Cyber Incident Victim: Trillium Health

Date: Jan 2020

Location: United States of America

Summary

A former information systems security support coordinator at Trillium Health exploited administrative privileges to illegally access coworkers' devices and accounts, compromising over 65 employees. The attacker stole hundreds of explicit photos and videos, along with personal data including social media credentials, driver's licenses, credit card details, and Social Security cards. Suspicion arose when unusual network activity traced to the employee's workstation revealed unauthorized access using colleague credentials. Forensic examinations of seized devices confirmed extensive possession of sensitive materials. The organization incurred over $100,000 in cybersecurity remediation costs and cooperated with law enforcement, though no patient information was accessed. Victims had previously interacted with the perpetrator during routine IT assistance requests, with one instance involving written passwords for software installation that were later misused for unauthorized account access.

Description

In January 2020, Trillium Health, a healthcare organization, experienced a cybersecurity incident involving a former employee. On January 2, a co-worker detected unusual network activity traced to the workstation of Ameer Elashmawy, then an information systems security support coordinator. The activity involved unauthorized access using another employee’s credentials. The co-worker identified anomalous file names unrelated to normal operations but did not view their contents, prompting escalation to a supervisor. The following day, Trillium’s director of information systems and technology discovered nude photographs and compromising images of female employees on Elashmawy’s devices during a forensic review. The director also found usernames, passwords for victims’ social media accounts, and a photo of an employee’s Social Security card. Confronted that same day, Elashmawy offered no substantive response and was escorted from the premises without access to his office. Trillium Health reported the incident to law enforcement on January 6, 2020.

Investigators examining Elashmawy’s electronic devices—including USB drives, laptops, external hard drives, and iPhones—identified over 65 victims. Evidence showed he possessed hundreds of explicit photos and videos of coworkers, along with driver’s licenses, credit card details, Social Security cards, and other personal data. Elashmawy allegedly exploited his administrative privileges to access employee work accounts during IT assistance sessions, where victims used company laptops for personal social media access. Only one employee voluntarily shared passwords, specifically for installing Spotify on devices, with instructions to destroy the credentials afterward; Elashmawy instead retained and misused them. No patient data was compromised. Trillium incurred over $100,000 in costs for cybersecurity consulting and employee protection services. Federal charges were filed against Elashmawy for unauthorized computer access and identity theft, carrying potential penalties of five years’ imprisonment and a $250,000 fine. The organization expressed support for affected staff and cooperated fully with law enforcement throughout the investigation.
