A federal court has approved a multi-million-dollar settlement between the University of Pittsburgh Medical Center (UPMC) and its employees over a data breach that occurred almost seven years ago. Under the settlement, UPMC will pay a total of $2.65 million to employees whose personal data was stolen by Justin Sean Johnson, a former IT specialist at the Federal Emergency Management Agency. Johnson, a Detroit resident operating under the aliases TDS and DS, gained access to UPMC's Oracle PeopleSoft human resources database in 2013 and 2014 and stole sensitive personally identifiable information and W-2 data belonging to UPMC employees. The stolen records included names, addresses, salaries, Social Security numbers, and bank account information, leaving the victims exposed to follow-on attacks such as identity theft, identity fraud, phishing, and social engineering.
Johnson sold the information on dark web forums to other cybercriminals, who used it to file fraudulent tax returns and commit identity fraud. According to the Department of Justice, hundreds of false Form 1040 returns were filed in 2014 using the stolen employee data, claiming hundreds of thousands of dollars in fraudulent refunds; the scheme ultimately cost the IRS $1.7 million. Johnson was arrested in June 2020 and pleaded guilty in May 2021 to counts 1 and 39 of a 43-count indictment. Following the breach, a class-action lawsuit was filed against UPMC alleging that the institution had been negligent and had failed to comply with industry standards for data security.