Baltimore Inspector General Finds Fraud, Data Breach in Youth Diversion Program
A MONSE employee sent 701 juveniles' personal data to a relative's Gmail account, one of several fraud findings in Inspector General Isabel Cumming's new SideStep audit.

Inspector General Isabel Mercedes Cumming released a 48-page audit Tuesday finding that Baltimore's SideStep youth diversion pilot generated fraudulent invoices and exposed the personal information of approximately 701 young people, with both findings referred to law enforcement for criminal investigation.
SideStep ran from January 2022 through 2024 under the Mayor's Office of Neighborhood Safety and Engagement, known as MONSE, in the city's Western District. The program partnered with the Baltimore City Police Department and the Department of Juvenile Services to divert youth offenders ages 17 and younger away from the formal criminal justice system. MONSE paid $694,000 in invoices under the program, and the OIG alleges some of those invoices were fraudulent. That figure could climb further: Cumming's office has accused the Mayor's Office of hindering the investigation by heavily redacting hundreds of previously subpoenaed documents, and the OIG has sued the city to enforce a January 20 subpoena that drew no response from the Law Department.
The data breach finding is equally troubling. According to the OIG report, a MONSE employee sent a diversion table containing post-arrest records for approximately 701 people, many of them juveniles, to a personal Gmail account that appeared to belong to a relative of that employee. The table covered cases from 2018 through September 2022 and included dates of birth and criminal charges. MONSE said it is "gravely concerned" about the exposure and that it has "not identified any malicious use of the data or further mishandling related to this singular email," but added: "Regardless of intent, such disclosure is completely unacceptable and violates MONSE's existing data policy, as well as state law." The office said it "wholeheartedly supports" referring the former employee for criminal charges.
Beyond the fraud and breach, the OIG found that MONSE could not account for the program outcomes it publicly claimed. MONSE previously reported that 48 of 51 youth referred to SideStep successfully completed it. Cumming's office found documentation for only 24 of those completions and concluded that "MONSE was not monitoring or tracking diverted youth in a measurable way."
The records dispute underlying the audit has been grinding through city legal channels since late 2025. On October 31, the Law Department told the OIG that Maryland law makes it a crime for MONSE to release juvenile information to anyone outside the agency. The OIG narrowed its request on November 3, asking only for case identification numbers rather than personal details. The Law Department replied on November 4 that even the police records MONSE obtained from BPD for the pilot cannot be released under subpoena. The Department of Juvenile Services suggested a workaround using case identifiers to avoid sharing names, but the Law Department's interpretation blocked that path as well. The OIG subpoenaed the redacted records on January 20, 2026, received no response, and subsequently filed suit.

The records fight carries additional context: MONSE uses Apricot for case management and Slack for internal messaging, and the OIG has previously reported that the city's Information and Technology department does not manage or monitor the Slack platform. A carve-out exception in Maryland law had granted MONSE access to juvenile and police records during the SideStep pilot period; that exception expired September 30, 2025, cutting off MONSE's access the following day. Mayor Brandon Scott has since requested that the carve-out be restored and extended to two additional mayoral offices.
"The OIG reiterates that this report clearly shows why oversight and direct access to City records and emails are necessary to identify fraud and prevent liability to the City," Cumming's office said.
MONSE, in a five-page memorandum responding to the audit, described the findings as "isolated incidents driven by individual actions that do not reflect broader systemic concerns" and said it is conducting an internal audit while reviewing data-breach notification requirements with the Law Department. The OIG's investigation remains open, and the outcome of the subpoena lawsuit will determine how much additional documentation Cumming's office can obtain. Tips can be submitted to the OIG fraud hotline at 443-984-3476 or by email at OIG@baltimorecity.gov.

