Health care facility hacked by ex-employee using 2-year-old credentials: Justice Department

The former systems administrator of a Pennsylvania health care facility was charged with criminal hacking Monday after prosecutors said he wreaked havoc using administrative credentials that went unchanged more than two years after he resigned.

An attorney for Brandon Coughlin, 29, pleaded not guilty on his behalf in Pittsburgh federal court Monday after the Justice Department unsealed a criminal indictment charging him with one count each of felony hacking and wire fraud.

Mr. Coughlin, the former computer technician of an unnamed health care facility, is accused of purging records from his old job’s databases and purchasing nearly $5,000 worth of iPads on the company’s dime after he was asked to resign from the gig in February 2013 following three weeks of employment.
Documents unsealed in federal court this week indicate Mr. Coughlin was hired Jan. 16, 2013, to work as the “in-house systems administrator” of the health care entity’s computer system, but resigned Feb. 4 upon the company’s request.

The administrative credentials necessary to gain access, modify settings and control the entirety of the health care entity’s computer system and its web-based email server were not immediately changed following Mr. Coughlin’s resignation, U.S. Attorney Soo C. Song wrote in the indictment. Indeed, prosecutors allege Mr. Coughlin maintained privileged access over the entity’s email system more than two years after his resignation, and illegally operated in its shadows well after his employment ended.