Judicial approval has been given to a multi-million-dollar settlement concerning a data breach that happened at the University of Pittsburgh Medical Center (UPMC) seven years ago.
The agreement will see UPMC pay $2.65m to 66,000 employees whose personal data was pilfered by former Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson.
Detroit resident Johnson, who went by TheDearthStar and Dearthy Star (also "TDS" and "DS") on the dark web, hacked into the center's Oracle PeopleSoft database in 2013 and 2014.
After gaining access to the center's human resources server databases, Johnson stole sensitive PII and W-2 information belonging to UPMC employees, including names, addresses, Social Security numbers, salaries, and bank information.
Johnson later sold this information via forums on the dark web to cyber-criminals, who used it to file false tax returns. The Department of Justice said that hundreds of false 1040 tax returns were filed in 2014 using UPMC employee PII, with the result that hundreds of thousands of dollars of false tax refunds were claimed.
After converting this money into gift cards for online retailer Amazon, the cyber-criminals who had filed the false returns bought goods and shipped them to Venezuela. The scheme caused the IRS to lose $1.7m.
Johnson was arrested in June 2020. In May this year, he pleaded guilty to counts 1 and 39 of a 43-count indictment.
Following the breach, a class-action lawsuit was filed accusing the University of Pittsburgh Medical Center of negligence. The suit alleged that UPMC had failed “to comply with widespread industry standards relating to data security.”
The claim was initially dismissed by the trial court, and that dismissal was affirmed by the Superior Court; however, the Supreme Court of Pennsylvania reversed on appeal and revived the suit. The Court decided in favor of the plaintiffs, holding that an employer has a legal duty to exercise reasonable care in how it stores employees' personally identifiable information.
Earlier this year, UPMC was embroiled in another data breach after a cyber-attack on a third-party vendor exposed the PHI of more than 36,000 patients.