Authorities Arrest Suspect in 2014 UPMC Data BreachIndictment Describes Hacking of HR Database at Medical Center in Pittsburgh
Authorities have arrested a suspect accused of hacking the University of Pittsburgh Medical Center's human resources database in 2014 and stealing personally identifiable information from 65,000 employees. UPMC owns 40 hospitals plus other facilities.
Justin Sean Johnson, a/k/a "TDS" or "DS", was indicted May 20 on 43 counts, including conspiracy, wire fraud and aggravated identity theft (see Victim Tally in UPMC Breach Doubles). The fraudulent efforts resulted in hundreds of false tax returns being filed and almost $2 million in fraudulent refunds being issued, according to documents filed in the U.S. District Court for the Western District of Pennsylvania.
The indictment was unsealed Thursday and Johnson was arrested in Detroit on Tuesday.
Security blogger Brian Krebs reports that Johnson worked as an IT specialist at the Federal Emergency Management Agency.
"Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest healthcare system," U.S. Attorney Scott Brady says in a statement.
"After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft."
Johnson Faces 43 Counts
Johnson is charged with one count of conspiracy, 37 counts of wire fraud and five counts of aggravated identity theft. Court documents allege Johnson began his operation in November 2013 and continued it through March 2017.
If convicted, Johnson faces a maximum sentence of five years in prison and a fine up to $250,000 for conspiracy to defraud the U.S.; 20 years in prison and a fine up to $250,000 for each count of wire fraud, and a mandatory 24 months in prison and a fine up to $250,000 for each count of aggravated identity theft.
The indictment alleges Johnson hacked into the UPMC human resources database in January 2014 and stole PII and W-2 tax information. This information was then sold on darknet forums and then used by other conspirators to file hundreds of sham tax returns resulting in about $1.7 million in false tax return refunds, prosecutors allege.
Co-Conspirators Plead Guilty
Johnson is at least the third person charged in connection with the UPMC data breach.
In July 2017, Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to one count of conspiracy to defraud the U.S. in connection with filing false U.S. federal tax returns using identities belonging to hundreds of UMPC employees. She was sentenced to time served and deported to Venezuela (see: Second Fraudster Pleads Guilty in UPMC Breach Case).
In April 2017, Yoandy Perez Llanes, a Cuban national, pleaded guilty to money laundering conspiracy and aggravated identity theft in connection with the case. He awaits sentencing on Aug. 18. He was extradited to the U.S. from Venezuela last August.
Prosecutors said Llanes laundered the money using Amazon.com gift cards that Nodase and others used to purchase merchandise, which was then shipped to Venezuela and retrieved by Llanes, Nodarse and others.