A former IT network engineer and technical services manager for San Diego's Council of Community Health Clinics was sentenced to 63 months in prison on federal hacking charges.
According to a release from the FBI's San Diego office, Jon Paul Oson of Chula Vista, Calif., was convicted of intentionally damaging protected computers in December 2005 when he disabled the automatic backup database of patient information.
Oson had resigned from his job after a negative performance review. He was convicted of accessing the CCC network without authorization. He also was found guilty of attacking the system again on December 29, 2005, this time deleting data and software on several CCC servers.
This is one of the longest sentences ever imposed for computer hacking.
Don Jackson, director of threat intelligence at SecureWorks, said he believes the length is justified.
“If he had sold the data, he probably would have received a lower sentence,” Jackson told SCMagazineUS.com on Thursday. “But he put lives at risk, and this is what he deserves.”
Tom Dager, director of information security with SecureWorks and a former police officer, agreed, stating that life protection should always take precedence over asset protection.
“This wasn't a simple hack attack that stole information for monetary gain,” Dager told SCMagazineUS.com. “A lot of health care facilities are moving away from paper records. The ability to compromise the data backup and delete the existing data, essentially erasing the medical history of a patient, is what elevated this in the eyes of the judiciary.”
To better protect systems from a similar attack in the future, Dager recommended companies take a dual-control approach and make sure that more than one person has access to information and systems.