MI Man Sentenced to 7 Years in Prison for UPMC PII Breach

October 26, 2021 - A Michigan man was sentenced to a total of 84 months of incarceration for hacking the human resources databases of the University of Pittsburgh Medical Center (UPMC) and stealing the personally identifiable information (PII) of over 60,000 of the medical center’s employees.

Chief US District Judge Mark R. Hornak imposed the sentence on Justin Sean Johnson for Conspiracy to Defraud the US and Aggravated Identity Theft.

Johnson, known on the dark web as TheDearthStar and Dearthy Star, hacked into UPMC’s databases between 2013 and 2014 and stole PII and W-2 information, later selling it on the dark web. The purchasers subsequently filed false 1040 tax returns using the stolen PII and made hundreds of thousands of dollars in profits.

Bad actors then converted the tax refund money into Amazon gift cards, which were used to purchase merchandise that was later shipped to Venezuela.

In a separate instance, Johnson sold an additional 90,000 non-UPMC PII records on the dark web between 2014 and 2017, resulting in $1.7 million in false tax return refunds.

“Justin Johnson stole the names, Social Security numbers, addresses and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” Stephen R. Kaufman, acting US attorney, explained in the statement.

“Today’s sentence sends a deterrent message that hacking has serious consequences.”

Many of today’s most successful threat actors work in extremely organized hacking groups and orchestrate large-scale attacks using ransomware. Over 70 percent of ransomware detections in Q2 2021 were credited to the notorious hacking group REvil/Sodinokibi. The group is known to exploit organizations using sophisticated and targeted attacks.

For the healthcare sector in particular, FIN12 ransomware group is currently a major threat to the industry. Research from Mandiant revealed that nearly 20 percent of FIN12’s cyberattacks were targeted at the healthcare sector, and over 70 percent of their attacks were targeted at US-based entities.

The group has been active since at least October 2018, and typically deploys the Ryuk ransomware variant. Health records and personally identifiable information are extremely lucrative on the black market.

“The U.S. Secret Service today sends a message to Justin Sean Johnson and anyone who seeks to conceal their criminal activity in cyberspace and on the dark web that there is no hiding place we cannot find,” Timothy Burke, US secret service Pittsburgh field office special agent, explained in the announcement.

“Information compromise and identity theft victimize not only the individuals whose information is stolen, but also threaten our collective global security. I am immensely proud of the agents involved in bringing a just end to these crimes.”

The US Secret Service, US Postal Inspection Service, Homeland Security Investigations, and the Internal Revenue Service-Criminal Investigation conducted the investigation.