Hacker Busted and Charged for the UPMC Cyberattack in 2014

The United States Attorney’s Office for the Western District of Pennsylvania announced the arrest of a person accused of breaching the University of Pennsylvania Medical Center (UPMC) HR databases in 2014.

UPMC runs 40 hospitals and 700 outpatient sites and physicians’ offices and has over 90,000 staff. In January 2014, UPMC learned that a hacker had accessed an Oracle PeopleSoft database on a human resources server, where the personally identifiable information (PII) of 65,000 UPMC staff is stored. The information stolen in the breach was purportedly offered for sale on the darknet. It included names, birth dates, addresses, tax and salary details, and Social Security numbers.

The arrested person is Justin Sean Johnson, a 29-year-old Michigan resident who recently worked at the Federal Emergency Management Agency as an IT expert.

On May 20, 2020, Johnson, who went by the monikers TDS and DS, was charged on 43 counts: one count of conspiracy, 5 counts of aggravated identity theft, and 37 counts of wire fraud. Johnson allegedly hacked the database, copied PII, and sold the stolen PII on darknet marketplaces, including AlphaBay Market, to many international buyers. Prosecutors further claim that, from 2014 to 2017, Johnson offered other PII on the darknet in addition to that of UPMC staff.

The compromised UPMC PII was later used in a massive scheme to defraud UPMC workers. Hundreds of fake tax returns were filed in the names of UPMC workers, which prosecutors state resulted in approximately $1.7 million in fraudulent refunds being paid out. Those refunds were converted into Amazon gift cards that were used to buy approximately $885,000 in goods, most of which were shipped to Venezuela to be sold in online marketplaces.

Two more people were charged in 2017 in connection with the UPMC hacking.
Maritza Maxima Soler Nodarse, from Venezuela, who pleaded guilty to conspiracy to defraud the United States and was involved in filing fake tax returns, was sentenced to time served and deported.
Yoandy Perez Llanes, from Cuba, who pleaded guilty to aggravated identity theft and money laundering, is awaiting sentencing in August 2020.

The breach investigation showed that the hacker first gained access to the OracleSoft database on December 1, 2023. Once inside, the hacker ran a test query and was able to access the information of around 23,500 people. From January 21, 2014 to February 14, 2014, the hacker accessed the database several times daily and stole the information of a huge number of UPMC employees.

Johnson faces a long prison term if he is found guilty. The conspiracy charge carries a maximum of 5 years’ imprisonment and a fine of about $250,000. The wire fraud charges carry a maximum of 20 years’ imprisonment and a fine of as much as $250,000 for every count, and aggravated identity theft carries a mandatory 2-year prison term and a fine of as much as $250,000 for every count.

The healthcare industry is an enticing target for hackers interested in taking personal data for use in scams; the Secret Service is fully committed to uncovering and arresting those who take part in criminal acts that exploit the Nation’s critical systems for their own benefit.

Cybercriminals like Johnson need to realize that the U.S. Secret Service won’t stop chasing them until they’re in custody and pay for their criminal acts.