Jeffrey R. Luke Sentenced for Stealing Patient Data from Cloud

Jeffrey R. Luke, 42, of Collierville, Tennessee, is headed to federal prison after being convicted of breaking into a secure cloud system to steal sensitive patient records following his firing from a behavioral therapy center. The ex-employee’s digital heist targeted confidential files from Transformations Autism Treatment Center (TACT) in Bartlett—data meant to stay locked down and out of reach.

After Luke was terminated in February 2017, TACT administrators moved fast to lock him out—changing passwords and revoking access to their password-protected Google Drive, where patient files were stored. But by March, alarms went off when the clinic’s IT specialist discovered that the employee login email had been compromised. Someone had wormed their way back in. Investigators traced the intrusion to an IP address registered at Luke’s home.

Federal agents executed a search warrant and found the proof: TACT patient records, assessment forms, and internal templates were stored on Luke’s computer hard drive. The digital footprint was undeniable—he’d accessed and copied files long after losing authorization. The breach exposed personal information of vulnerable individuals, including children undergoing autism treatment.

On March 2, 2018, U.S. District Judge John T. Fowlkes, Jr. handed down a 30-month federal prison sentence, followed by three years of supervised release. Luke was also ordered to pay $14,941.36 in restitution to cover damages caused by the unauthorized access and data theft.

“With new and ever-changing technology, criminals are using more creative and disturbing ways to commit cyber-crimes against vulnerable victims, including identity theft,” said U.S. Attorney D. Michael Dunavant for the Western District of Tennessee. “This case demonstrates the commitment and ability of the U.S. Attorney’s office, working with our federal and local law enforcement partners, to detect compromises of personal and sensitive information and hold offenders accountable for such fraudulent schemes.”

The FBI and Bartlett Police Department led the investigation, unraveling the digital trail that led straight to Luke. Assistant U.S. Attorney Deb Ireland prosecuted the case, underscoring the growing threat of insider cyber threats in healthcare—where trust is broken not with a gun or a mask, but with a keystroke and a stolen login.