A man who orchestrated a cyberattack on Boston Children's Hospital and a treatment facility in 2014 that disrupted operations and cost the facilities tens of thousands of dollars was sentenced Thursday to 10 years in prison.
Infographic: When a breach occurs, the whole hospital is our patient
About the case and the disruptive hacking
Martin Gottesfeld, a computer engineer, was arrested in 2016 while attempting to flee to Cuba with his wife amid a federal investigation into the 2014 hacking. A federal jury last August found Gottesfeld guilty of conspiracy to damage protected computers.
Prosecutors in the case alleged Gottesfeld in March 2014 launched a denial-of-service attack against Wayside Youth & Family Support Network, a residential treatment facility. That attack preceded an April 2014 denial-of-service attack against Boston Children's Hospital. According to Health IT Security, the attack disrupted service at the hospital for two weeks. The Associated Press reports the facilities lost tens of thousands of dollars because of the attacks.
Gottesfeld argued the attacks were not criminal, and were launched to protest the treatment of Justina Pelletier—a teenager who was placed in state custody after her parents rejected Boston Children's Hospital's conclusion that Pelletier's symptoms, which were previously thought to be due to mitochondrial disease, were attributable to a psychiatric problem. Pelletier was a resident of Wayside after she was discharged from the hospital.
Pelletier's parents later regained custody of her.
The sentencing hearing
Gottesfeld's wife, Dana Gottesfeld, said he staged the attacks to protect Pelletier.
At the hearing Thursday, Gottesfeld, who represented himself at the hearing, maintained that his actions were not criminal and said that his "only regret is that I didn't get to Justina sooner." He added that he wished he "had done more" to help the teenager. Gottesfeld called himself a "political prisoner" and maintains that he helped Pelletier and should only be sentenced to time served.
Meanwhile, Assistant U.S. Attorney David D'Addio objected to Gottesfeld's characterization of himself as a hero and asked the judge to sentence Gottesfeld to more than 12 years. D'Addio characterized Gottesfeld as a "self-aggrandizing menace" who has tried to depict himself as a human rights activist. D'Addio said Gottesfeld "committed crimes and today is about holding him accountable."
Judges sentence Gottesfeld to 10 years in prison
U.S. District Judge Nathaniel Gorton ultimately sentenced Gottesfeld to 10 years in prison, calling his crimes "contemptible, invidious, and loathsome."
During the sentencing Gorton told Gottesfeld, "It was your arrogance and misplaced pride that has been on display in this case from the very beginning that led you to believe you know more than the doctors at Boston Children's Hospital," the psychiatrists at the treatment facility and everyone else.
Gottesfeld's wife, Dana Gottesfeld, said that they plan to appeal the sentence, insisting that Gottesfeld's actions were "always about protecting a child" (Durkin Richer, AP/Boston.com, 1/11; Raymond, Reuters, 1/10; Davis, Health IT Security, 1/11).
When a cyberattack occurs, the whole hospital is our patient
Health care organizations are under attack. Vicious threats like ransomware can significantly disrupt or even shut down clinical and business operations at a moment’s notice.
This graphic details how the steps in responding to a clinical crisis mirror one of the most widely used cyber response methods, the SANS Institute’s PICERL approach: preparation, identification, containment, eradication, recovery, lessons learned.