Justin Sean Johnson was apprehended in Detroit this week

Suspect behind 2014 UMPC healthcare data breach arrested

The man who allegedly hacked into the human resource databases of University of Pittsburgh Medical Center (UPMC) and stole data relating to more than 65,000 employees was arrested this week.

Justin Sean Johnson, 29, was arrested in Detroit, Michigan, on June 16 and indicted by a federal grand jury in Pittsburgh on charges of conspiracy, wire fraud, and aggravated identity theft associated with the 2014 hack of UPMC.

As outlined in a press release from the US Attorney’s Office for the Western District of Pennsylvania, Johnson is alleged to have then sold employees’ personally identifiable information (PII) on the dark web, resulting in the filing of “thousands of false IRS tax returns”.

“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses, and salary information of every employee of Pennsylvania’s largest healthcare system,” said US attorney Scott Brady.

Multiple charges

According to the 43-count indictment that was unsealed this week, Johnson is alleged to have gained unauthorized access to the UPMC human resource server databases in January 2014.

He is accused of stealing sensitive PII, including W-2 tax return information, belonging to tens of thousands of UPMC employees.

“Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft,” said Brady.

“His theft left over 65,000 victims vulnerable to years of potential financial fraud. Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.”

False filings

After Johnson sold the information, “hundreds” of false tax returns were filed using UPMC employee data, the Department of Justice said.

These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which were converted into Amazon.com gift cards.

These gift cards were used to purchase Amazon merchandise, which was shipped to Venezuela.

“The scheme resulted in approximately $1.7 million in false tax return refunds,” the DoJ said.

If found guilty, Johnson faces a maximum sentence of five years in prison and a fine of not more than $250,000 for the conspiracy to defraud the US; 20 years in prison and a fine of not more than $250,000 for each count of wire fraud; and a mandatory 24 months in prison and a fine of up to $250,000 for each count of aggravated identity theft.

READ MORE WeTransfer banned in India over supposed national security concerns