The US government accused a Michigan man this week of stealing personal information of tens of thousands of workers from a Pennsylvania medical center in 2014 and selling it on the dark web. (Foxbusiness.com)
Justin S. Johnson was indicted by a Pittsburgh grand jury on federal charges of conspiracy, wire fraud, and aggravated identity theft related to the 2014 hack he committed at the University of Pittsburgh Medical Center (UPMC).
UPMC is the largest non-governmental employer in Pennsylvania and provides $21 billion of healthcare in the state each year. It also is the biggest healthcare center in Pennsylvania.
Perp Allegedly Hacked HR Databases
Federal charging documents allege that Johnson hacked the HR databases of UPMC in 2014. He stole personally identifiable information and W-2 information from more than 65,000 employees – every employee at UPMC.
Federal prosecutors say the data was sold on the dark web to criminals, who then used it to file fake tax returns and steal $1.7 million in tax refunds. Those illegal tax refunds were used to buy products on Amazon, which were sent to Venezuela.
The tax filings directed that all of the refunds be issued as Amazon gift cards, which the criminals used to buy electronics. An estimated $885,000 of electronic merchandise, such as games and cell phones, was bought.
It is common for criminals to send money overseas in fraud cases to secure the fraud.
US Attorney Scott Brady stated this week that Johnson is accused of stealing the names, Social Security numbers, addresses, and salary data of every worker at UPMC. After the hack, Johnson sold the personal information on various dark web marketplaces to criminals, who then engaged in a huge campaign of theft and fraud. The theft left tens of thousands of healthcare workers vulnerable to many years of financial fraud.
It also has been alleged that Johnson sold other people's information online from 2013 to 2017 in similar frauds.
Identity Theft Victims Can Be Victimized for Years
Tom Fattorusso, an agent in IRS Criminal Investigation, stated that victims of stolen identification cases such as the 65,000 UPMC employees can be victimized for years by criminals after their information is stolen. He said that fraud victims have to deal with the stress of knowing their personal data is on the dark web and is used to file fake tax returns or sold to other criminals who do the same thing. (Post-Gazette.com)
This causes a tremendous hardship for innocent victims when they attempt to file their own tax returns. Victims also have to deal with many credit problems caused by the illegal activities of fraudsters.
A UPMC nurse whose information was stolen and sold to file fake tax returns said her sense of security has been violated. The nurse said recently that while Johnson’s crime was against the US government and she got her IRS refund money back, she was deeply affected by the invasion of her privacy.
Hack Sparked a Long-Running Legal Case
The hack that occurred in 2014 led to a long-running legal case after UPMC workers sued the healthcare system for breach of contract and negligence. A 2015 judgment by a common pleas court in the state said UPMC is not responsible for keeping workers’ information safe.
The case then moved to the Pennsylvania Supreme Court. The high court had to decide whether UPMC has a legal responsibility to protect the personal information of its workers when it chooses to store their data on a computer network, and whether workers may seek monetary damages if their data is stolen.
The Pennsylvania Supreme Court ruled in 2018 that the healthcare system is responsible for safeguarding workers’ personal information from hackers. That decision by the state supreme court overturned two other rulings from lower courts that had thrown out the case.
The state Supreme Court also stated that UPMC could be on the hook for monetary damages if the plaintiffs can show the healthcare system acted negligently. It is not known at this time if UPMC will end up paying damages in civil liability lawsuits, but the state supreme court decision does open the door to the possibility.
Johnson Faces Years in Federal Prison
Federal law provides a sentence of up to five years in prison and a fine of up to $250,000 for the fraud; 20 years in prison and a fine of up to $250,000 for each count of wire fraud; and at least 24 months in prison and a fine of up to $250,000 for each count of aggravated identity theft.
Johnson’s actual sentence will largely depend on the severity of the offenses and whether he has a criminal history.