Pfizer Alleges Worker Took COVID Vaccine, Trade Secrets


Notification of Breach, COVID-19, Endpoint Security

Experts say case highlights challenges of protecting intellectual property

Marianne Kolbasuk McGee (InfoSantéSec) •
November 29, 2021

Pfizer has filed a lawsuit against a former employee, alleging that she downloaded thousands of files containing confidential information and trade secrets relating to the company’s vaccines and drugs, including its COVID-19 vaccine, to personal devices and accounts, potentially to be provided to her new employer, a competing biopharmaceutical company.


In a lawsuit filed Nov. 23 in federal court in California, New York-based Pfizer alleges that Chun Xiao “Sherry” Li, over several days in late October, downloaded more than 12,000 files – including confidential company documents – from her Pfizer laptop to a personal Google Drive account and other personal devices. The complaint alleges that Li had informed Pfizer that she planned to quit on November 24, and Pfizer believed that she was planning to join Xencor Inc., a competitor based in Monrovia, California.

“Going out the door, [Li] transferred over 12,000 files to personal accounts and devices, dozens of which contain Pfizer confidential information and trade secrets, and attempted to cover her tracks on several occasions,” the lawsuit alleges.

Li “went so far as to provide Pfizer’s security team with a decoy laptop, which led Pfizer to believe it was the one she used to download the 12,000 files from her Google Drive account. Forensic analyses confirmed that this was not the case, and Li – or someone else… – probably remains in possession of the actual computer that contains these files,” the complaint alleges.

Pfizer’s complaint states that Li was hired in 2006 and served as associate director of statistics at Pfizer’s global product development group at Pfizer’s facilities in La Jolla, California.

The Pfizer lawsuit has also been filed against five other as yet unnamed defendants, who Pfizer says “are individuals or companies who acted or are acting in concert with Li” in connection with the misappropriation, acquisition or disclosure of Pfizer trade secrets and confidential information, in violation of federal and state laws.

Among other demands, the company in its lawsuit seeks a temporary injunction to prevent Li from disclosing or transmitting confidential information or Pfizer trade secrets while Pfizer initiates arbitration proceedings under the terms of a confidentiality agreement from Li’s employment with Pfizer.

Case allegations

In its complaint, Pfizer says that as part of its monitoring of employee activity on company devices, the company’s security team discovered on October 29 that between October 23 and October 26, while “away from the office,” Li transferred over 12,000 files from her Pfizer laptop to an online Google Drive account.

“Pfizer immediately initiated a digital review of Li’s e-mail, file access and Internet activity on her Pfizer-issued laptop,” the complaint states. An investigation into Li’s Pfizer email account revealed that she had interviewed with Xencor and received a job offer from Xencor, according to the lawsuit.

Pfizer’s human resources, security and digital forensics staff spoke to Li twice on October 29, according to the lawsuit.

In the first conversation, Li admitted to transferring the files, claiming that she did so because she wanted to organize her files offline and have them for her personal use, and that she did not copy the files elsewhere, the complaint alleges.

“A few hours later, Pfizer’s digital forensics staff had a second conversation with Li via video conference. In between the two conversations, Li logged into her Google Drive account and deleted all the files stored there,” the complaint states.

During the second conversation with Pfizer later that day, Li revealed that she had deleted all files from her Google Drive account. Pfizer staff then requested that Li go to Pfizer’s La Jolla office on November 1 to hand over her external hard drive and personal laptop for inspection, according to the lawsuit.

Li expressed reluctance to provide her personal laptop, explaining that it contained personal information, but ultimately agreed to do so. Later that night, Pfizer staff disabled Li’s access to Pfizer’s systems, her laptop and her badge, the lawsuit says.

When Li walked into Pfizer’s La Jolla office on November 1 to return her Pfizer laptop, she also provided a personal laptop “which she led Pfizer to believe” was the one she had used to download Pfizer documents from her Google Drive to her external hard drive, as well as the external hard drive itself, according to the complaint.

Pending completion of Pfizer’s forensic analysis of the devices, Pfizer placed Li on paid administrative leave. “The forensic examination of Li’s devices revealed that Li … provided Pfizer with a personal laptop computer other than the one she used to download the 12,000 files,” the complaint alleges.

“The forensic analysis also revealed that the laptop that Li provided to Pfizer had hardly been used during the week of October 25 when the downloads took place, corroborating that she most likely used a different laptop to start the downloads… indicating that another unknown laptop probably contains the 12,000 files she downloaded,” the lawsuit alleges.

“Since Li is leaving Pfizer to start working for a competitor … and appears to remain in possession of Pfizer’s trade secret and confidential information, Pfizer has no choice but to take this action and seek a temporary injunction against her.”

Pfizer statement

In a statement provided to Information Security Media Group, Pfizer said it was investigating and pursuing civil action against an employee who it said inappropriately uploaded thousands of documents prior to a planned exit from the company.

“Pfizer takes the protection of sensitive and confidential information very seriously. Protecting this information is essential to scientific innovation, ultimately enabling us to deliver breakthroughs to patients,” the company says.

Neither Li nor Xencor immediately responded to ISMG’s requests for comment.

Ongoing challenges

Some experts say the Pfizer case highlights the challenges many companies face when it comes to intellectual property.

“Corporate espionage by competitors or foreign countries on state-owned enterprises is a very real problem for companies,” said former federal prosecutor Andrew Wirmani, a lawyer at the law firm Reese Marketos LLP.

“To avoid the potentially devastating consequences of this and similar crimes, it is important that companies have strict policies that restrict how employees handle confidential information and trade secrets and an active IT department that ensures that these policies are being followed,” he said.

Wirmani, who is not involved in the Pfizer case, notes that, so far, it is difficult to say for sure whether the pandemic, or organizations having more employees working from home, has had a direct impact on these types of suspected corporate trade secret theft problems.

“Since most information is digital these days, employees can abuse confidential information from their offices as easily as they can from their homes,” he says.

“And where an employee works has little to do with an employer’s ability to monitor their use of digital devices,” he says.

However, given that the pandemic appears to have led more employees to change jobs, “this could certainly increase the number of employees attempting to hijack confidential information for the benefit of their new employers.”

Detection tools

Regulatory attorney Rachel Rose says the use of monitoring tools, such as those that apparently helped Pfizer quickly detect the alleged transfer of sensitive files in its case involving Li, is increasingly critical for organizations in their defense against many types of threats.

“As you can imagine, a pharmaceutical company, a medical device company, a healthcare system or a biotech company has a lot of stakes in terms of intellectual property, ransomware attacks and data exfiltration,” she says.

Depending on the circumstances of the Pfizer case, for example if the information allegedly collected by Li contained personally identifiable patient information or protected health information – and to whom potential disclosures were made – the incident could also trigger HIPAA breach notification and other reporting obligations for Pfizer, Rose notes.
