Maximum 7-Year Sentence for University of Pittsburg Medical Center Hacker

A Michigan man who hacked into the human resources databases of University of Pittsburg Medical Center (UPMC) and stole the personally identifiable information (PII) of 65,000 UPMC employees has received the maximum sentence and will serve 84 months in jail for the offenses.

Sean Johnson, from Detroit, hacked the databases of UPMC in 2013 and 2014 and exfiltrated PII including tax information which he sold on hacking forums to identity thieves. According to the U.S. Department of Justice, Johnson also hacked other companies and stole the PII of an additional 90,000 individuals, which was also sold on darknet marketplaces under his online names TheDearthStar and Dearthy Star.

The stolen PII was used by Johnson’s co-conspirators to file fraudulent tax returns in the names of UPMC employees and others totaling around $2.2 million, $1.7 million of which was paid in tax refunds. Johnson’s co-conspirators converted the funds to Amazon gift cards, which were used to make high-value purchases, with the goods shipped to Venezuela. In addition to Johnson, three individuals were arrested and charged for their roles in the illegal activities.

In April 2017, Yolandy Perex Llanes, a Cuban national, was extradited to the United States and pleaded guilty to money laundering and aggravated identity theft. In 2017, he was sentenced to 6 months of time served. Venezuelan national, Maritza Maxima Soler Nodarse, was arrested and pleaded guilty in July 2017 to conspiracy to defraud the United States and was sentenced to 16 months of time served and was deported to Venezuela.

Justin A. Tollefson of Spanaway, Washington, was arrested and pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. Tollefson had purchased the stolen data on a darknet marketplace. He was arrested before any funds were received and escaped a prison sentence, instead he received 3 years of probation in 2017.

Johnson was arrested and pleaded guilty to the hacking charges, and while a guilty plea often results in a shorter sentence, that proved not to be the case. Chief United States District Judge Mark R, Hornak opted for the maximum jail term due to the severity of the offenses, which was a 60-month jail term for the hacking plus the mandatory 24-month consecutive jail term for aggravated identity theft.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”