Michigan Man Arrested for 2014 Hack of UPMC HR Databases and Theft of Employees’ Personal Information

PITTSBURGH, PA – The man who allegedly hacked the human resource databases of University of Pittsburgh Medical Center and stole PII of over 65,000 UPMC employees was arrested Tuesday morning in Detroit, Michigan, United States Attorney Scott W. Brady announced today. Justin Sean Johnson was indicted by a federal grand jury in Pittsburgh on charges of conspiracy, wire fraud and aggravated identity theft associated with the 2014 hack of UPMC. Johnson is alleged to have then sold employees’ Personally Identifiable Information (PII) and W-2 information on the dark web, resulting in the filing of thousands of false IRS tax returns.

The 43-count indictment, returned on May 20 and unsealed today, named Justin Sean Johnson, a/k/a "TDS", a/k/a "DS", 29, originally from Michigan. Johnson made an initial appearance yesterday in Federal Court in the Eastern District of Michigan. The government intends to seek the detention of the defendant pending trial.

"Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system," said U.S. Attorney Brady. "After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud. Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes."

"Investigating identity theft and refund fraud cases is a priority for our office," said Tom Fattorusso, Special Agent in Charge of IRS-Criminal Investigation. "Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly. Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals."

"This case is another example of the commitment of the U.S. Secret Service, IRS-Criminal Investigations, the U.S. Postal Inspection Service, and our other law enforcement partners to investigate and bring to justice individuals who commit complex cyber fraud", said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office. "The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit."

"This investigation was an excellent example of a partnership between law enforcement agencies, working together to bring down a nationwide fraud conspiracy. I fully commend the hard work and countless hours put forth by all of the law enforcement agencies involved, which resulted in bringing this individual and the other co-defendants in this case to justice," stated James Giehl, Acting Inspector in Charge.

According to the Indictment, Johnson, using a dark web moniker identified by an acronym in the Indictment as "TDS" or "DS" in 2014 infiltrated and "hacked" into the human resource server databases at UPMC in January 2014, and stole sensitive PII and W-2 information belonging to tens of thousands of UPMC employees. The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.

Additionally, the indictment alleges that Johnson, since 2014 through 2017, as TDS or DS, regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.

The scheme resulted in approximately $1.7 million in false tax return refunds.

The law provides for a maximum sentence of five years in prison and a fine of not more than $250,000 for the conspiracy to defraud the United States; 20 years in prison and a fine of not more than $250,000 for each count of wire fraud, and a mandatory 24 months in prison and a fine of not more than $250,000 for each count of aggravated identity theft. Under the Federal Sentencing Guidelines, the actual sentence imposed is based upon the seriousness of the offenses and the criminal history, if any, of the defendant.

Assistant United States Attorney Gregory C. Melucci is prosecuting this case on behalf of the government.

Agents from the Internal Revenue Service-Criminal Investigation, the United States Secret Service and the United States Postal Inspection Service conducted the investigation leading to the indictment in this case.

An indictment is an accusation. A defendant is presumed innocent unless and until proven guilty.