Hospital Records Technician Sentenced for the Wrongful Disclosure of Patient Information

Baltimore, Maryland - U.S. District Judge Ellen L. Hollander sentenced Kenneth Elliott McDowell, age 47, of Baltimore, today to time served plus six months home detention as a special condition of three years of supervised release, for the wrongful disclosure of personal identifying information from patient records, in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). McDowell admitted that he took patient files home and the files were accessed by others, who used the personal information of the patients to defraud financial institutions. Judge Hollander also ordered McDowell to pay restitution of $22,190.40.

The sentence was announced by United States Attorney for the District of Maryland Rod J. Rosenstein; Postal Inspector in Charge Gary R. Barksdale of the U.S. Postal Inspection Service - Washington Division; Baltimore Police Commissioner Anthony Batts; and Christa Phillips, Inspector General of the Housing Authority of Baltimore City.

McDowell worked as a health records technician at the University of Maryland Medical Center (UMMC) and Bon Secours Hospital (Bon Secours), both in Baltimore, for approximately 24 and 28 years, respectively. McDowell had access to patient data including individually identifiable health information covered by HIPAA. Throughout his employment, McDowell repeatedly signed acknowledgments with both UMMC and Bon Secours that he understood his obligations to safeguard patient data, including that he not remove patient records from the hospital buildings.

From at least June 2009 through July 2011, McDowell took home patient records in order to hide the fact that he was not completing his work during the time allotted and was submitting false reports that he had, in fact, completed his work. He kept the patient records in an unlocked room accessible to his nephew, Devin Smith, and Smith’s girlfriend, Wendy Hinton, both of whom collected personal identifiers and payment information from the files, including debit card and checking account information, of patients and others who had guaranteed payment for the medical treatment of a patient.

Even when he learned that Devin Smith and Wendy Hinton were committing identity theft, McDowell took no steps to return the patient records or to secure the records. Indeed, he continued to bring the patient records home. Smith and his co-conspirators used the personal information stolen from the patient files and from others to open new credit accounts in the identities of the victims, and to access the existing accounts for those victims who had payment information in their files.

As a result of McDowell’s unauthorized access and wrongful disclosure of individually identifiable health information, nearly 50 patients had their identities used in the bank fraud and identity theft scheme, resulting in a total loss of between $10,000 and $30,000.

Devin Jarmal Smith, a/k/a Sean Jones, age 20, of Baltimore, pleaded guilty to bank fraud and aggravated identity theft, and was sentenced to 61 months in prison and ordered to pay restitution of $22,190.40. Wendy Hinton, age 22; also of Baltimore, pleaded guilty to her role in the scheme and is scheduled to be sentenced on October 18, 2012 , at 9:00 a.m.

United States Attorney Rod J. Rosenstein praised the U.S. Postal Inspection Service, Baltimore City Police Department and the Housing Authority of Baltimore City - Office of Inspector General for their work and expressed appreciation to the University of Maryland Medical Center for their cooperation and assistance in the investigation. Mr. Rosenstein thanked Assistant United States Attorneys Tamera L. Fine and Mark W. Crooks who prosecuted the case.