New York hospital IT professional accused of stealing co-workers' passwords, information

A former health IT employee at a New York City-area hospital was charged in Manhattan federal court with compromising dozens of co-workers' email accounts and stealing their confidential information, the Department of Justice announced Friday.

Richard Liriano, 33, of the Bronx is accused of installing a malicious software program known as a keylogger on dozens of computers and online accounts between 2017 and 2018, officials said. The program recorded and sent victim employees’ keystrokes to Liriano, officials said.

Liriano allegedly used the stolen credentials to repeatedly compromise password-protected online accounts, such as social media and personal email accounts, and is accused of rifling through sensitive personal photographs and other documents such as tax records.

"As information technology increasingly becomes an integral part of our workplaces, ensuring the integrity of those systems becomes even more critical," said U.S. Attorney Geoffrey Berman in a statement. "The arrest of Liriano should serve as an error message to any information technology professionals seeking to capitalize on their trusted access to information: As in this case, you will be caught and prosecuted."

Liriano was arraigned in federal court before U.S. Magistrate Judge Katharine Parker. He was charged on three counts, including transmitting a program to a protected computer that intentionally caused damage, which carries a maximum sentence of 10 years in prison.

In the accusation, officials said he primarily used the keylogger program to access at least 30 email accounts, primarily those of female employees. 

"Whatever alleged motivation the subject in this case had, hacking into his co-workers' lives, albeit extremely disturbing, wasn't the most egregious act," said FBI Assistant Director in Charge William Sweeney Jr. in a statement. "He allegedly installed a harmful program on computers that house vital and critical healthcare information for hospital patients, without a thought to what he could be compromising in his attempts to spy on people."

While much of the concern around cybersecurity in healthcare has centered around external actors, a data breach investigations report from Verizon released earlier this year found insider attacks were responsible for the majority of healthcare data breaches (59%) in 2018 versus external attacks (42%). The healthcare industry is the only sector to show a greater number of insider attacks than external, according to Verizon's analysis of more than 20 industries.

Across all industries, external threat actors are still the primary force behind attacks (69% of breaches), with insiders accounting for 34%, they said.