A Michigan man was arrested this week for allegedly stealing personal information from tens of thousands of employees from a prominent Pennsylvania medical center in 2014 and selling that data on the dark web.
Justin Sean Johnson was indicted by a federal grand jury in Pittsburgh on charges of conspiracy, wire fraud and aggravated identity theft related to the 2014 hack of the University of Pittsburgh Medical Center.
UPMC is a $21 billion health care provider in Pittsburgh. It is not only the largest nongovernmental employer in the state, but it's also the largest health care center in Pennsylvania.
Johnson is alleged to have hacked the human resources databases of the medical facility in 2014, obtaining personally identifiable information and W-2 information from 65,000 employees – or every employee at the center.
Prosecutors claim that information was sold to criminals on the dark web, who then used it to file fraudulent tax returns thereby stealing about $1.7 million in tax refunds. Those unlawfully obtained tax refunds were said to have been used to buy products on Amazon, which were shipped to Venezuela.
As previously reported by FOX Business, people often send money abroad in fraud cases as a way of essentially securing the fraud.
"Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system," U.S. Attorney Scott Brady said in a statement. "After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud.”
It is alleged that Johnson sold other individuals’ information online between 2013 and 2017 in similar schemes.
As noted by the Department of Justice, the law provides for a maximum sentence of five years in prison and a fine of not more than $250,000 for the conspiracy to defraud the United States; 20 years in prison and a fine of not more than $250,000 for each count of wire fraud, and a mandatory 24 months in prison and a fine of not more than $250,000 for each count of aggravated identity theft.
The actual sentence imposed would depend on the severity of the offenses and whether the defendant had any criminal history.
FOX Business has reached out to Johnson’s court-appointed attorney for comment.