at all. The defense attorneys are very happy. They saw that quote and they got in contact and they said, this is indeed what justice looks like that the case against Thompson was hyped up from the start and didn't match the severity of her actual crimes.
Delaney: What's Capital One's reaction been?
Perera: So Capital One is not necessarily saying anything about the sentencing itself. But there is a sense that Capital One is moving beyond this 2019 incident. It was fined $80 million by federal financial regulators, who also put the company under a quarterly cybersecurity improvement reporting mandate, basically saying that every quarter, you have to report back to federal regulators, how you've improved your security posture. And just in August, federal regulators released Capital One from that requirement. Basically, they said that we believe the security has improved to the point where we no longer need quarterly updates. Capital One also settled a proposed class action against it, tied to the breach, so it's $190 million settlement. And Capital One decided that rather than continue with litigation, it was simply just settled with the class action attorneys. And now, of course, Thompson has been found guilty and sentenced. So I think there's a sense that the Capital One is closing the chapter on this particular incident, moving forward.
Delaney: But also another reminder not to dismiss the insider threat. Michael, you've written about the departure of Lacework co-CEO David Hatfield, what happened?
Novinson: Anna, thank you for having me on here. So, Lacework last year was one of the highest flying security startups soaring through the stratosphere. They close the largest funding round in cybersecurity industry history, they raised $1.3 billion on a valuation of $8.3 billion, which is the third-highest valuation any cybersecurity startup has ever received, behind only Tanium and Snyk. 2022 has been a very different story for Lacework. They say bad news comes in threes, and that certainly has been the case here. So first off in May, Lacework was the first cybersecurity vendor who publicly disclosed layoffs as a result of the economic downturn. They announced that they were laying off 20% of their workforce. They employed approximately a thousand people at the time. The second strike came in late August when Andy Byron, who was their president and their chief revenue officer - he was responsible for sales and marketing, in particular, is focused on growing the company's channel program globally. He announced - it was reported that he had left the company after spending three years there. He had previously served as the chief revenue officer at Cybereason. So when Byron left, all of his responsibilities were shifted over to David Hatfield, who had started as the CEO at Lacework in February of 2021. Previously, he was the president at Pure Storage for nearly seven years, which was backed by Sutter Hill Ventures, the same folks who are backing Lacework. Round three came out late Tuesday, Protocol reported, and the company confirmed they had sent a memo to employees that David Hatfield is out as co-CEO of the company, meaning that the company, going forward, will be led by Jay Parikh, who was the longtime VP of Engineering at Facebook, spent more than 11 years in that role, and then joined Hatfield as the co-CEO in July of 2021. So the interesting thing here is that Hatfield and that co-CEO arrangement, Hatfield was really responsible for operations, for business strategy, for global expansion, a lot of the go-to-market stuff that overlapped with what Byron was doing in sales and marketing. Jay Parikh, who's now the sole CEO, there is an engineering guy, he looks at product technology, engineering, R&D, that's his bread and butter. So you now have, with both Hatfield and Byron departing, you have a major gap in terms of overseeing how this technology is brought to market. And given that the company had quintupled its headcount, from 200 employees to a thousand employees in the 14 months leading up to - prior to the layoffs. There's a large global operation to oversee here and a pretty clear vacuum in terms of who is going to be focused on directing the go-to-market motion. Here I have asked Lacework where those responsibilities lie today, what their plan going forward is. I have not heard back from them yet. But it certainly will be an interesting thing to keep an eye on.
Delaney: They say too many cooks spoil the broth, but the partnership, what we're led to believe, that was actually a happy one at the beginning, it went smoothly. Do we have any indication of what went wrong?
Novinson: It's an interesting question. So co-CEO arrangements tend to be volatile. We've seen a handful of them in security over the years, just a couple of weeks ago written about a co-CEO arrangement at IronNet where Keith Alexander, the former NSA, had co-CEO arrangement with William Welch, COO of Zscaler and Duo to help with the go-to-market affairs at IronNet, they've really struggled. Welch left. You go back to Tanium a couple of years ago. Orion Hindawi was a co-founder over there, they had brought in Fazal Merchant who had more of a CFO, CEO background to help with some of the operational stuff. That only lasted for a little while. He left. You look at Darktrace. They had Nicole Eagan as CEO and then for a couple of years, Poppy Gustafsson, who was the CFO moving into that role to help with operations. That only lasted a few years, though, in that case, she did continue to stay with the company and she's now heading their chief strategy and AI. Actually, we had her in the ISMG Studios a couple of weeks ago here. But these are just hard to make work. You know, Oracle did it for a number of years, it's just hard to have two leaders at the same time. I think when companies are struggling, they tend to affect the go-to-market side more that investors don't want to see a retrenchment from technology or R&D investments. So when it comes time to cut jobs, last tend to be heavily weighted toward sales and marketing. And there's a sense that if things aren't going maybe the way that investors want them to go, that those are the folks to blame if people believe that the technology is strong and the technology is legit. Then the folks who are in charge of the operations and the strategy piece are usually the ones ... we saw Welch depart in the case of IronNet. And then in this case, we're seeing Hatfield depart. So yeah, it's interesting we now have no co-CEO arrangements anymore in cybersecurity. I wonder if we'll see any more, going forward.
Delaney: Yeah. Let's see what happens in the Lacework story next. Thank you very much, Michael. Okay, well, speaking of leadership, and I'm going to make you leaders. I'm going to make you heads of sparkling new incident response teams. What is the name of your team? What would you call yourselves? Silly names only, of course.
Novinson: So I was inspired by the Geek Squad at Best Buy. Been around for a couple of decades and come up with the Nerd Herd. I do have to give a tip off to the NBC television show Chuck, which had that really original, for me, but do you think Nerd Herd would be a very fun name for an IR team?
Delaney: Yeah, I like that. Marianne?
McGee: Cyber Stat. Everything's urgent in healthcare. So got to jump on it.
Delaney: Yeah, you got it. Very good. Dave?
Perera: Oh, well, the jets. Yeah. Because when you're a Jet, you're a Jet all the way. You're never alone. You're never disconnected. You're home with your own and when company is expected, you're well-protected.
Delaney: Oh, wow. You've got your marketing message already. I was just thinking West Side Story - song and dance. So that was great. So I was thinking, I looked up. I tried to use the internet for inspiration as one does. Apparently, the word diamond is an old English word for invincible and untamed. So I'm feeling really creative here. I thought Cyber Diamonds. Diamond documents, perhaps? Yeah, we can only try. Well, thank you very much. This has been fun, as always. And great to see you all. So, Marianne, Dave, Michael. Thank you.
McGee: Thank you.
Perera: Thanks. Have a great day.
Delaney: Thanks so much for watching. Until next time.