HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was dispersed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R, Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.