The FBI was contacted and Graham ultimately pleaded guilty to a felony, intercepting electronic communications, in U.S. District Court. He faces possible prison time when sentenced early next year, although probation is also possible.
Graham's case raises questions. How could a hospital's security be breached with a legal product? And how many other people might be trying something similar?
Early last year, Graham, a cardiac surgical technician at University Hospitals in Cleveland, wanted to sneak a peek at the online activity of a woman he knew.
So he sent an e-mail to her personal Yahoo! account with an attachment that would unleash spyware when opened.
The spyware, legally purchased on the Internet, was designed to capture e-mails and screen shots from the infected computer and forward them to a stealth e-mail account Graham could peruse without anyone knowing.
Graham was soon receiving hospital files, including more than 1,000 screen views, most containing confidential information about medical procedures and diagnostic notes for specific patients. He also received personal e-mail and financial records of four hospital employees.
MIAOULIS NOTE: What should the Hospital have done to prevent this? Virus software, firewalls, etc. could may have prevented this. Could this happen at your organization? Do you allow Gmail, Yahoo mail, etc.? It was through this GMAIL account that this breach occured.