Fraud lessons from the ‘killer nurse’

Charles Cullen, a former registered nurse, is serving 11 consecutive life sentences for murdering 29 patients in 16 years at New Jersey and Pennsylvania hospitals. The author, who helped investigate the case, shares organizational deficiencies that have helped him in subsequent fraud investigations.

“Most of the hospitals I’ve worked at, they strongly suspected that there were deaths associated with me,” says Charles Cullen, in the Netflix documentary, “Capturing the Killer Nurse.” Cullen, a former registered nurse, was charged and convicted in 2006 with murdering 29 patients in 16 years at New Jersey and Pennsylvania hospitals.

“Why do you think they didn’t take it further?” asks Tim Braun, the then-commander of the Somerset (New Jersey) Major Crime Unit during an interview. “I think they were worried about the publicity,” Cullen says.

Apparently, the hospitals that employed Cullen had lacked a strong “tone at the top” in which management shows its staffers — through its words and actions — that dishonest or unethical behavior won’t be tolerated. Management at these hospitals also didn’t create cultures in which employees felt safe to speak up when they suspected Cullen. And the hospitals didn’t run background checks, so he was allowed to continue to market his nursing skills, plus they had poor internal controls that freed him to access medications that he’d use to poison patients.

Discovering control gaps

In 2003, I investigated the Cullen case as the lead detective for Morris County (New Jersey) Prosecutor’s Office, and I ultimately interviewed Cullen. I was one of many detectives who worked the case in several jurisdictions. (After retiring from my 27-year law enforcement career, I went on to become the vice president of corporate investigations in the internal audit department of a major bank.)

As a career detective back then, internal controls and audits meant little to me. I focused my Cullen case efforts on reviewing medical records, securing evidence and conducting numerous interviews. When I later began working at the bank and earned my CFE credential, I learned that controls were central to any audit plan. While I was impressed with the dedication and technical skills of most auditors, I found that some at the bank were only focused on auditing existing controls rather than discovering control gaps. I was concerned that they often rushed to complete audits and didn’t take the time to conduct adequate interviews and observe verbal or written clues of deception — basic CFE skills. I recognized from the Cullen case that a serial killer nurse can live in one of these gaps, remain employed and murder patients — much like how fraudsters perpetuate their crimes when inadequate controls exist to prevent them.

The failures of hospitals’ internal controls to catch Cullen much earlier in his yearslong killing spree is emblematic of the failures of many organizations to properly implement controls and, of course, to guarantee they follow and regularly audit those controls.

Weak and nonexistent controls allowed Cullen to move from hospital to hospital (sometimes after he was fired for sloppy nursing practices) to commit more murders of patients. In 16 years, Cullen worked for nine hospitals and was fired or forced out of six. While Cullen eventually pleaded guilty to 29 murders in New Jersey and Pennsylvania, some estimates place the actual number of murders to be as high as 400. This would make Cullen the most prolific serial killer in U.S. history. [See “The Good Nurse: A True Story of Medicine, Madness, and Murder,” (on which the documentary and the feature film, “The Good Nurse,” were based) by Charles Graeber, 2022, Hachette Book Group Inc.]

How did this happen and why?

Cullen, who grew up in West Orange, New Jersey, began his nursing career at Saint Barnabas Hospital in Livingston, New Jersey, where he probably committed his first murders, according to the book, “The Good Nurse.” Investigators confronted him after they suspected him of injecting insulin into patients’ IV bags. His response? “You can’t prove that.” Obviously, that was a poor denial and the beginning of the first control failure.

Cullen resigned from Saint Barnabas Hospital in 1992 and began working one month later as an RN at Warren Hospital in Phillipsburg, New Jersey, where he later admitted to murdering three elderly patients after giving them overdoses of the heart medication digoxin. The final victim there told family members and hospital employees that a “sneaky male nurse” had injected her with something while she was sleeping. No one believed her, and she soon died.

This pattern — Cullen’s dismissals or resignations, sometimes under suspicion, and then taking new hospital jobs — showed an unbelievable failure of controls in the health care system from many layers of ethical lapses or the lack of publicized methods for employees to report concerns.

Cullen, by many accounts, was an excellent nurse. He was working in the Somerset (New Jersey) Medical Center Critical Care Unit when this case finally broke. He had prior experience working in intensive care units as well as the burn unit of a prestigious hospital. He was very articulate and well-spoken when I interviewed him over two days about his involvement in causing patient deaths or harm. His grasp of medical procedures, pharmacology, cardiology and respiratory conditions rivaled that of any physician or specialist I’d interviewed.

Clearly, this was an individual who knew what he was doing and impressed hospital interviewers when applying for new jobs. Once hospitals hired him, he’d offer to work nights and weekends — the least desirable shifts and the most difficult to staff — but opportune times for him to harm patients.

Lack of background checks

Of the nine hospitals Cullen worked at, he was fired or forced to resign from six. During the time frame of Cullen’s employment, background checks at the hospitals were minimal at best, according to the book, “The Good Nurse.” During our detectives’ meetings, we learned that prior employers would only reveal dates of employment, job titles and salaries. His disciplinary actions and counseling sessions also weren’t included in at least one instance when Cullen was placed on the “Do Not Hire” list. A new employer would have no idea what the potential new nurse’s work history really meant.

Although New Jersey has since instituted laws (which most other states have adopted) to allow more robust exchanges of information among health care institutions, background checks of prospective employees for any organization should include prior personnel files. When I worked at the bank, our internal investigation group would routinely request copies of personnel files from human resources as part of our internal investigations. Our group found gaps, errors and omissions in the files, which helped improve the onboarding processes. We often used statement analysis on handwritten job applications, cover letters and resumes.

Ethical organizational cultures

You might expect a health care institution to fully cooperate with law enforcement and be anxious to address the issue of an employee intentionally harming patients. But you’d be wrong to assume this.

According to the Netflix documentary, the conduct of the Somerset Medical Center administrators was reprehensible. They not only didn’t cooperate with law enforcement but arguably impeded investigations. The documentary alludes to the hospital’s fear of losing patients and donations because of bad publicity.

Multiple interviews of some nurses and other employees at Somerset and other hospitals at which Cullen had worked showed they didn’t feel safe reporting their concerns because they feared their employers’ retribution. Fellow nurses suspected Cullen may have been harming patients, but they didn’t report their concerns because they thought they’d place their jobs at risk, or their suspicions were minor and difficult to prove. Many of the hospitals he worked at didn’t have anonymous ethics hotlines at the time.

In the Netflix documentary, Graeber, author of the book, “The Good Nurse,” says that he’s often asked how a nurse can kill over and over for 16 years. “Why didn’t he get caught? And the answer turns out to be, he was. … [T]hose that caught him, or had reason to suspect that something was wrong, they passed him on with positive or neutral references. … Those [hospital administrators] … have never been held responsible,” Graeber says. None of the administration or employees at Somerset (or the hospitals where Cullen had worked) were ever charged with any crimes. Of course, protecting organizational reputations at all costs has been one of the causes of fraud and malfeasance in all organizations in public and private sectors.

We all know about the benefits of a healthy “auditing organizational culture” (looking for mission statements, procedures of employees reporting concerns, consistency of dispositions and disciplinary actions, etc.) and the pitfalls of a bad one. But we still have a long way to go in understanding what we’re auditing for and why.

For example, in some audit planning meetings at the bank I worked for, I’d ask the internal auditors if they were looking for fraud during their audits. Their mixed answers made it clear to me that additional training and/or brainstorming for possible fraud scenarios was necessary. As CFEs, we shouldn’t be shy to share with our colleagues and business partners our expertise in investigating various types of fraud.

I’ve always advocated for a quality tone at the top that will permeate throughout organizations and will engender transparency about internal employee issues. Anything less than that usually results in a public outcry after citizens or customers discover you’ve covered up or downplayed an investigation to protect your organization. The facts will eventually emerge.

Poor controls on medication access

Investigators determined that Cullen often used the heart medication, digoxin, to kill his patients. Cardiologists carefully prescribe digoxin, which helps make the heart beat stronger and rhythmically, to treat heart failure and atrial fibrillation. However, misuse and overdose can cause death.

A control failure in a common mobile medication dispensing system at Somerset Medical Center, the Pyxis MedStation, allowed Cullen to access drugs when they hadn’t been prescribed. A nurse would obtain a prescribed medication by typing its name and ID number on the Pyxis keyboard plus the patient’s name and type of drug, which would then unlock one of the dispensing trays containing the requested drug. At Somerset Medical Center, digoxin was in the same drawer as Tylenol — a common over-the-counter pain medication. The investigation determined that Cullen would often type into the system that he needed Tylenol, but he’d remove digoxin from the dispensing tray. Cullen would then administer digoxin to a targeted patient, which often was someone to whom he wasn’t assigned.

Investigators’ review of the Pyxis records also revealed that Cullen had ordered multiple medications from the device but would then immediately cancel the requests on the keyboard. Regardless, the Pyxis drawer containing his canceled orders would still open, which allowed him to remove the drugs. The hospital had tracked pharmacy inventories to manage replenishments and supply-chain orders, but shrinkage of meds didn’t raise any red flags.

Somerset Medical Center further complicated the investigation by initially telling detectives that the Pyxis system only retained dispensing records for 30 days. But, according to the book, “The Good Nurse,” a detective from the Office of the Somerset County Prosecutor learned from the device’s manufacturer that every Pyxis entry was retained in the hard drive. Hospital administrators had lied to impede the investigation.

Cullen wasn’t engaging in fraud to obtain money, but he was using a fraudulent practice to defeat the Pyxis system and obfuscate the fact that he was removing drugs to kill patients — either on the same days he withdrew medications or for opportune times.

In retrospect, the case exhibited many other red flags. Cullen would often volunteer to work evenings and weekends. He’d close the blinds of patients’ rooms when attending to them and used a medical records cart to block the doorways.

As CFEs, we’re trained to look for suspicious conditions, regardless of the environments in which we work. When something doesn’t pass the smell test, we must follow up. While you may be conducting an internal investigation about a specific issue, you could be only one employee or document away from a much larger and unrelated crime. Also, as was aptly demonstrated in this case, information from interviews, business records and documents may not be complete, accurate or truthful. In fact, they could be intentionally misleading.

The Cullen case was lengthy, complicated and fraught with never-ending strings of technical questions and details. At the time, all of us investigators felt immense pressure to produce results. Our phones never stopped ringing with calls from bosses, the news media and family members of loved ones who’d been patients under Cullen’s care and, of course, wanted to know if he was responsible for their deaths.

The investigators were all highly experienced and weren’t going to take any shortcuts and risk missing patients who Cullen might have murdered. We developed a close network and supported each other with insights, technical advice and comradery. To this day, we remain friends and exchange stories some 20 years after Cullen’s guilty pleas.

Our investigative efforts have helped encourage changes. According to the book, “The Good Nurse,” the New Jersey State Legislature passed the 2004 Patient Safety Act, which increased the responsibility of hospitals to report “all serious preventable adverse events” that occur at their health care facilities to the New Jersey Department of Health and Senior Services. In 2005, New Jersey supplanted that act with the Health Care Professional Responsibility and Reporting Enhancement Act, which requires hospitals to report to the New Jersey Division of Consumer Affairs (including the Board of Nursing) certain limited facts about the health care professionals at their facilities and to keep records of all complaints and disciplinary actions related to care of their patients for seven years.

Also, the 2017 Health Care Professional Responsibility and Reporting Enhancement Act (“Cullen Law”) requires New Jersey health care entities to notify the state’s division of consumer affairs about “any employed healthcare professional’s impairment, incompetence or professional misconduct relating to patient safety, as well as to inquire with other healthcare entities about the disciplinary and employment records of current or prospective healthcare professionals within their own organizations.” (See “New Jersey’s Final ‘Cullen’ Regulation and Updated ‘Cullen Form’,” Certiphi, July 18, 2017.)

Common traits

A final thought on Cullen and a warning to anyone who conducts fraud investigations. I found an interesting commonality in behaviors between this serial killer and several suspects in purely financial crime cases. Though fraudsters I’ve known were never driven to murder (so-called red-collar crime), the personality disorders afflicting some of these offenders, like Cullen, also can include psychopathy, sociopathy, narcissism, and a host of other behavioral or neurological disorders.

Cullen, like many fraudsters, had a troubled childhood. Both his parents died while he was young. His first suicide attempt was as a child using a chemistry set. Looking perhaps for his station in life, Cullen joined the Navy and was in the submarine service. He found that being locked in a steel tube beneath ocean waves wasn’t for him. He didn’t fit in, was hazed and attempted suicide again. Cullen left the service and got married. The relationship failed, and the family dog disappeared. He began drinking heavily and again tried to kill himself many more times. He was often hospitalized in psychiatric facilities, but he continued to work as a nurse when he was out. Many of us have had rough family backgrounds that never led to a propensity to fraud or other crimes. But the Cullen case has taught me to include early life circumstances of subjects in fraud investigations.

Also, during our investigations we found Cullen had exhibited such frivolous behavior as removing nurses’ station chairs and hiding them in an adjacent room. Such conduct, which might indicate employees’ anger toward management or organizations, can also be fraud red flags.

Stop all offenders

Many media outlets called Charles Cullen “the Angel of Death.” While some speculated that Cullen murdered patients as an act of mercy, many of his victims were getting better and expected to recover. Why Cullen murdered patients and how he selected his victims are, even now, a mystery. (Charles Graeber, the author of “The Good Nurse,” writes that Cullen’s access to the vulnerable allowed him “to manifest death without dying. He’d learned to kill himself by proxy.”) The best answer Cullen ever provided when asked why, is perhaps the most disturbing. “Because no one stopped me.” Hopefully, you’ll never have to prevent murder, but the lessons I learned in the Cullen case could help your organizations avoid some serious frauds.

Barry Bittenmaster, CFE, is a fraud training consultant. Contact him at barry.bittenmaster@gmail.com.