Michigan Man Pleads Guilty to Theft and Sale of PII of UPMC Employees

A Michigan man has pleaded guilty to hacking into University of Pittsburgh Medical Center human resources databases in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 data of 65,000 UPMC employees.

Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT specialist known on darknet forums as The DearthStar and Dearthy Star. 6 years after hacking the databases and selling stolen data, Johnson was indicted by a federal grand jury in Pittsburgh and was arrested and charged with conspiracy, wire fraud, and aggravated identity theft.

Johnson initially hacked the Oracle PeopleSoft HR database of UPMC in December 2013 and accessed the PII of 23,500 UPMC employees. Between January 2014 and February 2014, Johnson accessed the databases multiple times each day and exfiltrated PII. Johnson then sold the stolen data on darknet marketplaces such as AlphaBay to criminals who used the data in 2014 to file hundreds of fraudulent 1040 tax returns.

According to a Department of Justice press release, the scheme resulted in fraudulent tax refunds being paid by the IRS totalling approximately $1.7 million. The tax refunds were converted to Amazon.com gift cards that were used to purchase high value goods that were shipped to Venezuela. Johnson was paid approximately $8,000 in Bitcoin for the stolen UPMC employee data.

In addition to the theft and sale of UPMC employee PII, between 2014 and 2017 Johnson stole and sold around 90,000 sets of PII on darknet forums. That information was subsequently used to commit identity theft and bank fraud.

Johnson recently pleaded guilty to 2 counts of a 43-count indictment and now awaits sentencing. Johnson faces a maximum jail term of 5 years and a fine of up to $250,000, together with a mandatory 24-months in jail and a fine of up to $250,000 for aggravated identity theft.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” U.S. Secret Service Special Agent in Charge Timothy Burke.

Three other individuals have pleaded guilty to crimes committed in relation to the scheme. Maritza Maxima Soler Nodarse from Venezuela pleaded guilty in 2017 to conspiracy to defraud the United States in relation to the filing of fraudulent tax refunds. Yoandy Perez Llanes from Cuba pleaded guilty in 2017 to purchasing Amazon.com gift cards to launder the money. Justin. A. Tollefson of Spanaway, WA pleaded guilty in 2017 to the use of stolen identities to file fraudulent income tax returns.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.