Man Gets 7 years In Prison For Hacking 65K Health Care Employees

Justin Sean Johnson, also known as TheDearthStar and Dearthy Star, was sentenced this week to seven years in prison for the 2014 hack of the health care provider and insurer University of Pittsburgh Medical Center (UPMC).

After breaching UPMC’s human resources databases, Johnson stole the Personally Identifiable Information (PII) and W-2 info (including names, Social Security numbers, addresses and salary information) of more than 65,000 employees and sold it on the dark web.

UPMC is Pennsylvania’s largest healthcare provider with over 90,000 employees working in 40 hospitals and 700 doctors’ offices and outpatient sites.

Also Read: Revised Technology Risk Management Guidelines of Singapore

In 2020, Johnson was charged in a forty-three count indictment with conspiracy, wire fraud, and aggravated identity theft. One year later, he pleaded guilty to stealing and selling the PII and W2 info of tens of thousands of UPMC employees.

“Justin Johnson stole the names, Social Security numbers, addresses and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman on Monday.

“Today’s sentence sends a deterrent message that hacking has serious consequences.”

Massive campaign of further scams and theft

Johnson breached UPMC’s network in early December 2013 after hacking the health care provider’s Oracle PeopleSoft human resource management system.

The same day, he gained access to the PII of roughly 23,500 UPMC employees after running a test query on the compromised HR database.

Between January 21 and February 14, 2014, he continued querying the database multiple times per day to steal the PII of tens of thousands of UPMC employees.

Also Read: September 2021 PDPC Incidents and Undertaking: Lessons from the Cases

In 2014 alone, the stolen UPMC employee PII sold by Johnson on the dark web was used by fraudsters to file hundreds of false 1040 tax returns and claim approximately $1.7 million in false tax refunds which were converted into Amazon.com gift cards.

In all, between 2014 and 2017, Johnson stole and sold almost 90,000 additional (non-UPMC) sets of PII data to his dark web clients, who likely used it for identity theft and bank fraud.

“The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” added Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

“Johnson carried out his intricate scheme with no regard for his victims. Today’s sentencing will hopefully be a deterrent to other potential crooks who may be considering carrying out similar conduct.”