Cyber Incident Victim: Health Insurance Marketplace

In November 2018, Colbi Trent Defiore, a 27-year-old seasonal employee at a Virginia-based technology company operating contact centers for the Centers for Medicare & Medicaid Services (CMS), engaged in unauthorized access of Healthcare.gov consumer data. Defiore, stationed at a call center in Bogalusa, Louisiana, exploited his position to conduct bulk searches within the Healthcare.gov database—an action explicitly prohibited by his employer—despite having received training on proper handling of personally identifiable information (PII). He extracted data belonging to over 8,000 individuals by copying search results to a clipboard and emailing them to his work email account. After his shifts ended, Defiore remotely accessed his work email without authorization to retrieve the stolen PII. Over multiple occasions during that month, he systematically harvested sensitive consumer details, which he later used to commit financial fraud.

Defiore fraudulently applied for at least six credit cards, personal loans, and lines of credit using the stolen information of five confirmed victims, seeking personal financial gain. The breach was investigated by federal authorities, leading to Defiore’s indictment by a grand jury on November 7, 2019, on charges of intentionally accessing a protected computer exceeding authorized access for financial benefit and in furtherance of a felony. The incident caused $587,000 in losses to the call center operators, covering costs for incident response, damage assessments, system remediation, victim notifications, and identity theft protection services for affected consumers. In December 2020, Defiore was sentenced to 42 months in federal prison followed by three years of supervised release and ordered to pay a $100 special assessment fee. The case underscored vulnerabilities in contractor oversight within federal healthcare enrollment systems but did not implicate technical flaws in Healthcare.gov’s infrastructure itself.