Second Fraudster Pleads Guilty in UPMC Breach Case
Hacked Employee Data Used in Fake Tax Filings
A federal court has ordered the deportation of a Venezuelan citizen who is the second person to plead guilty to taking part in a conspiracy to commit more than $2 million in federal tax return fraud using identities that hackers stole from a University of Pittsburgh Medical Center employee database in 2014.
The U.S. Department of Justice says Maritza Maxima Soler Nodarse pleaded guilty to one count of conspiracy to defraud the U.S.
According to the terms of her plea, a federal judge sentenced Nodarse to a "time served" sentence, which represented approximately 16 months incarceration. She also agreed to be immediately deported back to Venezuela, federal prosecutors say.
Nodarse is the second person to plead guilty for her involvement in alleged crimes related to the filing of approximately 935 false U.S. federal tax returns using identities belonging to hundreds of UPMC employees whose personal information was stolen in an intrusion into UPMC's database in 2014.
In April, Yoandy Perez Llanes, a Cuban national, pleaded guilty to money laundering conspiracy and aggravated identity theft. He awaits sentencing on Aug. 18. He was extradited to the U.S. from Venezuela last August.
Prosecutors say that early in 2014, "tens of thousands of present and former employees of UPMC" had their personal information compromised by hackers, who intruded into a UPMC database and stole names, Social Security numbers, dates of birth and other personal identifying information.
UPMC has previously said that approximately 62,000 employees - or just about its entire workforce at the time of the breach - were impacted by the hacking incident (see Victim Tally in UPMC Breach Doubles).
The stolen UPMC employee data was used to file hundreds of false 2013 federal tax returns, which contained requests for tax refunds. The criminals filed fraudulent tax returns totaling approximately $2.2 million; about $1.5 million was actually disbursed in unlawful refunds, prosecutors said.
Llanes laundered the money using Amazon.com gift cards that Nodarse and others used to purchase electronic merchandise, which was shipped to Venezuela and retrieved by Llanes, Nodarse and others, prosecutors say.
Approximately $156,000 worth of merchandise was ordered by and shipped to Nodarse, who was arrested in Colombia in March 2015 and then extradited to the U.S. to face criminal charges in November 2016.
Llanes in 2015 was charged in a 21-count indictment, including wire fraud, money laundering and aggravated identity theft, and using the stolen identities of UPMC employees to file false federal income tax returns to obtain unlawful refunds. Prosecutors said all of these acts occurred between January and April of 2014 (see Medical Center Fraud Cases: 2 Indicted).
A U.S. Justice Department spokeswoman says the investigation into the tax fraud conspiracy is ongoing.
Protecting Employee Data
The UPMC employee data breach offers an important reminder that healthcare organizations need to safeguard all information systems, not just those that house patient data.
"HIPAA provides a good framework for [safeguarding] protected health information, but organizations should consider leveraging the systems they put in place to protect PHI to also protect other critical information, such as sensitive employee records," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"For example, while HIPAA requires a risk analysis for electronic PHI, organizations should consider voluntarily addressing other types of sensitive or critical information in their risk analysis too, such as sensitive employee information or valuable research."
But healthcare organizations sometimes struggle to obtain adequate resources to effectively safeguard all their data, he acknowledges. "It can be hard to get sufficient resources to address regulatory requirements, such as HIPAA. It is even more challenging to get the resources to address information when there is not a clear regulatory mandate," he says.
When it comes to training human resources staff on information security and putting in place safeguards around employee information, there is not a regulatory scheme similar to HIPAA that security staff can point to as requiring certain actions, Greene notes.
"But it is important to stress to management that, even though not covered by HIPAA, such security provides a good return on investment to prevent potentially costly breach notification obligations, and it is imperative to protect employees from the growing threat to their personal information," he says.
UPMC did not immediately respond to an Information Security Media Group request for comment on the breach-related criminal cases.