Fraud Management & Cybercrime , ID Fraud

Ex-Hospital Worker Sentenced in $24 Million Fraud Case

9,000 Stolen Identities Used for False Tax Returns

Martin Army Community Hospital at Fort Benning, Georgia.

A former military hospital worker has been sentenced to 13-plus years of federal prison time for her involvement in a $24 million identity theft and tax fraud scheme, which also involved a former Alabama health department employee and several other co-conspirators.

See Also: Live Webinar | Leveraging AI in Next Generation Cybersecurity

On Aug. 10 in the U.S. District Court for the Middle District of Alabama, Tracy Mitchell, a former worker at a military hospital at Fort Benning, Georgia, was sentenced to serve 159 months in federal prison for crimes including one count of conspiracy to file false tax claims, one count of wire fraud and one count of aggravated identity theft, to which she pleaded guilty in April (see Nine Plead Guilty in $20 Million Fraud Scheme).

Eight others were also sentenced on Aug. 10 for their roles in the same fraud ring, which federal prosecutors say involved the theft of 9,000 identities stolen from the U.S. Army, various Alabama state agencies, an unidentified Georgia call center, and an unidentified Columbus, Georgia company.

Case Details

The U.S. Department of Justice in a statement says that while Mitchell worked at the military hospital, she had access to the identification data of military personnel, including soldiers who were deployed to Afghanistan. Mitchell stole personal information of soldiers and used them to file false tax returns. Court documents do not specify the job Mitchell held at the hospital.

Prosecutors say that between January 2011 and December 2013, Mitchell and a co-conspirator, Keisha Lanier, led the large-scale identity theft ring in which they and their co-defendants filed over 9,000 false tax returns that claimed in excess of $24 million in fraudulent claims. The IRS paid out close to $10 million in fraudulent refunds, the justice department says. Sentencing for Lanier is scheduled for Aug. 24.

Other members of the fraud ring who were sentenced on Aug. 10 included Sharondra Johnson, who worked at a Walmart money center in Columbus, Georgia. As part of her employment, Johnson cashed checks for customers of the money center. Prosecutors say Johnson cashed tax refund checks issued in the names of other individuals whose identities were stolen by the fraud ring. For her crimes, Johnson received a 24-month prison sentence.

Also, in another related case linked to the same fraud ring, Tamika Floyd, a former worker of the Alabama Department of Public Health from 2006 to May 2013, and the Alabama Department of Human Resources from May 2013 to July 2014, was sentenced in May to serve 87 months in federal prison after pleading guilty to fraud conspiracy and ID theft crimes. While working in her state jobs, Floyd had access to databases that contained identification information of individuals, which she stole and provided to the crime ring's co-conspirators for the filing of false tax returns, prosecutors say.

Of those sentenced so far, Mitchell received the stiffest penalty. Sentences for the other defendants in the case so far range from 60 months of prison time to two years of probation. Restitution will be determined at a later date, the DOJ says.

Preventing Insider Crimes

There are steps that healthcare organizations can take to deter insiders from committing fraud related crimes using patient data, say privacy and security experts.

Mac McMillan, CEO of security consulting firm CynergisTek suggests that entities enhance personnel screening, improve authorization practices, eliminate excess access, invest in monitoring technologies and diligently and proactively monitor users. Also, "we need to change our monitoring and audit practices and focus more on behavioral analysis," he adds.

Indeed, some healthcare CISOs say their organizations are putting those types of efforts in place to help safeguard patient data from being used in identity crimes.

"We are in close partnership with all the three-letter [law enforcement] agencies, and are constantly reviewing the crimes, such as identity theft, which continues to be on the FBI's top list of crimes throughout the nation in general," says Connie Barrera, CISO of Jackson Health System in Miami.

Unfortunately, "South Florida is a big repository of different kinds of issues, and crimes" involving identity fraud, including tax refund fraud, she says. "It's not only about educating our population [of workers] but having the right monitoring in place."

For instance, "with our medical records, we have various ways to monitor that [access], and we let our workforce and constituents know that we are monitoring, and we do that on a regular basis," she says. "Employees are made aware, and word spreads."

Also, the organization provides access to data only "on a need to know basis, and we review that on a periodic basis." Still, "ensuring that the people who do have [authorized] access to data are only using it appropriately, that's a huge challenge."

On top of those efforts, law enforcement, prosecutors and the justice system pursuing fraud cases involving patient identities are also an important deterrent, McMillan says.

"These sentences should send the message that the government is serious about punishing those that abuse their trust and take advantage of others," he says. "If you do the crime and get caught, you can get serious time."