Hacker Arrested and Charged Over the 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania reported the arrest of a suspect who was charged with hacking the University of Pennsylvania Medical Center (UPMC) human resources databases in 2014.

UPMC operates 40 hospitals and 700 outpatient sites and doctors’ offices and has more than 90,000 employees. In January 2014, UPMC found out that a hacker had accessed an Oracle PeopleSoft database on a human resources server that contained the personally identifiable information (PII) of 65,000 UPMC employees. The data stolen in the attack was allegedly offered for sale on the darknet. It included names, dates of birth, addresses, salary and tax data, and Social Security numbers.

The suspect was named as Justin Sean Johnson, a 29-year-old from Michigan who formerly worked at the Federal Emergency Management Agency as an IT specialist.

On May 20, 2020, Johnson, who operated under the monikers TDS and DS, was charged with 43 counts: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Allegedly, Johnson hacked into the database, exfiltrated PII, and offered the stolen information for sale to several global buyers on darknet marketplaces like AlphaBay Market. Prosecutors additionally state that, from 2014 to 2017, Johnson sold other PII on darknet forums besides the PII of UPMC workers.

The stolen UPMC PII was eventually used in an extensive campaign to dupe UPMC employees. Hundreds of bogus tax returns were filed in the names of UPMC employees, which prosecutors say led to about $1.7 million in fake refunds being released. Those refunds were converted into Amazon gift cards that were used to buy about $885,000 in goods, most of which were delivered to Venezuela to be sold on online marketplaces.

Two other people were charged in 2017 in connection with the hacking of UPMC:

  • Maritza Maxima Soler Nodarse, a Venezuelan national who pleaded guilty to conspiracy to defraud the United States and was involved in submitting bogus tax returns, was sentenced to time served and deported.
  • Yoandy Perez Llanes, a Cuban national who pleaded guilty to money laundering and aggravated identity theft, is awaiting sentencing in August 2020.

The breach investigation revealed that the hacker first gained access to the OracleSoft database on December 1, 2023. After accessing the database, the hacker performed a test query and accessed the data of roughly 23,500 individuals. Between January 21, 2014 and February 14, 2014, the hacker accessed the database multiple times every day and stole the data of thousands of UPMC employees.

Johnson faces a long prison term if found guilty of the offenses. The conspiracy charge carries a maximum prison term of 5 years and a fine of as much as $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of approximately $250,000 for each count, and aggravated identity theft carries an obligatory 2-year prison term and a fine of about $250,000 for each count.

The healthcare sector is a major target of cybercriminals wanting to steal personal information for use in fraud; the Secret Service is determined to discover and arrest those who participate in offenses that exploit the Nation’s critical systems to turn a profit.

Hackers like Johnson ought to know that the U.S. Secret Service will not stop going after them until they are in custody and held accountable for their crimes.