Share this article on:
The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).
UPMC owns 40 hospitals around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.
The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency.
Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: One count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity theft. Johnson is alleged to have hacked into the database, exfiltrated PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple worldwide buyers. Prosecutors also allege that in addition to selling the PII of UPMC employees, between 2014 and 2017 Johnson sold other PII on the darknet forums.
The PII stolen from UPMC was subsequently used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were converted into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.
Two other people were charged in connection with the hacking of UPMC. In 2017, Venezuelan national, Maritza Maxima Soler Nodarse, pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported and Yoandy Perez Llanes will be sentenced in August 2020.
The breach investigation revealed access to the OracleSoft database was first gained on December 1, 2023. After gaining access to the database, a test query was performed and the data of approximately 23,500 individuals was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was stolen.
Johnson faces a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each count and, there will be a mandatory 2-year prison term for aggravated identity theft and a fine of up to $250,000 for each count.
“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office.
“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” said U.S. Attorney Brady.