A man from Michigan has been charged with hacking into a medical center's database and stealing the personal information of 65,000 employees.
Federal prosecutors unsealed a 43-count indictment yesterday accusing Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson of illegally accessing data held by the University of Pittsburgh Medical Center (UPMC).
Johnson allegedly hacked into the center's Oracle PeopleSoft database in January 2014 using the nicknames "TDS" and "DS." The indictment accuses the 29-year-old of exfiltrating personal identifying information and tax data belonging to thousands of center staff, then selling it on the dark web for an undisclosed sum.
Data said to have been stolen and sold by Johnson included employees' names, dates of birth, Social Security numbers, addresses, and salary information.
Prosecutors said that over the course of 2017, unidentified conspirators used the exfiltrated data to file hundreds of phony tax returns that claimed approximately $1.7m in false refunds. These returns were then laundered by being converted into Amazon gift cards that were used to purchase goods worth about $885,000 that were shipped to Venezuela and later sold in online marketplaces.
The indictment charges the alleged cyber-criminal with wire fraud, conspiracy, and aggravated identity theft. If he is convicted on all charges, Johnson could spend 20 years locked up in federal prison.
Johnson is being held without bond after being arrested by police in Detroit on Tuesday.
In a statement, the special agent in charge of the US Secret Service field office, Timothy Burke, said: “The health care sector has become an attractive target of cybercriminals looking to update personal information for use in fraud."
UPMC spokesperson Gloria Kreps said identity theft protection monitoring services were provided free to employees affected by the cyber-attack prosecutors have attributed to Johnson.
In an email written to Detroit News, Kreps stated: “At the time of the breach, we helped our employees through the challenge and purchased LifeLock for them for five years for all UPMC employees, 65,000 at that time."
In June 2015, a Pennsylvania judge dismissed a health data breach lawsuit brought against UPMC the year before. The suit was filed by former UPMC employees after a data breach compromised the information of approximately 27,000 members of staff at the center.