Former Health Clinic Employee Charged with Unlawful Access of Clinic’s Computer System
10/20/2016
Former Health Clinic Employee Charged with Unlawful Access of Clinic’s Computer System
In March 2015, The Consolidated Tribal Health Project (CTHP) reported that their computer system was accessed on multiple occasions by an unauthorized person and patient records were compromised. They were also missing data from their network, their email had been disabled and their web site was taken down.
The Consolidated Tribal Health Project (CTHP) is a nonprofit ambulatory community health clinic governed by a consortium of eight Pomo tribes and one Cahto tribe. CTHP is located in Calpella (unincorporated Mendocino County) California.
On Friday October 31, 2014, CTHP terminated their Information Technology manager (I.T.) Peter Fennel and Human Resources Director Dianna Clarke. As the day went on employees began to notice that files were missing from the computer system, to include patient billing records, Human Resource records, and billing records for outside medical services for our patients. Included in these records is the personal identifying information and medical history information for approximately 800 patients. None of the records were encrypted. They were unable to determine at that point if the data had just been deleted or if it had been downloaded by the suspect to another system, but everything including the backup copies were gone. By Monday, November 3, 2014, CTHP external email system did not work and their website was offline.
After a 4 month investigation by the NC3TF arrest warrants were filed in Mendocino County for Peter Fennell and Diana Clarke for multiple counts of computer intrusion, electronic eavesdropping, and conspiracy. In an apparent act of retaliation after being terminated from his position as IT Director Fennell accessed and deleted databases and backups of patient files, disabled the business website, and surreptitiously monitored employees’ emails by forwarding them to a personal Gmail account. He then shared that Gmail account with Clarke, the former Human Resources Director who was terminated at the same time. Both Fennell and Clarke, who is also a practicing in-house counsel, discussed the contents of the forwarded emails in text messages in the months after their termination. Both suspects turned themselves in on the warrants and were arraigned on Monday, September 14. The court case is continuing.
Charges against Clarke were dismissed at the preliminary hearing but Fennell was held to answer on multiple felony counts.
As part of a plea agreement Fennell pled no contest to a violation of California Penal Code section 502(c)(2); Unauthorized Use of a Computer System.