On January 10th, a federal judge sentenced cybercriminal Martin Gottesfeld, 34, to a decade in prison. This comes after a jury found Gottesfeld guilty of perpetrating a 2014 cyberattack against Boston Children’s Hospital and an affiliated treatment home. The attack cost Boston Children’s hundreds of thousands in donations and revenue, tens of thousands in damage remediation, and impacted patients’ care at local hospitals for several days.
Gottesfeld, for his part, remained unrepentant. He stood by his initial rationale for his crime, that he needed to act to protect the life of Justina Pelletier. Pelletier, a teenaged patient, lay at the center of a dispute over care between Boston Children’s and her parents. As per the Associated Press:
The Connecticut teenager was placed in state custody in Massachusetts after her parents disputed Boston Children’s Hospital doctors’ diagnosis of their daughter.
Pelletier had previously been diagnosed with mitochondrial disease, a disorder that affects cellular energy production, but Boston Children’s Hospital diagnosed her problems as psychiatric.
The case drew national media attention and ignited a debate over parental rights. Pelletier was later returned to her parents on a judge’s order.
Prosecutors had asked Gottesfeld be sentenced to 12 years. In sentencing Gottesfeld to 10, the judge called Gottesfeld’s actions “contemptible, invidious and loathsome.”
“It was your arrogance and misplaced pride that has been on display in this case from the very beginning that led you to believe you know more than the doctors at Boston Children’s Hospital,” the psychiatrists at the treatment facility and everyone else, U.S. District Judge Nathaniel Gorton said.
What can we learn?
- Hackers will attack everyone – nothing is sacred, not even the lives of children. Gottesfeld received such a harsh sentence in part because he refused to admit his actions were unjustified. Gottesfeld had called himself an “Obama-era political prisoner” and contended that he needed to act to save Pelletier’s life. Despite endangering the lives of patients – children – all over Boston, Gottesfeld would not admit he hurt anyone and even plans to appeal his sentence. Even the group he claimed to be a part of – Anonymous – disavowed his actions in a 2014 tweet: “To all Anons attacking Children’s Hospital in the name of Anonymous … It’s a hospital, stop it.” When even 4chan calls you a bad person, you really need to re-evaluate your life.
- Attacks are easy to start and difficult to stop. Gottesfeld executed a DDoS (distributed denial-of-service) attack, in which many machines flood a target with bogus traffic until it can no longer process legitimate requests. These attacks are cheap, with a basic attack costing as little as 5 Euros (~$5.68). And with up to 125GB of network bandwidth available at these prices, someone could take down most corporate IT systems for less than the price of a Starbucks coffee. With the average cost of damage remediation in the six figures, even for small businesses, the risk-to-reward ratio is skewed in the attacker’s favor.
- Invest in cybersecurity before an attack, not after. Given the numbers above, what would you, as a practice owner or manager, want to pay? The cost of a consultant plus some security tools? Or would you prefer paying up to $2 million in forensics, fines, remediation, and all the rest? Start now. Look into specialized anti-DDoS services like Cloudflare to block malicious traffic. Try to use firewalls with some sort of anti-DDoS protection as well. Have a good IT auditing solution in place – if you can’t block the attack, knowing exactly what they did and how they did it will save you untold hours and dollars. And hire specialists in healthcare IT security to come in and verify your defenses will work.
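The auditing point above is worth making concrete. A flood only works because the target cannot tell junk requests from real ones fast enough, but the pattern is obvious in hindsight in the access logs: a handful of sources sending far more requests per second than any human could. The script below is an added example, not code from the original article or from any vendor it names. It parses constructed Common Log Format lines, keeps a sliding time window of timestamps per client IP, and reports every IP whose request count inside the window crosses a threshold. The 10-second window, the threshold of 20 requests, the IP addresses and the log lines are all assumptions chosen for the sample data; real traffic needs thresholds tuned to the site's own baseline.

```python
"""Rate-based flood detection over web-server access logs.

Added example (not from the original article). Scans constructed Common Log
Format lines, counts requests per client IP inside a sliding time window and
reports the IPs that exceed a threshold. Window size, threshold, addresses and
sample lines are assumptions made for this demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format: ip ident user [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak_requests_in_window} for every IP whose request count
    within any interval of length `window` reaches `threshold`.

    Lines are assumed to be in chronological order, as a server writes them.
    A per-IP deque of timestamps acts as the sliding window: entries older
    than the window are evicted as new ones arrive, so memory per IP is
    bounded by the request rate times the window length.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than stop the detector
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _clf(ip, ts, request, status, size):
    """Format one constructed CLF line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def sample_log():
    """Constructed sample traffic (not real data): three ordinary clients at
    one request per second for a minute, plus one client (198.51.100.7) that
    sends ten requests per second for ten seconds, and one unparseable line."""
    base = datetime(2019, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(60):
        ts = base + timedelta(seconds=sec)
        for ip in ("192.0.2.10", "192.0.2.11", "203.0.113.5"):
            lines.append(_clf(ip, ts, "GET /index.html HTTP/1.1", 200, 1024))
        if 20 <= sec < 30:
            for _ in range(10):
                lines.append(_clf("198.51.100.7", ts, "GET /search?q=x HTTP/1.1", 503, 0))
    lines.append("this line is not in Common Log Format")
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(sample_log()).items()):
        print(f"{ip}: peak of {peak} requests inside one 10 s window")
```

Run stand-alone, the script names only the constructed flood source, with a peak of 100 requests in one window, while the three one-request-per-second clients never reach the threshold. The same shape of check, fed from a firewall or reverse-proxy log instead of a constructed list, is what lets a small practice answer "who did what, and when" after an incident, which is the auditing capability the bullet above recommends.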
Attacks like this are a fact of life. Make sure you prepare for them.