A Maryland man is facing federal indictment in connection with an unauthorized computer access scheme involving a Maryland medical system. The 41-year-old defendant, of Clarksville, is charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft while working as a pharmacy clinical specialist for Company A, a medical system located in the District of Maryland. US Attorney for the District of Maryland Kelly O. Hayes announced the indictment on May 1, 2026, alongside FBI Baltimore Field Office Special Agent in Charge Jimmy Paul.
According to the indictment, between July 2016 and September 2024, the defendant intentionally accessed Company A computer systems without authorization and obtained information from protected computers. Through this unlawful access, he obtained victims’ usernames, passwords, cookies, images, videos, and other data.
The defendant allegedly used various cyber intrusion techniques—including keylogging, cookie management tools, mailbox rule creation, and file masquerading—to gain access to personal and professional accounts belonging to current and former employees, individuals in relationships with employees, and others affiliated with Company A. This enabled access to victims’ accounts on services such as Google Photos, iCloud Photos, Gmail, Microsoft 365, and social media platforms.
The indictment further alleges that he created mailbox rules that automatically deleted incoming emails with the subject line “Critical Security Alert,” preventing Company A cybersecurity personnel from detecting compromised accounts.
His repeated extraction of browser cookies allowed him to import them into internet browsers and access victims’ accounts on other devices without authorization, enabling continued access from locations outside Company A’s network.
Additionally, beginning in or around February 2023 and continuing through July 2024, he allegedly installed spyware on one or more Company A computers. Through this software, he conducted video surveillance of individuals at Company A and recorded victims without consent, including women engaged in breast pumping.
Compliance Perspective
Issue
The HIPAA Security Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). This includes implementing controls to prevent, detect, and respond to unauthorized access to systems containing ePHI, including access by workforce members acting outside their authorized job responsibilities. Organizations must ensure that access to ePHI is limited to the minimum necessary for legitimate business purposes, and that system activity is regularly monitored for suspicious or inappropriate use. Failure to maintain effective safeguards may result in unauthorized access to sensitive information, security incidents, and violations of HIPAA requirements.
Discussion Points
- Review and update policies and procedures related to HIPAA Security Rule compliance to ensure they address appropriate access controls, system monitoring, and detection of unauthorized activity. Policies should clearly define acceptable use of organizational systems, restrictions on access to ePHI, and escalation procedures for suspected security incidents. Organizations may benefit from periodic review of technical safeguards with an experienced compliance consultant to assess potential vulnerabilities and strengthen protections against unauthorized access.
- Provide ongoing education for staff on HIPAA Security Rule requirements, including organizational responsibilities for identifying, responding to, and mitigating security incidents involving ePHI. Training should emphasize the importance of recognizing potential security events, following established incident response procedures, and ensuring appropriate documentation and escalation of suspected incidents. Staff should also understand breach reporting obligations and the importance of system monitoring and audit log review. Med-Net Academy offers the course HIPAA Security Rule Security Incident Procedures, which reviews the Security Rule framework and outlines how to develop policies and procedures to address security incidents. The course also covers incident response planning, formation of response teams, audit log review, mitigation of harmful effects, data backup strategies, and breach reporting requirements.
- Conduct regular audits and system monitoring of access logs, user activity, and security alerts to detect unauthorized or unusual access to systems containing ePHI. Audit processes should include review of login behavior, data access patterns, and potential indicators of compromise. Findings should be addressed promptly through investigation and corrective action, and organizations may consider periodic independent security reviews to identify gaps and strengthen system protections. Contact Med-Net Healthcare Consulting or info@mednetconcepts.com for more information.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*