Michigan Man Sentenced to Seven Years in Prison for Hacking Into Pittsburgh Medical Center Database

In October 2021, a Michigan man was sentenced to the statutory maximum sentence of five months in prison for Conspiracy to Defraud the U.S. and the statutory maximum of two years for Aggravated Identity Theft. The seven-year prison sentence is for hacking the human resources databases of a Pittsburgh Medical Center and stealing the Personally Identifiable Information (PII) of more than 65,000 of its employees.

The man, who had ties to the dark web, hacked into the Pittsburgh Medical Center’s human resource server databases in 2013 and 2014. He stole sensitive PII and W-2 information belonging to tens of thousands of the Medical Center’s employees. He then sold the stolen information on dark web forums to conspirators, who used the employees’ PII to file hundreds of false 1040 tax returns in 2014. The false 1040 filings claimed hundreds of thousands of dollars in false tax refunds, which the conspirators converted into Amazon.com gift cards. The gift cards were then used to purchase items that were sent to Venezuela. The scheme resulted in approximately $1.7 million in false tax return refunds.

From 2014 through 2017, the Michigan man also stole nearly 90,000 additional sets of PII (not belonging to Pittsburgh Medical Center employees) and sold them to buyers on dark web forums, where they could be used to commit identity theft and bank fraud.

Agents from the Internal Revenue Service Criminal Investigations unit, the United States Secret Service, the United States Postal Inspection Service, and the Office of Homeland Security Investigations conducted the probe leading to the prosecution of the Michigan man.

Issue:

Protecting your facility from cyberattacks should always be a priority for the information technology department. All staff members who have access to the facility’s electronic devices must be knowledgeable in best practices for preventing cyberattacks and the need to immediately report any suspicious activities on their accounts. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6, Data Integrity.

Discussion Points:

  • Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks.
  • Train all appropriate staff on best practices to prevent ransomware. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
  • Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing ransomware attacks.