A Detroit man is the fourth individual to plead guilty in connection with hacking human resources databases at the University of Pittsburgh Medical Center and stealing the personally identifiable information of more than 65,000 UPMC employees, some of which was used to commit federal income tax fraud.
Court documents say Johnson hacked into the UPMC human resources server databases in 2013 and 2014, stealing sensitive PII and W-2 federal income tax documents for tens of thousands of UPMC employees.
“The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII,” prosecutors say.
These fraudulent 1040 filings resulted in tax refunds, which conspirators converted into Amazon.com gift cards they used to purchase merchandise shipped to Venezuela, prosecutors say.
The criminals filed fraudulent tax returns seeking approximately $2.2 million in refunds; about $1.7 million was actually disbursed, prosecutors said.
Court documents note that Johnson received about $8,000 in bitcoin through selling the stolen UMPC employee data.
From 2014 through 2017, Johnson stole nearly 90,000 additional sets of PII – which could be used to commit identity theft and bank fraud – from sources other than UPMC and sold them to buyers on dark web forums, the Justice Department says.
Johnson is scheduled for sentencing on Sept. 22. He faces a maximum sentence of five years in prison and a fine of up to $250,000 for the conspiracy charge and a mandatory 24-month prison term and a fine of up to $250,000 for aggravated identity theft.
In July 2017, Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the U.S. in connection with filing false U.S. federal tax returns using identities belonging to hundreds of UMPC employees. She was sentenced to time served and deported to Venezuela (see: Second Fraudster Pleads Guilty in UPMC Breach Case).
In April 2017, Yoandy Perez Llanes, a Cuban national, pleaded guilty to money laundering conspiracy and aggravated identity theft. He was extradited to the U.S. from Venezuela in August 2016 and was sentenced in 2017 to time served.
Prosecutors said Llanes laundered the money using Amazon.com gift cards that Nodarse and others used to purchase merchandise, which was then shipped to Venezuela and retrieved by Llanes, Nodarse and others.
Prosecutors say that in April 2017, Justin A. Tollefson of Spanaway, Washington, an enlisted U.S> Army staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using stolen identities of UPMC employees to file four 2014 false federal income tax returns, collectively totaling approximately $56,000 in fraudulent refunds.
“Cyber investigations can be incredibly time-intensive and complex, and it’s great to see the federal government dedicating resources to identify and arrest attackers,” says attorney Michael Borgia, a partner at law firm Davis Wright Tremaine. “However, reading about these prosecutions can be incredibly frustrating because you realize that even after all the work that likely went into this case, it’s just a drop in the cybercrime bucket.”
Many cybercriminals are making millions of dollars and acting with impunity, largely because they are operating in countries that do not have extradition agreements with the U.S., Borgia notes.
“More international coordination will be needed to meaningfully reduce cybercrime, but that’s incredibly difficult,” he says. “Cybercrime is a hugely lucrative business in many countries, and authorities in those jurisdictions have no interest in addressing the problem.”
Class Action Lawsuit
Employees of UPMC whose PII was compromised in the hacking incidents filed a class action lawsuit in 2014, claiming that UPMC failed to take reasonable information security measures to protect its human resources records from unauthorized disclosure.
One of the claims was that UPMC failed to implement adequate security measures to protect the data, including early detection, proper encryption and authentication protocols, says privacy attorney David Holtzman of the consultancy HITprivacy LLC, who was not involved in the case.
“UPMC fought to have the case dismissed, claiming that it was not legally obligated to protect sensitive employee data that it collected and maintained in its information systems,” he says.
“The question was ultimately decided by the Pennsylvania Supreme Court, where, in a groundbreaking decision, it recognized the right in the common law to have one’s data kept secure,” Holtzman says. “Specifically, the court held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer.”
Holtzman notes that many states now require organizations to implement reasonable cybersecurity plans designed to protect individuals’ identification information from unauthorized disclosure.
“Organizations creating or maintaining sensitive personal information should start with performing an enterprisewide risk assessment to identify the threats and vulnerabilities to the confidentiality, integrity and availability to the data,” he says.
“Make it a management imperative in your organization to follow through on investment and attention to information security.”