5 charged with fraud involving Johns Hopkins patients

Federal charges have been filed against five Maryland residents, one of whom was employed by Johns Hopkins Medicine. They are accused of a credit card scheme that involved information accessed fraudulently from the records of Johns Hopkins patients.

Experts say the case underscores the need for background checks and training for employees, and access controls to electronic medical record systems. But it also shows data are never completely secure.

The indictment alleging conspiracy to commit bank fraud and identity theft, announced in September by Rod J. Rosenstein, U.S. attorney for the District of Maryland, said Jasmine Amber Smith, who was employed at the hospital from August 2007 to March 2009, accessed patient records improperly to obtain personal information of patients and the parents of minor patients.

The information, including names, Social Security numbers, dates of birth and addresses, allegedly was passed along to two other defendants, who then turned the information over to two others.

From May 2008 to June 2009, the information was used to apply for "instant credit" at retail stores in Maryland, which was used to make purchases before fraudulently obtained credit cards were received, according to the indictment. In little more than a year, the accused allegedly obtained more than $600,000 in credit from more than 50 people.

Gary Stephenson, director of media relations for Johns Hopkins Medicine, said it has long been Johns Hopkins' procedure to conduct background checks on all employees. He said employees are trained in patient confidentiality, including training on technology systems, and asked to sign patient-confidentiality agreements.

"Unfortunately, while Johns Hopkins continuously reviews to see what additional precautions could be built onto the patient registration system, there is little way to stop an employee, at Johns Hopkins or anywhere else, who deliberately chooses to break the law," Stephenson said.

Brian Cleary, vice president of products and marketing for Aveksa, a data security solutions provider, said, "No process or technology can provide 100% protection when someone has criminal intentions." But, he added, not only can access controls limit the data employees can get to, but they also can make it easier to catch criminals when those controls have been ignored.

"Health care organizations are struggling to protect the privacy of their patients' confidential data, and this problem will only increase as the adoption of electronic medical records continues to grow," Cleary said.