United States Attorney Carol C. Lam announced that Jon Paul Oson was arraigned today in federal court in San Diego on federal computer hacking charges. Mr. Oson was named in a sealed indictment handed up by a federal grand jury on Friday, August 25, 2006, charging him with two counts of intentionally damaging protected computers. Among other things, as summarized below, Oson is alleged to have deleted patient data of the North County Health Services clinic (“NCHS”), which data was stored at the facilities of Oson’s former employer, the Council of Community Health Clinics (“CCC”), in San Diego. In addition to causing financial losses at CCC, NCHS and other CCC member clinics, the deletion of the data caused patient care at NCHS to suffer. Mr. Oson was arrested on Friday following the issuance of a warrant for his arrest and the indictment was unsealed upon his initial appearance and arraignment before United States Magistrate Judge Nita L. Stormes today.

According to the indictment and other court records, Oson was employed as a network engineer and as technical services manager for the Council of Community Health Clinics from May 2004 until October 2005. CCC is a non-profit organization that provides a variety of services to its membership, consisting of seventeen Community Health Clinics located in San Diego and Imperial Counties. The largest member clinic is North County Health Services. NCHS used CCC’s information technology services to host and manage its Practice Management system. The Practice Management system consists of a variety of software applications that reside on several computer servers at CCC. This software is used by NCHS for billing, scheduling of patient appointments and for tracking medical information of NCHS patients, including diagnosis, treatment plans and case history. NCHS, like the other member clinics of CCC, provides medical services to the poor, the uninsured and the under insured.

Mr. Oson’s resignation from CCC followed a performance evaluation that he perceived as negative. That may have provided the motive for his attack upon the CCC network. As charged in the indictment, on December 23, 2005, Oson accessed without authority the CCC network and disabled the automatic process that created backups of the patient data for the NCHS Practice Management system. On December 29, 2005, Oson attacked the CCC system again and systematically deleted data and software on several CCC servers, including the patient data for NCHS. In addition to attacking the servers that hosted Practice Management, Oson deleted and attempted to delete data and software used for electronic mail and used by other clinics. Although patient data for other clinics was deleted, those clinics were not as reliant on technology as NCHS. Consequently, their day to day activities were not as disrupted.

According to Assistant United States Attorney Mitch Dembin, who is prosecuting the case, court filings indicate that Oson was identified as the source of the attacks, in part, by reconstruction of the computer logs left after the attack. The logs reflected certain attributes of the attacker’s computers that tied those computers to Oson.

U.S. Attorney Lam said, "This was a callous crime against innocent patients; Mr. Oson didn’t care who he was hurting or how badly he hurt them."

FBI Special Agent in Charge Daniel R. Dzwilewski commented, "As a former employee of the Council of Community Clinics, Mr. Oson's actions not only caused over $700,000 in damages, but negatively impacted medical treatment for dozens of patients. Such vicious acts of vandalism, both physical and cyber-based, will not be tolerated by law enforcement."

This case was investigated by Special Agents assigned to the Cybercrime Squad of the San Diego Division of the Federal Bureau of Investigation. Bail was set in the amount of $75,000 which must be cosigned by two financially responsible persons and Mr. Oson will next appear on September 5, 2006 before the Honorable Thomas J. Whelan, United States District Judge for motion setting.

DEFENDANT

Case Number: 06cr1875-W Jon Paul Oson

SUMMARY OF CHARGE

Two Counts - Title 18, United States Code, Section 1030(a)(5)(A)(i) - Intentionally Damaging a Protected Computer
Maximum Penalty: 10 years’ imprisonment and $250,000 fine per count

AGENCY

Federal Bureau of Investigation

An indictment itself is not evidence that the defendant committed the crimes charged. The defendant is presumed innocent until the Government meets its burden in court of proving guilt beyond a reasonable doubt.