A Maryland pharmacist was indicted this month on two counts of unauthorized access to a protected computer and one count of aggravated identity theft, tied to alleged insider activity at the University of Maryland Medical Center. The indictment is unusual not because the conduct is rare — credentialed-staff misuse is a persistent feature of the healthcare threat environment — but because of the legal framework prosecutors chose. Federal prosecutors are using the Computer Fraud and Abuse Act to reach conduct that HIPAA's civil enforcement model doesn't address well, and the cases that result will reshape what compliance programs need to document.

What the CFAA does that HIPAA doesn't

HIPAA's enforcement architecture is built around covered entities. The Office for Civil Rights investigates organizations and imposes corrective action plans, civil monetary penalties, and resolution agreements. Individual workforce members face professional consequences and possible state-licensing action, but federal criminal exposure under HIPAA itself is narrow — Section 1320d-6 reaches knowing wrongful disclosure but is rarely charged.

The Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030, fills that gap. It criminalizes unauthorized access to a protected computer — a term defined broadly enough to cover essentially any healthcare information system connected to interstate commerce. When a credentialed clinician exceeds the boundaries of authorized access — querying records of patients outside their assigned panel, downloading data for personal use, accessing records that aren't required for the task at hand — that conduct is reachable under the CFAA in a way that it isn't reachable under HIPAA.

The Maryland indictment adds an aggravated identity theft count under 18 U.S.C. § 1028A, which carries a mandatory minimum two-year federal prison sentence to be served consecutively. That's a structural feature of the statute: it forces sentencing judges to add prison time to the underlying offense regardless of the rest of the case profile.

Why this matters for compliance programs

Healthcare compliance programs typically focus on the practice's affirmative obligations — the policies, the training records, the access reviews, the breach response. Federal criminal prosecution of an individual workforce member is outside that scope. But the practice's documentation becomes discoverable evidence in those prosecutions, and the documentation that exists at the time the federal investigation opens is the documentation that will be examined; nothing reconstructed afterward carries the same weight.

A few specific implications follow.

Audit logs become evidentiary records. When OCR investigates, audit logs support the corrective action plan. When the FBI investigates a CFAA case, audit logs are evidence in a federal prosecution. The standard is the same — what did the user access, when, and from where — but the consequences of incomplete logs differ. A gap in log retention that an OCR investigator might note as a corrective opportunity becomes, in a federal investigation, a defense argument the prosecutor has to overcome.

Access definitions in policy matter. The CFAA's "exceeds authorized access" language depends on what the practice defined as authorized. Practices that document role-based access scopes — pharmacist accesses dispensing data, billing staff access claim records, nurse manager accesses staff assignments — provide clear evidence of where the boundary sits. Practices with vague or unwritten access scopes make the prosecutor's job harder, but also make the practice's compliance posture harder to defend if the FBI starts asking questions.

Sanctions records have a second purpose. HIPAA Section 164.530(e) requires a sanctions policy and documentation of its application. Most practices treat this as a paperwork exercise. In a CFAA prosecution, sanctions records are evidence of the practice's awareness of the conduct and its response. Consistent application of the sanctions policy — including for terminated employees who later face federal charges — is one of the cleaner facts a practice can present.

What independent practices should check now

Three operational items follow directly from the prosecution pattern.

First, the audit log scope and retention period should match the realistic timeline of investigation. CFAA cases regularly reach back two to three years before charging. If the practice's audit logs only cover ninety days, the practice can't help its own employees mount a defense, and it can't help itself defend the institutional response. A 24-month audit log retention is the floor for a healthcare practice that wants to participate meaningfully in any future investigation.

Second, access reviews need to produce documented decisions, not just artifacts. A "we reviewed access" memo without a list of accounts examined and decisions made is weak evidence. A spreadsheet showing every account, current access scope, last-review date, and reviewer name — refreshed quarterly — is strong evidence.

Third, sanctions policy application should be tracked even when the conduct doesn't reach the federal-investigation threshold. The trail of how the practice handled small-scale insider issues becomes the evidence of how the practice would handle a larger one. Federal prosecutors and OCR investigators both look at this trail; if it's empty, the absence is itself a finding.

The Maryland indictment is one case, but the pattern is broad enough to plan around. Federal prosecutors have decided that healthcare insider misuse is reachable under the CFAA. The cases will keep coming. The compliance programs that are ready for them are the ones whose documentation already exists when the federal letter arrives.

Read the original at DataBreaches.net