An Idaho man is facing several charges relating to a breach of the city of Newnan’s computer system.
Robert Purbeck of Meridian, Idaho, was charged with the Northern District of Georgia on March 2 for computer fraud and abuse, access device fraud and wire fraud.
Purbeck – who made his first appearance before a U.S. magistrate judge in Boise, Idaho – also is accused of hacking into the computer systems of Atlanta-area medical clinics.
“This alleged cyber-criminal and extortionist targeted the city of Newnan as well as medical clinics in our district, stealing over 60,000 records containing personal information of our citizens,” said Acting U.S. Attorney Kurt R. Erskine.
Erskine said Purbeck also allegedly attempted to extort a Florida orthodontist, threatening to sell the Social Security number of his minor child unless the orthodontist submitted to a payment demand.
“The charges against Purbeck highlight the need to remain vigilant in our cybersecurity efforts,” said Chris Hacker, special agent in charge of FBI Atlanta. “The theft of intellectual property to be used to extort citizens is a very serious crime and one the FBI will diligently pursue, no matter if you are hiding behind a computer screen.”
According to court documents, between June 23, 2017 and April 28, 2018, Purbeck allegedly purchased, – on a criminal marketplace – the usernames and passwords to computer servers belonging to multiple Georgia victims. He then allegedly used those credentials to access the victims’ computers, stealing sensitive and personally identifiable information including:
• Medical records and other documents that contained names, addresses, birth dates and social security numbers of over 43,000 people from a Griffin, Georgia, medical clinic;
• Police reports and other documents containing personal information of more than 14,000 people from the city of Newnan; and
• Personal information of more than 7,000 people from a Locust Grove, Georgia, medical practice.
On June 25, 2018, Purbeck allegedly hacked into the computers of the Florida orthodontist and stole the medical records of more than 1,800 people. He reportedly threatened, harassed and attempted to extort the orthodontist, demanding a ransom payment in Bitcoin.
During the course of his attempted extortion, Purbeck reportedly sent numerous harassing emails and text messages to the orthodontist and his patients.
The case is being investigated by the FBI’s Atlanta Field Office, assisted by the FBI Boise Resident Agency.
In September 2019, Newnan city officials were notified by the Georgia Bureau of Investigation and the FBI that an unauthorized person had gained possession of electronic files maintained by the city, according to Assistant City Manager Hasco Craver IV.
"The city undertook a comprehensive review of the files to determine the type of information leaked and to confirm the identities of those affected individuals,” Craver said. "The breach was not a case of encrypted data or ransomware situation."
The information included names, dates of birth, driver’s license and Social Security numbers.
After learning of the breach, the city hired an outside firm to do a subsequent security check of all IT systems, which determined the environment remains secure and the vulnerability had been closed much earlier than when the city learned of the breach, Craver said.
The good news is that there was no misuse of personal information, according to Craver.
“It’s important to note that both of those agencies have zero evidence any misuse took place,” he said.
Those affected by the breach were provided with documentation confirming their information was compromised, which accompanied a year of free identity protection service, including assistance on reporting incidents to banks and credit card companies.
“A third party helped provide guidance on how to place fraud alerts and security freezes, along with providing free credit reports,” Craver said. “This information will be included in the notices that the affected individuals receive.”
"As a resident and staff member, I’m confident that this city has managed the process with individuals’ best interests in mind and didn’t leave any stone unturned,” Craver continued. "The minute we learned of the incident, we went to work making improvements not only to our systems but also through providing services like credit monitoring back to them. That’s something that’s not legally required, but very appropriate.
“Strict security measures remain a high priority for us to protect the information that’s in our care,” he continued. “We’re always reviewing those policies and procedures and seeking information for industry experts."