The United States Attorney’s Office of the Western District of Pennsylvania has released a statement that confirms a suspect has been arrested and charged in relation to the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).
UPMC manages 40 hospitals and around 700 outpatient sites and doctors’ offices, and employs over 90,000 staff. In January 2014, UPMC discovered a hacker had obtained access to an Oracle PeopleSoft database on a human resources server that included the personally identifiable information (PII) of 65,000 UPMC employees. Data was taken in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.
The suspect has been identified as Justin Sean Johnson, a 29-year-old man from Michigan who was previously employed as an IT specialist at the Federal Emergency Management Agency.
Johnson, who worked using the handles TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson is alleged to have hacked into the database, stolen PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple globally based buyers. Prosecutors also claim that, along with selling the PII of UPMC employees, Johnson sold other PII on darknet platforms between 2014 and 2017.
The PII stolen from UPMC was then used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were submitted in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were transferred into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela. The goods were subsequently sold online.
Two other people were charged in relation to the hacking of UPMC. In 2017, a Venezuelan national, Maritza Maxima Soler Nodarse, pleaded guilty to conspiracy to defraud the United States and had participated in filing fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported, and Yoandy Perez Llanes will be sentenced in August 2020.
The breach investigation found that access to the Oracle PeopleSoft database was first gained on December 1, 2023. After obtaining access to the database, a test query was performed and the data of around 23,500 people was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was illegally taken.
Johnson could be given a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine that could be as high as $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each separate count, and there will be a mandatory 2-year prison term for aggravated identity theft and a fine of up to $250,000 for each count.
Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office, stated, “The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit.”
U.S. Attorney Brady said: “Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.”