Justin Sean Johnson, a 30-year-old from Detroit, Michigan, has pleaded guilty to stealing the personally identifiable information (PII) of 65,000 employees of health care provider and insurer University of Pittsburgh Medical Center (UPMC) and selling it on the dark web.
UPMC is Pennsylvania’s largest health care provider, with more than 90,000 employees in 40 hospitals and 700 doctors’ offices and outpatient sites.
Johnson (also known on the dark web as ‘TheDearthStar’ and ‘Dearthy Star’) was charged with conspiracy, wire fraud, and aggravated identity theft in a forty-three-count indictment filed last year, in May 2020.
“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” U.S. Attorney Brady said in a press release issued in June 2020, after his arrest.
“After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft.”
Data of tens of thousands stolen within one month
Johnson initially infiltrated UPMC’s HR database network in early December 2013 by hacking the company’s Oracle PeopleSoft human resource management system.
On the same day, he accessed the PII of approximately 23,500 UPMC employees after running a test query on the breached HR database.
Between January 21 and February 14, 2014, he continued accessing the database multiple times per day remotely to exfiltrate the PII of tens of thousands of UPMC employees.
Johnson sold the data he stole on dark web marketplaces like Evolution and AlphaBay Market to buyers who used it to fraudulently file Form 1040, 1040, and 1040EZ federal income tax returns.
According to the indictment, the fraudulent tax refunds, which amounted to $1.7 million in unauthorized federal tax returns, were later converted into Amazon gift cards used to buy Amazon merchandise that got sent to Venezuela via Miami reshipping services.
Johnson deposited the cryptocurrency he bought using the monies obtained by selling the stolen UPMC employees’ data into a Coinbase account.
Besides selling the PII of roughly 65,000 employees from UPMC’s breached HR databases, Johnson also stole and sold almost 90,000 additional (non-UPMC) sets of PII between 2014 and 2017, all of it potentially used by the buyers to commit identity theft and bank fraud.
Detained pending sentencing
Johnson is facing a maximum sentence of five years in prison and a fine of up to $250,000 for conspiracy to defraud the United States, as well as a mandatory two years in prison and a fine of up to $250,000 for each count of aggravated identity theft.
According to a DOJ press release, the investigation leading to Johnson’s prosecution was conducted by agents from the Internal Revenue Service-Criminal Investigation, the United States Secret Service, the United States Postal Inspection Service, and Homeland Security Investigations.
Johnson remains detained pending sentencing, as the Court ordered after his guilty plea was filed last week.
“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” U.S. Attorney Brady said last year.
“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” U.S. Secret Service Special Agent in Charge Timothy Burke added.