Federal prosecutors Thursday unsealed an indictment accusing a Detroit man of hacking a University of Pittsburgh Medical Center database and stealing the personal information of more than 65,000 employees. Justin Sean Johnson, 29, using the nicknames “TDS” and “DS,” infiltrated human resource server databases in January 2014, stole personal and tax information belonging to employees and sold the data on the dark web, according to the indictment.
Through 2017, unidentified conspirators used the employees’ Social Security numbers, addresses and salary information to file hundreds of false tax returns that claimed approximately $1.7 million in false refunds, prosecutors said. The returns were converted into Amazon gift cards spent on merchandise ultimately shipped to Venezuela.
The indictment charges Johnson with conspiracy, wire fraud and aggravated identity theft. If convicted, Johnson faces up to 20 years in federal prison. Johnson was arrested Tuesday in Detroit and is being held without bond. His court-appointed lawyer, Benton Martin, declined comment Thursday.
“The health care sector has become an attractive target of cybercriminals looking to update personal information for use in fraud,” said Timothy Burke, Special Agent in Charge of the U.S. Secret Service field office in Pittsburgh, in a statement. In another statement, medical center spokeswoman Gloria Kreps praised investigators and said employees were provided identity-theft protection monitoring.
“At the time of the breach, we helped our employees through the challenge and purchased LifeLock for them for five years for all UPMC employees, 65,000 at that time,” Kreps wrote in an email.