Serial extortionist of medical facilities pleads guilty to cybercrime charges

Robert Purbeck even went as far as threatening a dentist with the sale of his child’s data

A cyberattacker and extortionist of a medical center has pleaded guilty to federal computer fraud and abuse charges in the US.

Robert Purbeck, adopting the aliases "Lifelock" and "Studmaster" during his time as a cybercriminal, according to the Department of Justice (DoJ), stole personal data belonging to more than 132,000 people.

The 44-year-old pleaded guilty to launching attacks on at least 18 different organizations across the US, including medical clinics. In one incident described by the DoJ following his 2021 indictment [PDF], Purbeck was said to have targeted a Florida orthodontist and threatened to sell his child's personal information unless they paid a ransom.

During this time he was also said to have sent a series of emails and text messages harassing the orthodontist and his patients.

In another case heard in court this week, Purbeck allegedly bought access credentials to a Griffin, Georgia medical clinic's server in 2017 off the dark web, broke in, and stole the personal data of more than 43,000 people in one go. This included names, addresses, dates of birth, and social security numbers.

Speaking to regarding a separate attack on a Michigan eye surgery center, which was allegedly only reported by the center two years after the attack, Purbeck tried to weaponize the media to pressure the facility into disclosing the incident.

Now where have we seen tactics similar to that before?

Following the Georgia medical center data theft, Purbeck once again used an initial access broker (IAB) to break into a server belonging to the police department of the city of Newnan, also in Georgia.

He used that access to steal various files such as police reports and other miscellaneous police documents which were ultimately found to contain the personal information of an additional 14,000 people.

"Purbeck breached computer systems in our district and across the country, stole vast amounts of personal information, and aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims," said US attorney Ryan K Buchanan.

"Cyberattacks on healthcare facilities and local governments pose a grave risk to the security of personal information. Our office is committed to tirelessly coordinating with our law enforcement partners to help safeguard the sensitive information of citizens by combatting cybercrime threats from within and outside this district."

Following his March 2021 arrest, Purbeck's property was searched in August that year and feds confiscated a number of his devices.

Purbeck tried on a number of occasions to regain access to his devices and counter-sue the authorities who searched him, all while representing himself in court. Across various cases, he argued that the devices seized from his property had been taken illegally since they were crucial to a company in which he was a shareholder, tried to suppress evidence by claiming the files were illegally surveilled by the authorities, and generally complained about the conduct of the investigators involved.

Purbeck claimed that agents used excessive force and overly aggressive tactics during his arrest, and that his genitals were felt for at least a minute to humiliate him – an event that allegedly required therapy for PTSD.

The efforts to reverse the seizure of devices and quash the search warrant were denied, however. The case against various agents involved in the claims regarding excessive force has largely been dismissed, except for two who are still involved in ongoing proceedings.

Purbeck is due to be sentenced on June 18, and as part of his guilty plea, he agreed to pay $1 million in restitution to his victims. ®

Send us news

Three cuffed for 'helping North Koreans' secure remote IT jobs in America

Your local nail tech could be a secret agent for Kim’s cunning plan

Europol confirms incident following alleged auction of staff data

Intelligence-sharing platform remains down for maintenance

Cybercriminals hit jackpot as 500k+ Ohio Lottery lovers lose out on their personal data

Not a lotto luck for these powerball hunters

One year on, universities org admits MOVEit attack hit data of 800K people

Nearly 95M people in total snagged by flaw in file transfer tool

Microsoft's Brad Smith summoned by Homeland Security committee over 'cascade' of infosec failures

Major intrusions by both China and Russia leave a lot to be answered for

Cybersec chiefs team up with insurers to say 'no' to ransomware bullies

Guidebook aims to undermine the criminal business model

UK opens investigation of MoD payroll contractor after confirming attack

China vehemently denies involvement

How two brothers allegedly swiped $25M in a 12-second Ethereum heist

Feds scoff at blockchain integrity while software bug said to have been at heart of the matter

NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities

When PoC code is released within a day of disclosure, it's only a matter of time before attacks kick off

Uncle Sam urges action after Black Basta ransomware infects Ascension

Emergency ambulances diverted while techies restore systems

Encrypted mail service Proton hands suspect's personal info to local cops

Plus: Google patches another Chrome security hole, and more

US faith-based healthcare org Ascension says 'cybersecurity event' disrupted clinical ops

Sources claim ransomware is to blame