Case #3: New York City Office of Chief Medical Examiner
The Target: New York City Office of Chief Medical Examiner (OCME) provides forensic services to support criminal investigations and DNA testing, and manages the city's mortuary. OCME's budget is $50 million; it has 510 employees.
The Subjects: Natarajan "Raju" Venkataram, former director of the medical examiner's management information systems department, and Rosa Abreu, former director of records.
In the aftermath of the 2001 World Trade Center attacks, more than 20,000 human remains were ferried to the chief medical examiner's office in New York City.
The Midtown Manhattan building, a fading 60's-era structure with a turquoise tile facade, was transformed into an armed camp after the towers collapsed; city police, state troopers, and FBI and Secret Service agents conducted investigations and ringed the building's perimeter, admitting only those involved with managing the disaster.
Despite the abundance of law enforcement personnel, crimes went undetected at the medical examiner's office while the incinerated and crushed bodies of 2,749 men, women and children pulled from the wreckage were tagged, analyzed and, in the best-case scenario, identified, according to a criminal complaint filed against Natarajan Venkataram and Rosa Abreu in December 2005 in the U.S. District Court, Southern District of New York.
The criminal complaint accuses them of running a scheme of shadow companies and fake contract bids to embezzle funds sent by the Federal Emergency Management Agency (FEMA) soon after the Sept. 11 attacks, when the medical examiner was overwhelmed by the huge and delicate task of identifying nearly 3,000 victims. The two defendants have been charged with theft from a program receiving federal funds, according to court documents. If convicted, the two face up to 10 years in prison, according to a December 2005 press release issued by the New York City Department of Investigation, a city agency that investigates cases of fraud, corruption and unethical conduct by New York City employees, contractors and others who receive city money.
Venkataram's and Abreu's lawyers, Gerald Shargel and Lee Ginsberg, respectively, say their clients are not guilty. Both defendants have pleaded not guilty in court.
From 2000 to 2005, according to the complaint, Venkataram, director of the medical examiner's management information systems department, and Abreu, director of records (and Venkataram's primary assistant), took at least $8 million of municipal and federal dollars via phony companies and improper relationships with vendors.
That Venkataram and Abreu might have bilked the city and federal governments when so many around them were suffering was particularly galling to Tom Brondolo, the former deputy of the medical examiner's office, and Venkataram and Abreu's manager. "When Raju and Rosa created this scheme to defraud the city, they violated more than the public trust," says Brondolo, who now runs Brondolo Associates, a New York-based disaster management consultancy. "They violated a truly sacred trust and commitment that everyone in the office made to do what was needed during 9/11." OCME declined to comment on the case.
Stephan Zander, deputy inspector general with the New York City Department of Investigation, said in the complaint that OCME, at the direction of Venkataram, awarded technology contracts to a number of companies - some that provided services to the department, some that did not. These companies then colluded with "shell" entities created and controlled by Venkataram and Abreu, the complaint alleges.
Three companies that had contracts with the medical examiner's office - Comprehensive Computer Resources (CCR), HS Group and Infotech - issued checks totaling more than $575,000 to a company called A&D Marketing, according to the complaint. Venkataram's home address, according to the complaint, is listed as the headquarters for A&D.
Venkataram, who worked at the medical examiner's office for 13 years before his December 2005 arrest, was responsible for procuring hardware and software and supervising outside consultants at the medical examiner's office, according to the complaint. He is alleged to have been a close associate of the head of CCR, an Internet consulting, Web development and training firm. The CCR employee was not named in the complaint and is said in the court document to be serving as a confidential informant in the case. The two met at a training course led by CCR prior to 2001, the complaint alleges. CCR was alleged to have been awarded contracts by OCME in the aftermath of the Sept. 11 attacks, including an $11.4 million project funded with federal emergency dollars. Approximately $5.5 million of the contract payment was allegedly transferred from CCR to bank accounts in India at Venkataram's direction by way of blank CCR checks signed by the unnamed CCR employee, the complaint states. The complaint also says that Venkataram transferred $400,000 from CCR to A&D and another $86,000 to another shell company.
The medical examiner's office is normally responsible for the forensic investigation of homicides, suicides and unusual deaths in New York City. After the World Trade Center attacks, the agency, which operates under the city's Department of Health and Mental Hygiene, was responsible for tracking, identifying and releasing the human remains recovered at ground zero. Immediately after 9/11, the agency had to quickly create a tracking system - with the help of technology vendors - to ensure that all remains were properly cataloged, analyzed, X-rayed and stored where they could be found, according to Brondolo. It also had to find a way to make available to investigators all of the data it had collected.
Shortly following Sept. 11, the medical examiner's office awarded CCR an initial $1.3 million contract on an emergency basis to provide hardware and software support for OCME's World Trade Center-related activities and the laboratory systems used to keep track of DNA samples of victims, Brondolo says.
In January, February and August 2002 and April 2003, CCR's contract was increased for unanticipated work requirements and ongoing maintenance, according to a contract and contract addendums that Baseline obtained through a Freedom of Information Act request. (The contract would eventually total $11.4 million.)
Those requirements included integrating 20 disparate systems that contained information ranging from DNA samples and analyses, to victims' personal profiles, to photographs of personal effects, according to a copy of the original CCR contract from January 2002. CCR created a Web-based portal so that workers at the medical examiner's office, the New York Police Department and other investigative groups could gain access to the disparate systems from a single Web page, according to a contract addendum filed with the Comptroller's office in May 2003.
In addition, CCR was asked to implement a laboratory information management system to help identify the remains and a document management system for DNA case files, the addendums state. Brondolo says he recalls that CCR completed the information systems it was contracted to build.
FEMA, a division of the U.S. Department of Homeland Security, reimbursed the entire $11.4 million contract to OCME, according to the criminal complaint. But New York City's Department of Information Technology and Telecommunications alleges in the complaint that the work CCR did "could have been performed for a fraction of the $11.4 million and would have been performed substantially better by other companies operating in the marketplace." Baseline attempted to contact CCR, but the company's Web site had been taken down and a call to the number listed for CCR in the phone directory found the number to be disconnected.
Because of the unusually strained circumstances in the months and years after Sept. 11, Venkataram and Abreu were able to bypass some procurement controls by awarding contracts under emergency conditions. That meant the usual procedures and approvals were not required, according to Marla Simpson, director of the Mayor's Office of Contracts, which oversees the city's procurement policy and process.
"Many city agencies required the purchase of goods and services on an emergency basis after Sept. 11," says Steve Stein Cushman, chief of the contracts and real estate division at the city's Law Department, also called the Corporation Counsel, which ensures that the terms of contracts valued at more than $100,000 are legal and appropriate. For roughly three months following the disaster, Cushman says city agencies were given "blanket approval" for the emergency procurement of goods, services and construction necessary to respond to the emergency. "That meant they could select a vendor and procure such goods, services or construction without individual approval for each purchase from the Law Department or the City Comptroller's office. In addition, the Mayor's Office of Contract Services does not approve emergency contracts," Cushman explains.
But Venkataram allegedly managed to circumvent procedures even when it wasn't an emergency, according to the complaint. In order to create the appearance of competitive bidding in awarding some contracts, Venkataram allegedly asked the head of CCR to use other companies the informant controlled to bid on work at the medical examiner's office. For example, the agency paid $166,000 to HS Group and Infotech, which bid on and won contracts with the medical examiner. Baseline could not track down contact information for either company, both of which are alleged to have been operated by the informant and performed no services, according to the complaint. However, at Venkataram's direction, the companies issued checks to A&D Marketing and Trade A2Z, another alleged shell company operated by Venkataram and Abreu. The complaint states that Rosa Abreu admitted to Zander in an August 2005 interview that A&D, Trade A2Z and a third company, Infodata, were shell companies.
Venkataram and Abreu were eventually apprehended by New York City police after an unnamed employee in the medical examiner's office alerted the Department of Investigation's Zander to possible procurement irregularities involving the two, according to the complaint.
Resolution: In December 2005, Venkataram and Abreu were arrested on fraud charges and have pleaded not guilty. Venkataram is incarcerated at the Metropolitan Detention Center in Brooklyn. Abreu was released on $500,000 bail in December; her lawyer declined to say where she is living. A trial date has not yet been scheduled.
New York City Office of Chief Medical Examiner
Headquarters: 520 First Ave., New York, NY 10016
Phone: (212) 447-2030
Business: Investigates deaths of those who die as a result of violence, suicide or under suspicious circumstances.
Chief Executive Officer: Charles S. Hirsch, M.D.
Financials: Annual budget of $50 million.
Incident: The medical examiner's former management information systems director and director of records allegedly absconded with federal dollars through phony companies.
Case #4: The Electric Reliability Council of Texas (ERCOT)
The Target: The Electric Reliability Council of Texas (ERCOT) is the organization entrusted to keep electric power flowing to approximately 20 million Texas customers - representing 85% of the state's electric load and about 75% of Texas' land area.
The Subjects: Kenneth Shoquist, ERCOT's former chief information officer; Stephen Wallace, former program development director; Chris Uranga, ERCOT's ex-director of I.T. operations and corporate security; Chris Douglas, former senior manager, data warehouse; Carlos Luquis, former physical security manager; and John Benito Cavazos, a non-employee contractor.
For an organization such as the Electric Reliability Council of Texas (ERCOT) that puts a premium on security, the November 2002 hiring of Kenneth Shoquist as chief information officer seemed like a well-considered move. As it turned out, however, the company could have made a better choice, given the outcome of his tenure.
Founded in 1970, ERCOT, based in Taylor, Texas, is an independent, third-party, not-for-profit organization responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid. ERCOT's staff grew from 50 employees in January 2000 to more than 400 employees in September 2004.
As such in a post- Sept. 11 world, its job is to safeguard the state's electric grid from everything from hurricanes to cyberthreats and terrorists. To this end, the company frequently conducts security reviews and drills with a number of outside organizations, including the U.S. Department of Homeland Security and the Public Utility Commission of Texas.
Shoquist, who reported directly to ERCOT's then-CEO, Tom Noel, seemingly put a premium on security from the outset. Shoquist was a veteran technology executive; he had served as the CIO of Dell Financial Services, Dell's financial arm, and worked at major companies including MasterCard International and Texas Instruments, according to the news release ERCOT issued when it hired him on Nov. 19, 2003. Shoquist soon began beefing up ERCOT's internal security capabilities with new hires, experienced men with whom he had worked before. Two months after signing on with ERCOT, Shoquist hired Stephen Wallace - a longtime friend, according to the Texas Attorney General's office - as program development director to oversee ERCOT's multi-million-dollar annual program budget. He also brought in Chris Uranga as director of corporate security and information-technology operations, the Texas AG's office said. According to the AG's office, Shoquist also hired Chris Douglas to serve as senior manager for data warehouse and security while putting Carlos Luquis, a former FBI agent, in charge of ERCOT's physical security.
As The Dallas Morning News was the first to report, these men all had links to Shoquist and to one another. Uranga, Douglas and Wallace, for instance, had worked at both Dell and EDS under Shoquist. Uranga and Luquis had also served together as Navy cryptologists in Japan, held top-secret government security clearances and had performed work for the National Security Agency (NSA).
With his hiring out of the way, Shoquist brought in a computer services company, DSS Group, to provide I.T. services and consulting, according to the Attorney General's office. A month later, in March 2003, ERCOT signed with another consultancy called ECT Global Solutions to evaluate ERCOT's security, the AG's office states. Soon after, the company also signed security-related contracts with Tri Force Security and Cyberensics, the AG's office states. "Security, ever since 9/11, has been center stage [at ERCOT]," Shoquist told a reporter from Public Utilities Fortnightly in an October 2003 interview. He and Uranga also made regular presentations to the ERCOT board, updating them on progress in securing the state electric gird and ERCOT's computer systems.
For ERCOT, which then had a $133 million budget, the cost for these efforts was substantial - far more so than the ERCOT board or its CEO were aware. The San Antonio-based DSS Group, for example, sent ERCOT 13 invoices totaling nearly a million dollars, according to the Texas Attorney General's office, for work that for the most part was never performed. The only person who actually worked on the ERCOT account on behalf of DSS was a nephew of Wallace, says the Attorney General's office.
DSS proved to be a shell company, the Attorney General's office discovered, headed by a San Antonio stage actor and private contractor named John Benito Cavazos and allegedly run by Stephen Wallace. Cavazos would submit invoices for work that had never been done to Shoquist, who approved them in exchange for part of the fee. In the space of a little less than a year, Shoquist's take amounted to $220,000 while Wallace allegedly cleared $800,000, according to the AG's office.
Meanwhile, Uranga, Douglas and Luquis were allegedly raking in illicit funds as well through contracts with ECT, Cyberensics and Tri Force Security, which, like DSS, were allegedly shadow companies headed by what the Attorney General's office would later call "puppet presidents." Each of the companies billed ERCOT for hundreds of thousands of dollars for services for work that was never done and equipment that was never delivered, the Attorney General's office charges. In one instance, Uranga charged his employer for the services of a consultant who had died long before. In less than a year, Uranga and Douglas each allegedly misappropriated more than $300,000, while Luquis's alleged take topped $100,000.
Shoquist and Wallace allegedly signed and approved the contracts with DSS; Luquis and Douglas allegedly signed and approved contracts and payments with Cyberensics; and Uranga signed and approved invoices from ECT and Tri Force, says the AG's office.
Emboldened by their success, some of the men, who were paid between $80,000 and $120,000 at ERCOT, allegedly began living large, buying expensive cars, luxury homes on golf courses and even yachts. "Fellow employees sometimes wondered how they were able to afford expensive houses and expensive cars," Texas Attorney General Greg Abbott said in a Jan. 28, 2005, news conference.
Still, Shoquist and the others might never have been apprehended had it not been for several whistle-blowers within ERCOT.
Beginning in late 2004, these employees e-mailed members of the Texas Public Utilities Commission (PUC) and Randy Chapman, executive director of the Texas Legal Services Center, with numerous allegations concerning Shoquist and the others, Chapman says. The first reaction was shock, says one of the recipients, Paul Hudson, chairman of the Texas PUC: "The second was concern about the systems' vulnerability based on the materials that we had received." There was ample reason for concern. Most of the so-called security work that had supposedly gone into protecting ERCOT over the previous year was as shadowy as the companies that provided it.
Resolution: When the whistle-blowers initially surfaced with their anonymous e-mails, ERCOT's reaction was to attack the messengers and ignore the message. In November 2004, it sued two Internet service providers, Yahoo and Time Warner, in the Travis County District Courthouse to force them to reveal the identities of the employees who had leaked information about the fraud. The suits were filed based on ERCOT's claim that the e-mails were defamatory and "solicited ERCOT employees to turn over confidential information to outside entities."
"The lawsuits had a chilling effect at a time when we required absolute openness and accuracy," says Texas PUC chairman Hudson. Within a few days, the Public Utilities Commission and various state politicians convinced ERCOT to drop the lawsuits. At the same time, the PUC held an emergency open meeting to review ERCOT's audit procedures and controls. "It was a sad state of affairs," says Chapman, who met with the ERCOT board. "There were no checks and balances in place. At the time, ERCOT wouldn't even allow a state auditor to come in because they claimed that an outsider would be too intrusive."
As the result of the emergency meeting, a number of reforms were put in effect, including strengthening contracting procedures and putting strong internal controls in place, according to ERCOT chief executive officer Thomas F. Schrader's statements in a company press release. Schrader recently resigned from the company. Law enforcement was notified during the same time frame and began an investigation. On Jan. 29, 2005, a grand jury in Williamson County issued 23 indictments against the former ERCOT managers and one outside contractor, Cavazos.
On Aug. 17, 2005, Chris Uranga pleaded guilty to misapplication of funds and admitted he owes ERCOT $500,000 for illegal profits he obtained. He awaits sentencing and could receive up to 15 years in prison, the Texas Attorney General's office says.
On Dec. 20, 2005, John Benito Cavazos of San Antonio pleaded guilty to misapplication of fiduciary property enhanced to organized criminal activity, a third-degree felony. He returned $8,700 to ERCOT, which is the amount he was illegally paid as a security contractor. He will receive four years of probation or deferred adjudication, according to the Texas Attorney General's office, and will also testify at Luquis's trial.
On April 12, 2006, Chris Douglas pleaded guilty to two charges, one for engaging in organized criminal activity for misapplication of fiduciary property, and one for theft. They are first-degree felonies, and he has also agreed to repay ERCOT more than $500,000 in illegal profits he obtained. Prosecutors have agreed to recommend no more than nine years in prison upon sentencing.
Former chief information officer Kenneth Shoquist pleaded guilty on March 24, 2006, to engaging in organized criminal activity for commercial bribery, and said he received $120,000 in bribes from Wallace. He will be repaying the money prior to his Aug. 1 sentencing. He accepted a plea deal for a nine-year sentence and could be eligible for parole in 2 1/2 years if the judge abides by the plea.
Meanwhile, Wallace and Luquis have opted to go to trial and are contesting their cases. Wallace has a pre-trial hearing scheduled this month. His lawyer, Daniel Castro, did not return Baseline's phone calls. His trial date has not yet been set. Luquis is scheduled to go to trial July 24. His lawyer, Patricia Cummings, has asked to have the indictments against her client dismissed, according to a published newspaper report. She did not return Baseline's phone calls.
Shoquist and the others could not be located, and their lawyers failed to return phone calls in regard to this story.
Of CIO Shoquist, Attorney General Abbott said, "This defendant was the gatekeeper who made the scope of this white-collar crime possible by hiring and enabling the other criminals in the first place. It is safe to say that none of the fraud that occurred at ERCOT would have been possible except for the insider dealing he encouraged."
Cyber-Sleuths
As procurement fraud becomes increasingly sophisticated, it becomes all the more difficult to ferret out, says LECG's Anastasi. As a result, companies that believe they are being victimized but are not sure - or don't know whom might be responsible - sometimes turn to cyber-sleuths, private detectives for the digital age who rely on computer forensics to catch the bad guys.
Recently, Anastasi, who served as the global leader of Deloitte's forensics investigation practice before joining LECG, was called in by a client on such a case. "They suspected their I.T. chief was running some kind of a procurement scam, but they couldn't figure out how he was doing it," he says.
The first thing Anastasi and his investigative team did was deploy SilentRunner as a network forensics tool. "SilentRunner produces this three-dimensional map of your entire system," Anastasi says. "You can see every node on your network."
Using this map of the client's I.T. infrastructure, Anastasi was able to track all of the digital traffic going in and out of the client's system. As it developed, considerable traffic - and client funds - were being transmitted out to several Web sites. These proved to be shell Internet companies that were supposedly providing services to the client, but in actuality were the fictitious creations of someone with the client company. "We knew someone within the company was communicating with these sites by wireless, so we had an investigator go through the client headquarters to see where the transmitter was hidden," he says.
He didn't have to look far. "The transmitter was hidden under the CIO's desk," Anastasi says. "We had him dead to rights."
Unfortunately, however, that is the exception, not the rule. Shane Shook, a colleague of Anastasi's and managing director in LECG's electronic discovery practice, says that at most 40% of procurement fraudsters are nabbed. As Shook explains, "They're getting more sophisticated in the ways they access the systems and cover their tracks."
Electric Reliability Council of Texas (Ercot) Base Case
Headquarters: 2705 W. Lake Drive, Taylor, TX 76574
Phone: (512) 248-6800
Business: Responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid.
Chief Executive Officer: None. Thomas F. Schrader had been CEO, but resigned on May 16. The company is seeking to replace him.
Financials: ERCOT is an independent, third-party, not-for-profit organization. Its $126.9 million annual budget is funded by mandatory fees paid by electricity customers or their power providers.
Incident: The company's CIO and four other senior I.T. and security managers, plus one outside contractor, allegedly defrauded ERCOT through shell vendors.
No comments:
Post a Comment