Hacker arrested for 2014 UPMC data breach involving 65K employees

A 29-year-old hacker has been indicted and arrested for allegedly hacking the University of Pittsburgh Medical Center's (UPMC's) human resources database back in 2014.

Justin Sean Johnson, also known on the dark web by the monikers "TDS" or "DS," was arrested Tuesday morning in Detroit.

He was indicted by a federal grand jury in Pittsburgh on charges of conspiracy, wire fraud and aggravated identity theft associated with the UPMC hack, the U.S. Attorney’s Office for the Western District of Pennsylvania announced Thursday.

Johnson allegedly stole 65,000 UPMC employees' personal information during the data breach.

Johnson is alleged to have then sold employees’ personally identifiable information (PII) and W-2 information on the dark web, resulting in the filing of thousands of false IRS tax returns. The thefts resulted in approximately $1.7 million in false tax return refunds, prosecutors said.

The 2014 breach did not implicate patient data.

The 43-count indictment, returned on May 20, was unsealed Thursday. The government is trying to detain Johnson until trial.

"Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system," said U.S. Attorney Scott W. Brady in a statement.

"After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud," Brady said.

In a statement emailed to Fierce Healthcare, a UPMC representative said: “We appreciate the diligent and thorough work of the U.S. Attorney’s Office for the Western District of Pennsylvania, Internal Revenue Service, U.S. Secret Service, U.S. Postal Inspection Service, Department of Homeland Security Office of Inspector General and all authorities who contributed to solving this case.”

The hack six years ago sparked a long-running legal case after employees sued the health system for negligence and breach of contract. An initial 2015 judgment by a Pennsylvania Common Pleas Court ruled UPMC was not responsible for keeping its information safe.

In 2018, the Pennsylvania Supreme Court ruled the health system is responsible for protecting personal employee data from hackers. That decision by Pennsylvania's highest court overturned two rulings from lower courts that initially threw out the case.

The state Supreme Court also ruled that UPMC may be on the hook for monetary damages if the plaintiffs can prove the health system acted negligently.

According to the indictment, Johnson infiltrated and hacked into the human resource server databases at UPMC in January 2014 and stole sensitive personal information and W-2 information belonging to tens of thousands of UPMC employees.

The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee names and Social Security numbers, prosecutors said.

These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which the conspirators converted into Amazon.com gift cards. These cards were used to purchase Amazon merchandise, which was shipped to Venezuela, according to prosecutors.

Additionally, the indictment alleges that Johnson, from 2014 through 2017, regularly sold other hacked data to buyers on dark web forums that could be used to commit identity theft and bank fraud.

The law provides for a maximum sentence of five years in prison and a fine of not more than $250,000 for the conspiracy to defraud the U.S., 20 years in prison and a fine of not more than $250,000 for each count of wire fraud, and a mandatory 24 months in prison and a fine of not more than $250,000 for each count of aggravated identity theft.