Hacker Arrested For Stealing, Selling PII Of 65k Hospital Employees
29-year-old Michigan man Justin Sean Johnson was arrested earlier this week for allegedly being behind the 2014 hack of the health care provider and insurer University of Pittsburgh Medical Center (UPMC), stealing the PII and W-2 information of over 65,000 employees, and selling it on the dark web.
Pittsburgh-based UPMC is Pennsylvania’s largest healthcare provider with over 90,000 employees, integrating 40 hospitals and 700 doctors’ offices and outpatient sites.
Johnson, aka “TDS” and “DS”, was charged in a forty-three count indictment with conspiracy, wire fraud, and aggravated identity theft.
“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” U.S. Attorney Brady said in a press release.
“After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft.”
Info of tens of thousands of employees stolen within a month
According to the indictment, Johnson purportedly initially infiltrated UPMC’s HR database network around December 1, 2013, by hacking the company’s Oracle PeopleSoft human resource management system.
On the same day, he ran a test query on the HR database which resulted into the PII of roughly 23,500 UPMC employees being accessed.
Between January 21 and February 14, 2014, he supposedly continued remotely accessing the HR database multiple times per day to steal the PII of tens of thousands of other UPMC employees.
Johnson sold the stolen data on darknet marketplaces like AlphaBay Market and Evolution, who later used it to fraudulently filed Form 1040, 1040, and 1040EZ federal income tax returns which allowed them to claim thousands of dollars in false tax refunds.
These tax refunds, which amounted to $1.7 million in unauthorized federal tax returns, were converted into Amazon gift cards, later used to buy Amazon merchandise that got sent to Venezuela using Miami reshipping services.
“Additionally, the indictment alleges that Johnson, since 2014 through 2017, as TDS or DS, regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud,” a Department of Justice press release says.
Johnson deposited roughly $8,258.97 worth of cryptocurrency bought with the monies obtained by selling the exfiltrated UPMC employees’ data into a Coinbase account.
Tens of years in prison if found guilty
According to an indictment memorandum, if found guilty, Johnson faces a maximum sentence of five years in prison and a fine up to $250,000 for conspiracy, 20 years in prison and a fine of up to $250,000 for each count of wire fraud, and a mandatory 2 years in prison and a fine of up to $250,000 for each count of aggravated identity theft.
Per the DoJ press release, the defendant is presumed innocent until proven guilty in a court of law.
“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” U.S. Attorney Brady concluded.
“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” U.S. Secret Service Special Agent in Charge Timothy Burke added.