Former Florida Department of Health data scientist Rebekah Jones is facing a felony charge after turning herself on a warrant related to unauthorized computer access.
Former Florida Department of Health data scientist Rebekah Jones is facing a felony charge after turning herself on a warrant related to unauthorized computer access.
Former Florida Department of Health data scientist Rebekah Jones is facing a felony charge after turning herself on a warrant related to unauthorized computer access.
ID#: 2562 Warent# 00st 1 CF 125
In the County Court Ageney Ciae "TBs
Leon County, Florida’ : ee
Offenses against users of
puters (F3)
102184 15 -ANIOS2b-” ~ yggrea of Gree os
COMPLAINT Statute No. . 818.06
Hittin
FLORIDA
Charge
(a)
STATE OF FLORIDA °
vs.
Rebekah Danielle Jones:
Defendant
Address
IN THE. NAME AND BY THE AUTHORITY OF THE
STATE OF FLORIDA
Before me, thé undersigned authorty, personally appeared Spacial Agent Noel Pratts who, being first duly sworn
says that onthe 10-day of November "AD. 2020. in Leon County, Florida, the eforesaid deferidant
willfully, knowingly, and without authorization or exceeding authorization access or caused to be accessed any
computer, computer system, ‘computer network, or electronic device with knowledge that suich access is.
unauthorized’ or the manner:of use exceeds authorization Florida State Statute 615.06 (2}(a).
‘contrary to Sec., 815.06 (2y{a)
Contrary {o the'statute, rule regulation of ether provision of law in such case made and provided, and against the peace and
dignity of the State of Florida,
Complainant
‘Address
‘Sworn to and subscribed before me this £4 dayor Fusery 2026p
(LEO
Judge, Assistant State Attomey of Notary Pubic
‘SEALIi: 2562 Pr IAWsIy>s
2 .CFIIS
FSS 815.06(2){a) Offenses against users of computers, computer systems, computer networks,’ and
electronic:devices (F3)
if 129
Section 1
A: Your Alfant, Noel Pratts (hercafter veferred to’ as “Affiant’) is @ Special Agent sith:
Department of Law Enforcement (FDLE) assigned tothe Tallahassee Regional Operations Genter (TRDC) {~
Cyber High/Tech Crime Squad. Your Affiant has 18 total years of law enforcement experce ‘with 13»
Years of criminel investigative exper‘ence. Your fiat is certified axa Cyber Crimes inggatigetor te -
National White-Collar Crime Center (NWC3} Board of Directors and has successfully copipléted trating
Specific to’ Cyber-Crime “including but. not limited ‘to, Federal Bureau of Investigatians (FB) Cyber
Intrusions, F's Explotig Network Communications, NW3C Basic Network Intrusion Investigations, SANS
Introduction to:information Security, and Comp TIA Network+. Your Affiantis2 credentialed member of
the FBI Cyber Tesk Force based our of the FB! Jacksonville Field Office. This FBI task force is comprised of
federal and state law enforcément agencies engaged in the investigation of computer réleted crimes
involving cyber intrusion. As 2 Speciat Agent with FDLE, your Afflant is authorized to investigate violations
of Florida criminal statutes,
Section2
‘At Count 1:0n November 10, 2020, at approximately 24:20:20 (UTC -0500) and 14:42:36 (UTC -0500),
Rebekah Jones (hereafter referred to as “Jonés") did violate Florida Stati Statute 815.06 (2)(a) by wilfully,
knowingly, and without authorization or exceeding authorization access or caused to be accessed any
computer, computer system, computer network, or electronic device with knowledge that such access is
unauthorized or the manner of use exceeds authorization.
Section
Probable cause
Ai To Wit: On November 10, 2020, Assistant Special Agent in Charge (ASAC) Keith Witmer from the Florida
Department of Law Enforcement (FOLE) Tallahassee Regional Operations Centér (TROC) advised your
Affiant to cofttact Otis Aaron, Public Health Advisor for CDC to the Florida Department of Health's Bureau
‘of Preparedness and Response regarding @ possible network intrusion to their ReadyOP system: Your
Affiant contacted Mr. Aaron and learied that there wes an unauthorized access of an account from a
depaitmental application used and operated by the Florida Department of Health {FOOH). During this
‘unauthorized access, a mass text message was sent. FDOH estimates that the message wos delivered to
‘approximately 1750,people before the software vendor was able to stop the message. The message read:
“"t's time to speak up before another 17,000 people are dead, You know this is wrong, You don’t have to
he part ofthis: Bea hero. Speak out before it's too late. -From StateESFS. Planning,” This message carried
a time stamp of 11/10/2020 at 14:44:54 (UTC -0500}.
8; Your Affiant requested from FOOH the technical history IP logs for the time freme surrounding the text
message including all users accessing the multi-user group “StateESF8.Planning” on ReadyOp, The multi-
ser group State ESF8. Planning isthe state's emergency management support functions. The functions of
SF8 Js Public Health & Medical. ESF8 coordinates the state’s health end medicel resources, capablities,ID#: 2562
and capacities. They provide the means for public health response, triage, treatment, and transportation.
Some examples of ESF8 missions are Health & Medical Assessment Team Deployment, Medical Supply
Deployment and Support for Healthcare facilities, Your Affiant reviewed the logs and learned that on
November 10, 2020, the IPve address 2601:4¢1:4000;3a80:286e:3d41: fed:Sc4a logged into the systent at
‘14:20:20 (UTC-0500), aid 14:42:36 (UTC -0500) and sent @ group text at 14:44:54 (UTC -OS00). Utilizing
ar open source search tool, your Affiant determined this IP address to be under the control and domain
of Comcast Cable Commurications.
Further examination of thie ReadyOp SMS text history logs, vihich were provided to your Affiant by FOOH
arid the Vendor ReadyOp, revealed two previous text messages were also sent Gn Novernber 10, 2020.
‘The first massage was sent to Witness Aand read “It’s time to speak out before another 17,000 are dead.
‘Text Rebekah ~From: StateESF8.Planning." This message carried a time stamp of 22/10/2020 at 14:36:16
(UTC -0500)... The second text. message was sent to Witness'B and read “It’s time to speak up before
another 17,000 are dead. ~ From: StateESF8.Planning”. This message carried a time stamp'of 11/10/2020
at 14:38:13 (UTC -0800). According to the FOOH and ReadyOp logs, only three messages were sent
through the'system dn Noventber 20, 2020.
¢: Your Affiant drafted a subpoena that was reviewed and approved by the FDLE Regional-Legal Advisor
(RLA). The purpose of the suopoene was to request that Comcast identify the account holder of the [P
address (referenced in section 3 paragraph 8). The subpoena was reviewed, approved and issued by the
Office of the State Attorney for the 2nd Judicial Circuit. The subpoens was then served.cn Cameast on
November 12; 2020.
D: On November 23, 2020, your Affiant received 2.response to the. subpoena from: Comcast Cable
Communications, In the response, Comcast confirmed that the iP address was under thelr control and
was assigned to an active customer account, Coméast advised in the response that the IP address for the
date and time in question (Section 3-paragraph 8) resolved to the following account:
Subscriber Name: REBEKAH JONES
‘Account Status: Active
IP Assignment: Dynamically Assigned
IP History: See Attached
Esmail User ids: MEE <0 1cast.het
&: With the new information, your Affiant reached-out to FDOH and spoke with Witness A in an attempt
to identify the account holder and determine ifthe subject wais a current or former employee. Witness A
advised that Rebekah Jones was a former employee of FDOK. Your Affiant was later informed by FOOH
‘that Jones was terminated approximately six (6): months prior on May 25, 2020. A sworn affidavit from
Witness A stated the following: “Ms. Jones, 3 former employee of FOOH, was riot authorized to access,ID#; 2562
view, review, edit, or send any messages or any other information through the ReadyOp software system
since her dismissal from FOOH". When employed at-FDOH 2 multi-user account holder had access to
submit responses to forms and surveys, access and update situation reports, access arid updates SpNS
Census Reports, view CHD Contacts lst for ESEB and Comprehensive Emergency Management Plane
(CEMP} reviews, use mobile app, and view mission ready package list. While employed with FOOH, Jones's
role would not have required her to send messages through the ReadyOp system: If, for same unfcrascen
reason, Fones needed to send a message during her employment with FDOH, it would have required prior
supervisor approval.
On December 3rd 2020, your Affiant applied for a search warrant for the residence located at
EEE '0 Tallahassee, Florida 32308. The warrant was submitted to the FOLE RLA, upon approval,
twas forwarded to the Office of the State Attorney for the 2" Sudicial Circuit where it was again reviewed
and approved. The warrant was submitted through the Leon County ewarrants system which ‘assigned it
to Circuit Court Judge Joshua.lM1. Hawkes of the Second Judicial Circuit, Judge Hawkes determined probable
cause existed for the search of the residence and issuéd the search warrant.
G:-On December 7th 2020, at approximately 0830 hours, members from FOLE accompanied by @
uniformed Tallahassee Police Department officer executed the search warrant, During the search warrant
2 Hewlett-Packard (HP) tower computer (hereafter referred to “Exhibit #9") was seized. Inia post-Miranida
interview Jones stated that in her household everyone has thelr own electronic devices and they do not
‘use each other's devices. Jones further stated that she is the sole user of Exhibit 19 a (Hewlett Packer)
desktop, After this statement Jones requested legal counsel and the interview was concluded.
H: Following the search warrant, forensie analysis was conducted on Exhibit #9 by FDLE computer forensic
technicians. This analysis indicated the owner 2s IMM 2 gmail.com with a compute name.of
DESKTOP-96R9EKS. Ouring this forensic analysis it was revealed that Exhibit #9 was the electronic device
responsible for the two. separate accesses to the: FDOH. ReadyOp System based on the forensic
exaimination of the Cookies.
\:.A cookie is « small piece of data stored on the user's computer by the web browser while browsing o
website. Cookies. were designed to ‘be a. reliable mechanism for websites to remember stoteful
information or to record the user's browsing activity.
J: Exhibits #9's logs show two records within the Chrome cookies with a timestamp of November 10, 2020
@ 14:60 hours with a created time of 14:20:19 and record two.on the same date at 14:20:21. it was
‘during this unauthorizéd access Jones exfiltrated data with a created timestamp of 14:32:48.
K: Data exfitration (aka “data extrusion”) is the unauthorized transfer of data from a.computer. The
transfer of data can be manual by someone with physical access to the computer or remotely utilizing
the internet.
L: Forensic analysis on Exhibit #9 reveals that on November 10, 2020, Jones downloaded a file containing
2,945,233 bytes of data from ReadyOp which equates to approximately 600-700 sheets of paper, The file
Jones downloaded was named Roster_contacts.xlsx. This document contained the contact informationID, 2562
for aporoxitnately 19,182 people across the state of Florida. This file contained flersona! Information to
Include first and last ame, organizatkins, titles, countiés located, personal email addresses and phone
nurnbers. In spaaking with several of the affected: persons identified in this file, they advised they
provided to FDOH this persona! Information for emergency contact purposes only and it was notte be
disseminated outside:FDOH ESF.
M;. Computer forensics revealed Jones downloaded:and saved this file (which is FDOM intellectual
Property) to.two different destinations.- One destination was a shared folder on Exhibit #9. The other
destination was ones’s personal Microsoft OrieDrive Storage Service,
Nt OneDrive fs a cloud-based starage service for hosting files. Microsoft OneDrive is 6 way to store, syne
‘and share files in order to re-access them from various devices and focations.
(0; Based on this evidence discovery your Affiant drafted a second search warrant for Jones's personal
OneDrive account. On December 17th 2020 this search warrant was reviewed and approved by the Office
of the State Attorney for the 2 Judicial Circuit and submitted through the Leon County ewarrants system
which assigned it to Lean County Judg@ Ashenaft Richardson who found probable cause existed and issued
the warrartton December 2ist 2020. Your Affiant served this search wartant to Microsoft on this sme
date,
P: On December 31", 2020, your Affiant received the reszonse from Microsoft containing the requested
contents front Jonés’s OneDrive account.
@& Your Affiant confirmed the prior evidence of data éxfiltration (mentioned in Section3 paragraph J) by
locating the FDOH file within Jones's OneDrive account:
R; Further review of the FOOH user access logs showed additional unauthorized access attempts to the
ReadyOp system on November 12th, 2020. It. was deterntined. that 2.different IPve address wes
responsible for the attempted. access... second subpoena was drafted and served to Cavicast in
reference.to these additional access attempts. On. December 11, 2020 the subpoena was served to
Comicast by Vour Afiant. On December 31, 2020, your Afiant recelved the response from Comcast. In
résponse, Comcast réplied that the 1Pv6 acdress associated with the unauthorized access attempts on
November 12, 2020 was assigned to subscriber Rebekah Jones residing at Es The
attempts were blocked by FOOH's increased security settings implemented after the November:20"
incident which now required a two-factor authentication (2FA). 2FA is an extra layer of protection used
{0 ensure the security cf online accounts beyond just username and password,
S; In summary, your Affight Believes. the aforementioned: evidence proves that Rebekah’ jones wes
fesponsible for unauthorized access anid. severat unauthorized aécess attempts to'FDOH systems. The
evidence further proves that during the unauthorized access, Jones exfitrated FDOH intellectual property.(Di: 2662
Qn March 1st 2020, FOOH was designated the lead agenicy to combat the Covld-18 pandemic for the State
of Florida, Governor Ron DeSantis’s Executive Order 20-51 Section 4 states the following: “in accordance
with section 381.0011 {7), Florida Statutes, 1 designate the Florida Departenent of Health as the lead Staté
agency to coordinate emergency response: activities smong the various state agencies and: local
governments. The State Health Officer, or his designee, shall advise the Executive Office of the Governor
‘On the implementation of these emergency. response “activities.” During the. pandemic the State
Emergency Resportse Teams (SERT) grouped into 18 standard Emergency Support Functions (ESFs}. Each
ESF Is comprised of one primary agency and several suoport agencies and organizations. ESF@'s function
is Public Health & Medical. ESF8 coordinates the state's health and medicat resources, capabilities, and
capacities. They provide the means for public health response, triage, treatment, and transportation.
Some examples of ESF8 missions are Health & Medical Assessment Team Deployment; Medical Supply
Deployment and Support for Healthcare fe:
Vital to FOOH's role in carrying out this mandate is the use of an effective data management application
such as ResdyOp’s web-based platform to coordinate Healthcare Provider submhission. and approval
tracking as well as Mission Ready Package Development such as having a Health and & Medical Team.
Deployment. According to FDOH personnel, ReadyOp is to be used strictly for emergency and disaster
situations only. in fact, the ReadyOp system is governed by FDOH's information Security Policy with strict
procedures in place. In order to be granted access to and usé of ReadyOp, FDOH employees are provided
training omits use and procedures. in communicating with FDOH personnel your Affiant learned that these’
acts by Jones are the ony instances they can recall where the ReadyOp emergency messaging system was
abuséd or missed either by accident or in this case, intentionally. As ¢ former employee, Jones was made
aware of these security policies and procedures. Thisis due, in part, to Jones having been assigned to the
ESF:8 group and having access to the group's ReadyO¢ login information.
Jones's actions caused doubt and confusion amongst many of the working groups that share the multi-
user account for ESF-8 Planning and Preparedness és they were unsure whether this message was sent by
official personnel. {talso resuited in personnel with FOOH Information Technology Services having to stop
their. current. work assignments and divert thelr attention to addressing this possible cyber-attack.
Witness B is an ITS Manager with FOOH who stated thet when the message initially went out they
immediately began following protocols related to addressing’ cyber Intrusion or un-authidrized access
into the FOOH network. This included reaching out to the system administrator for ReadyOp to begin
‘working togetiier to address the issue. Witness B stated that “everyone who réceived the message on
our floor started protocol to report the issue ub." According to Witness B, this amounted to approximately
30 (thirty) FOOH employees having to cease their regular duties and begin addressing this incident.
It should be noted that the way FOOH uses ReadyOp to. conduct its business in combating the Covid-19
pandemic'is multi-faceted beyond just a simple messaging system. In fact, RezdyOp, in use by FDOH,
contains sensitive and confidential information to include personal identifying information {such as that
mentioned in section 3 paragraph L) as well as medical and epidemiological records that are exempt from
public record under Florida law.
‘Your Affiant was informed that Jones was not authorized to access the FDOH.ReadyOp system or any
systems pertaining to the Department of Health after her termination on May 25, 2020.ID#: 2562
‘The evidence provés'that tlie defendant, Retiekah Jorias, willfilly, knowingly, arid without authorization
or exceeding authorization, accessed or caused to be accessed any computer, computer systém, computer
network, or electronic device with knowledge that such access is unauthorized or the manner of use
exceeded authorization.
‘The offenses described herein occurred within the legal Boundaries of the State of Florida,
THE PRECEDING IS TRUE 11 KNOWLEDGE OR BELIEF.
SIGNATURE:
AGENCY: FLORIDA DEPARTMENT OF LAW ENFORCEMENT (FDLE).
NOTARIZATION:
SWORN AND SUBSCRIBED BEFORE. aw ves LY DAY or-sMavatd 2021
5A 902 Sao
NOTARY PUBLIC/ASSISTANT STATE ATTO! (leo)
ORDER
‘THIS CAUSE coming before me as a First Appearance Magistrate, and having reviewed
the yp esing affidavil, this court finds:
Probable Cause is Sufficient
Probable Cause is. NOT Sufficient
Leon Courky Judge.
JUDGEID#: 2562 Wertant # Xo (oF IQS
In the County Court Agency Case # ~ 1L85-0058
.: Officer 1D. # 1184
Leon County, Florida “ils. n Ofgnees BgaINeT TSS oF
WARRANT ZL JAN 1S AM IQ: 21 Degree of Charge. F3
Charee, computers (F3)
Statute No. 815.06 Oia
STATE OF FLORIDA
vs.
Rebekah Danielle Jones
Defendant,
Address
IN-THE NAME AND BY THE AUTHORITY OF THE
STATE OF FLORIDA
TO ALL-AND SINGULAR THE SHERIFF'S OF THE STATE.OF FLORIDA:
WHEREAS, @ Complaint hes this ¢ay been filed before me by |__ Special Agent Noel Pratts __- ‘who, being first duly sworn
saysthatonthe _ 10 dayof November VAD, 2020 in Leon County, Florida, the aforesaid defendant
wilfully, knowingly, and without authorization or exceeding authorization access or caused to be accessed any
‘computer, computer system, computer network, or electronic. device with knowlédge that such access is
uniauthorized or the manner of use exceeds authorization Florida State Statute 816,06 (2)(a).
contrary to Sec, 815.06 (2\(a)
‘contrary to the statute, rule, regulation or other provision of law in such case made and provided, and against the peace and
digrity of the State of Florida,
‘THESE ARE, THEREFORE, to commend you f arrest instanter the aforesaid defendant and bring him or her before me to be
deat wath according to law.
Given under my hand and seal this. day of } 4p) 02 { 20,
Vina _ABiiaeuife L
ean Sry tusge Aorerkt Rihrdson———___ (SEAL)
County Court Judge Lean County
EXTRADITION APPROVED:
Yes WARRANTIN THE:COUNTY COURT
LEON GOUNTY, FLORIDA
Received this Warrant on the
‘THE STATE OF FLORIDA, PLAINTIFF and served same on the
vs.
‘by delivering @ tue copy oF same to the within
Rebekah Danielie Jones named defendant,
WARRANT Sheri : ‘County, Florida.
Offenses against users of
computers (F3)
"THE AMOUNT OF BAIL IN-THIS.
CASE 1S HEREBY SET INTHE SUM
OF
dvd
pepeojumop
Sem BJep esoyM
SWUNOIA YIM JOB]UCS ON,
|
'$82008 JeUE]U! ON
Jayndwos 0} sseo0er ON
79Sz ‘#l