Is BlackCat/ALPHV faking its own ‘death’? (updated) HHS and CMS come to Change-affected providers’ assistance with ‘flexibilities’

BlackCat/ALPHV blames the FBI for another ‘shutdown’ and exits, stage left. BlackCat put up a copy of the shutdown screen (left) that appeared on their old leak website back in December [TTA 22 Dec 23] on their new leak website, claiming that law enforcement shut them down. The FBI did not confirm this either way, but Europol and the NCA confirmed to Bleeping Computer that they had no recent activity involving BlackCat. The other tell was that the page source behind the two screens differed: the new one was served from another server.

On a Russian hacker forum called Ramp, BlackCat/ALPHV claimed that they “decided to completely close the project” and “we can officially declare that the feds screwed us over. The source code will be sold, the deal is already being negotiated”. The source code is reportedly up for sale for $5 million.

As to the $22 million, BlackCat/ALPHV never admitted it was paid by Optum/Change (nor is Optum confirming), but the affiliate called “notchy”, which didn’t get paid [TTA 5 Mar], shared with Bleeping Computer “a cryptocurrency payment address that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.” That wallet then distributed seven equal payments of $3.3 million in bitcoin to other wallets.

(Update) Speaking of “notchy”, let’s not forget that this affiliate claims to have 4 TB of PHI/PII data from Change that could be sold or leaked. Since they never got paid by BlackCat/ALPHV, it’s safe to assume that information will be up, so to speak, for grabs.

When it all adds up–the fake FBI ‘raid’, shutting down servers, the signoff on Tox of ‘GG’ (good game?), the cutting off of affiliates (which also confirmed this to DataBreaches.net–and may or may not have been paid)–it resembles an exit scam.

(Update) Another excellent summary about ALPHV in Krebs On Security also updates LockBit, which was seized in an international takedown in February, and covers the governmental entities they ransomwared. To be continued….

The lobbying of HHS by Congress, the American Hospital Association, and UHG to help out providers has produced some results. On 5 March, Health and Human Services (HHS) issued a statement that summarized various ‘flexibilities’ and workarounds to aid providers who cannot access systems or have to resort to alternatives to ensure continuity of services to patients. These will be administered through the Centers for Medicare & Medicaid Services (CMS) and range across prior authorization, advance funding, and claims processing for Medicare. From the statement:

  • Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch.
  • CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages.
  • CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
  • CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies.
  • If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs. CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them.

Many payers are also making funds available while systems are offline. Hospitals may also face “significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration.”

The statement closes with a reminder of HHS’ December concept paper on cybersecurity strategy for healthcare. DataBreaches.net (full statement), Becker’s

(Update) More on how this is affecting patient care, focusing on cancer treatment, from the point of view of a Community Oncology Alliance spokesman. In addition, how consolidation is making healthcare more vulnerable to cybercriminals, and comments on UHG and Federal processes and payment offers to date. HealthcareITNews.

And DDoS attacks and questionable downtimes are now common.

Editor’s Update 11 Mar: The DataBreaches.net website had a major DDoS attack on 7 March and was down for two days through 8 March. It is now fully up and running with our links working.

Multiple US Government websites went down Thursday evening 7 March, based on news reports: Department of Homeland Security (DHS), Customs and Border Protection (CBP), Immigration & Customs Enforcement (ICE), Citizenship and Immigration Services (USCIS), US Secret Service and Federal Emergency Management Agency (FEMA). The timing, coinciding with the State of the Union address to Congress, is, well, interesting. Daily Express. Later reports announced restoration later in the evening. Cyber incidents are not exactly unknown on government websites.

Short takes: Humana’s big MA loss (updated); Medicare telemental care bill back in Senate; HHS releases cybersecurity performance goals; Texas Healthcare Challenge hackathon 23-24 February

Humana apparently surprised Wall Street with their Q4 losses, driven by escalating Medicare Advantage (MA) costs. While revenues ($26.5 billion) for MA’s second largest plan provider were up from prior year’s $24 billion, MA expenses drove an adjusted Q4 loss of $361 million under the insurance segment. From Humana’s earnings statement: “The sector is navigating significant regulatory changes while also absorbing unprecedented increases in medical cost trends. We believe the elevated MA medical costs are an industry dynamic, not specific to Humana, and that they may persist for an extended period or, in some cases, permanently reset the baseline.” On the earnings call, their CFO cited increased inpatient costs, especially for short stays, and more spending in outpatient surgeries and supplemental benefits–trends that Humana expects to continue into 2024 and even into 2025. Home health under CenterWell was tidily profitable and growing. Perhaps MA’s sector problems were the reason why Cigna, selling off their MA plans, backed out of their acquisition/merger? Q4 press release, management remarks, Becker’s, Healthcare Dive

(Update) Humana announced the appointment of a President of Enterprise Growth, David Dintenfass, to spearhead customer growth and retention. His background is not healthcare but Fidelity Emerging Growth Markets, with previous stints at Procter & Gamble and Bank of America. This assumes that the cost problem can be grown out of. Expect more departures and arrivals to roil Humana, as their current CEO moves to a planned retirement transition later this year and has already laid off staff in January. Healthcare Dive

A bipartisan Senate bill proposes to continue coverage of virtual-only telemental health for Medicare beneficiaries. The ‘Telemental Health Care Access Act of 2023’ is sponsored by four Senators: Bill Cassidy, R-La., Tina Smith, D-Minn., John Thune, R-S.D., and Ben Cardin, D-Md., and is designed to make permanent the pandemic waiver of in-person requirements that expires at the end of 2024. The senators cited rural health and overall access to mental healthcare. Mental health remains the leading claim line for telehealth. Healthcare Dive, draft bill

The Department of Health and Human Services (HHS) published voluntary cybersecurity performance goals for healthcare and public health organizations. These fit within the HHS 405(d) Program and Health Sector Coordinating Council Cybersecurity Working Group’s Healthcare Industry Cybersecurity Practices as well as the NIST Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Strategy. (Whew!) The two voluminous sets of goals, Essential and Enhanced, directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis. As noted earlier this week, 116 million patient records were exposed in 2023 data breaches, double the 2022 total.

HHS means well, but this is another ‘blood out of a rock’ situation. Health IT departments all over the US, from providers to payers, have had or are facing layoffs in the ongoing clash of business versus technology, which won’t cease because HHS would like it to. Healthcare Dive, HealthcareITNews

The Texas Healthcare Challenge Hackathon is back! After three years dark, this year’s edition will be held 23-24 February in Dallas. Sponsored by the Health Wildcatters, a Dallas-based accelerator in the DFW area, it is open to just about anyone who can apply–you don’t have to code or hack. Friday kicks off with “problem pitching,” where participants form teams around identified issues. Saturday starts with morning motivation and intensive team hacking, moving to participants developing viable solutions, assessing market potential, creating functional business models, and addressing risks with mentor support from industry experts. The day culminates in team presentations, with judges awarding cash and in-kind prizes to winning solutions. Learn more and apply here (application form is under the numbers, click on “Hackathon Sign-Up”). Sponsorship is the second button.

News roundup: ONC recommends ‘nutrition labeling’ for healthcare AI apps but Google moves forward; CVS’ health services rebranding as Healthspire (updated); Clover Health reports out of ACO REACH

Straining toward a model for AI app information? The latest grope by Federal regulators towards the “trustworthy use of artificial intelligence”, as the American Telemedicine Association terms it, is a labeling system that has been likened to ‘nutrition labeling’. This near-incomprehensible analogy to food labeling was proposed back in April by the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC), now headed by Micky Tripathi, Ph.D. This disclosure would consist of how the app was trained, how it performs, how it should be used, and how it shouldn’t, which does not sound onerous at all. The disclosures are designed to forestall issues around performance and bias that have previously appeared, such as with Epic’s AI system designed to predict sepsis risk and an algorithm designed to flag patients needing assistance with complex treatment regimens.

An optional proposed disclosure around how the app was trained and tested would be important to healthcare organizations but potentially problematic to developers. There are quite a few caveats expressed by Silicon Valley investors around hurting startups and even giants like Epic through over-disclosure of proprietary information, enabling reverse engineering and poaching of intellectual property. Everyone likes transparency, trust, safety, and efficacy, but the conundrum is to disclose what is needed for proper and cautious use without providing an entrée to IP. Wall Street Journal, Becker’s, ATA release and AI principles

Google, predictably, damns the torpedoes, full speed ahead with healthcare AI. And intends to write the rules. They’ve deployed AI tools already with Mayo Clinic and HCA Healthcare–Mayo for medical records and research papers, HCA for clinical notes. EHR vendor Meditech is using Google’s AI for clinical documentation and to summarize patient histories. Bayer is also working with Google. Their products include a licensed algorithm for breast and lung cancer detection, a tool for diagnosing diabetic retinopathy, and a question-answering bot. Google makes no secret that they plan to influence Federal efforts at setting standards by hiring lobbyists, most of whom are out of the Food and Drug Administration (FDA), and playing a large role in industry groups such as the Coalition for Health AI (CHAI). If you believe that Google, Microsoft, Amazon (playing catchup), or other healthcare service companies like UnitedHealth Group’s Optum will twiddle their thumbs and wait for the Feds to set standards and (good grief) enforce disclosure on AI tools, this Editor has several lovely bridges for sale. POLITICO, Becker’s

CVS Health grouping health services and multi-payer assets under CVS Healthspire. Monday’s announcement at the Forbes Healthcare Summit will roll up new $20 billion acquisitions Oak Street Health and Signify Health along with 1,100 MinuteClinics, the CVS Caremark pharmacy benefit manager (PBM), CVS Specialty, and its new Cordavis operation that works with pharmaceutical companies to bring biosimilars to market. The rebranding, a clever melding of ‘health’ and ‘inspire’, will start this month and continue into 2024. It’s not revealed whether the current names will be sunsetted for CVS Healthspire, or whether they will keep their established brand names. The parallels are with Evernorth (Cigna), Optum (UnitedHealth Group), and Carelon (Elevance, the former Anthem) in creating a vertically integrated healthcare company. At Investor Day, CVS Pharmacy announced a cost-plus arrangement for retail prescriptions built on the cost of the drug, a set markup, and a fee that reflects the care and value of pharmacy services–clearly in competition with Mark Cuban Cost Plus. Forbes, FierceHealthcare, CVS release, Investor Day release

Clover Health exits the advanced value-based primary care program, ACO REACH. Clover’s exit at the end of the 2023 performance year, after two years, disbands their practice arrangements for CMS’ advanced original Medicare shared savings program, formerly Direct Contracting, and ends provision of beneficiary services after completing their required wrapups and reporting. It is part of their recent moves to become profitable, focusing on their Medicare Advantage business and Clover Assistant management. They outsourced their Medicare Advantage plan administration to UST HealthProof for a savings of $30 million and laid off 10% of staff as part of restructuring. A 2021 SPAC on Nasdaq that debuted above $16 and survived investigations by the SEC and DOJ now has shares trading under the $1.00 minimum for listing. Clover also finally settled seven shareholder lawsuits over its non-disclosure of the DOJ investigation at the time of the SPAC. Cleaning house is all part of living to fight another day, like other ‘insurtechs’ such as Oscar Health. Clover release, FierceHealthcare. Also: Looking back at insurtechs and their ‘disruption’, Insurtechs in the widening gyre

This ‘n’ that: HHS settles *2017* ransomware breach, Carbon Health lays off 114 in restructuring, why oh why VC General Catalyst wants a $3B health system, when Larry Met Billy, a lexicon of workplace terms

It only took five years to levy a $100,000 fine. Doctors’ Management Services, a Massachusetts-based medical management company, had a ransomware attack back in 2017 that exposed the personal health information of 206,695 individuals. The Health and Human Services (HHS) Office for Civil Rights (OCR), which is charged with actually enforcing penalties and remedies for data breaches, decided that Doctors’ Management hadn’t done quite enough to protect their patients. The cyberattack was identified in December 2018, but Doctors’ didn’t report the breach to OCR until April 2019. Their network had been infected with GandCrab ransomware. After determining various protection failures, HHS put them on a three-year corrective plan to protect their data and collected the $100,000 fine, their very first. But still, nearly four years later? And with breaches, ransomware, and hacking going on every day? Healthcare Dive

Another Covid unicorn comes down with a bang. Carbon Health, a 13-state network of primary care clinics along with virtual care in areas such as mental health, says ‘bye’ to 114 or 5% of its staff. It grew and got funded big during Covid as it set up testing and vaccine initiatives, achieving a valuation of $3 billion. In 2021, Covid accounted for 60% of their revenue, but as it waned in 2022, so did their revenue by 23%. To date, their funding has been over $622 million, with $100 million in January in a Series D funded by CVS Health Ventures. This isn’t their first big layoff–200 staffers said goodbye in January as well as 250 in mid-2022 which was about 8%. Becker’s

General Catalyst’s newest venture into Health Transformation Land, HATco, The Health Assurance Transformation Corporation, is in the market for a health system in the “$1 billion to $3 billion” range. Not so small as to lack an impact in their communities, and large enough to have capabilities around value-based care plus a track record of excellence. This is to create their ‘blueprint’ for healthcare transformation. Interested parties should contact CEO Marc Harrison, MD. Their other plans to get there were announced at HLTH. As to why…General Catalyst has had a lot of experience with companies, and perhaps they feel they have a Better Way to Get There. Becker’s, TTA 10 Oct.

Of Note…The second wealthiest executive in healthcare, Oracle’s Larry Ellison, wasn’t too busy to hang out with the third wealthiest on Forbes’ list, former senator and HCA honcho Bill Frist, in Nashville at the inaugural Frist Cressey Ventures Forum. Ellison is also investing in a 70-acre, $1.35 billion campus on Nashville’s riverfront. It’s always nice to make nice with the neighbors, especially when they have major holdings in a large health corporation. Becker’s

To wrap up This ‘N’ That, Becker’s has a useful article that will keep you au courant on those workplace terms you see on places like LinkedIn. ‘Quiet quitting’, so popular in 2021-22, has had its day with layoffs leading to real ‘quitting’, leaving behind ‘grumpy stayers’ who try to get away with ‘Bare Minimum Mondays’. ‘Coffee badging’ was a new one on your Editor. The rest are catchy phrases for things as old as time in the workplace.

Short takes: follow up on Cano Health’s survival moves, eMed transitioning Babylon Health UK but Babyl Rwanda shuts, DEA extends telehealth prescribing for controlled substances through 2024

Cano Health takes the reverse stock split option to stay solvent. In Cano’s latest telenovela episode, a familiar stratagem for companies to drive up a dangerously low share price is the reverse stock split, usually in a large ratio. Cano is facing delisting on the NYSE as its shares traded, as of 11 September, below the $1 minimum for 30 days. [TTA 29 Sept] Shareholders are being asked to approve a 1-for-60 ratio, with the board having the right to adjust it down to 1-for-5 and up to 1-for-100, for both Class A and B common stock. At the current share price of $0.21, a new share’s value would be $12.60. No meeting date has been set, though the press release bluntly states that 30% shareholder ITC Rumba, LLC and the 20% held by current and former members of management and the board intend to vote in favor of it, achieving the necessary simple majority. 1:60 does sound last-ditch, reminiscent of Babylon Health’s late 2022 moves in a 1-for-25 exchange, before attempting to go private–and we know how that turned out. Release

eMed transitioning Babylon Health services in the UK. A check on Babylon Health’s UK website provides FAQs for current users. It leads with promises to expand digital-first primary care services on this registration page for visits, and to develop a chronic care management service starting with medical weight management using Wegovy. The FAQs also state there will be no disruptions to GP at Hand. There is a rebranding (left/above) that sunsets the Babylon name but retains the stylized heart.

Babyl Rwanda’s separate website and the eMed pages for Babyl Rwanda are still up, but a local report from 24 September states that the company has ceased operations in Rwanda. As of August, the government was scrambling to find buyers and to maintain operations for 2.4 million Rwandans. “According to Julien Mahoro Niyingabira, the Rwanda Health Communication Centre (RHCC) Division Manager, the Ministry of Health is in discussions with Babyl Rwanda to ensure continuity of services despite the closure of Babylon Health.” How that will be possible without a buyer to pay employees and maintain the operation is debatable. The New Times (Rwanda)

As for the US, the Babylon Health US site also remains up and intact with a small disclaimer at the top that US services are no longer available and to contact your health plan. It is the same as on our last visit on 14 September. It is odd to see, after another month, that no one has disabled the US services or corporate pages such as Investors. This is possibly because the architecture for the US pages is off the UK site (the tab at top has the eMed logo) and nobody is left in the US operation to take down the pages. The US operation, in Chapter 7 bankruptcy liquidation, is now in the tender hands of the US bankruptcy courts, where filings, documentation, and processes move slowly indeed with no further public news.

And when you can’t decide, extend. The Drug Enforcement Administration (DEA) and Health and Human Services (HHS) once again are extending Covid-time flexibilities for prescribing controlled substances through 2024.  After 38,000 comments on the proposed changes to rules after the last extension in May, DEA and HHS punted again on reimposing Ryan-Haight Act restrictions that would require in-person evaluations/visits prior to prescribing. This allows clinicians to prescribe Schedule II–V controlled medications via audio-video telemedicine encounters, including Schedule III–V narcotic controlled medications approved by the Food and Drug Administration (FDA) for maintenance and withdrawal management treatment of opioid use disorder. Final rules will be timed for Fall 2024. Another year’s breathing room for  6 Oct DEA announcement, Federal Register 10 October “Second Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications”, Healthcare Dive

Short takes: CVS’ $1.12M Q2 net income loss, forecast spurs 5,000 layoffs; Signify’s in-home kidney exams; Indonesia’s Halodoc $100M D; FeelBetter raises $5.9M; Medicare breach hits 612,000 beneficiaries

A mixed picture for CVS Health. Their Q2 reporting was almost schizophrenic, depending on whose reporting you read. Healthcare Finance highlighted their $1.12M net income loss–tiny when compared to the size of the company–but apparently one of the factors driving a layoff of 5,000 corporate, non-customer facing staff. From FierceHealthcare, CVS is still quite profitable at $1.9 billion, but that is down 36%. Revenue of $88.9 billion was up 10% from prior year. The results beat Wall Street analyst estimates of $2.12/share with adjusted earnings of $2.21/share.

Despite the overall good picture of Q2, financial projections trended down for the full year. CVS in Q2 started a restructuring plan which cost $496 million in pre-tax income, expected to be completed by year’s end. 2023 is projected to have increased Medicare Advantage costs, higher drug utilization, and lower consumer spending expectations affecting retail operations. Added to their acquisition binge of Signify Health and Oak Street Health, which together totaled $18.6 billion, their earnings per share projections for 2024 fell from $9 to a range of $8.50 to $8.70. Timing was not disclosed for the 5,000-person reduction among corporate staff. It is not known whether this will affect Aetna and CVS Caremark (pharmacy benefit). CVS has 300,000 employees (75% full time) including part and full-time retail workers. They are also reducing corporate travel, plus the use of consultants and vendors. (CVS is known to have extremely low contractor rates already.) The restructuring is projected to save $700 to $800 million next year, but cold comfort to the 5,000 who won’t be there. FierceHealthcare. We’ll see.

One of those CVS purchases, Signify Health, is moving forward with an in-home option for evaluating kidney function as part of in-home exams of Medicare Advantage members. This evaluation will include urinalysis and estimated glomerular filtration rate testing which are relatively simple and cost-effective to administer in-home. It fits within their in-home exam protocols and will support early detection and diagnosis of kidney disease plus management of those with chronic kidney disease for earlier and better treatment. End-stage renal disease (ESRD) costs $37.3 billion to Medicare. FierceHealthcare

Going far, far East to Indonesia, virtual health provider Halodoc scored $100 million in a Series D funding round. Lead investor was Astra International with Openspace and Novo Holdings. This brings their total funding to $245 million. Halodoc provides online and app-based health services for a claimed 20 million active platform users. Services include telehealth, medicine ordering, lab tests, and doctor appointment booking. They also manage third-party health insurance purchase and at-home health testing. Their network includes more than 20,000 medical practitioners, 3,300 hospitals, and 4,900 pharmacies. On the website, there are a wide variety of services, including wellness. Unfortunately, to read it, you’ll have to know Indonesian (Malay)–and there are some pictures of intriguing recipes there! Mobihealthnews

Contrast this with an exceedingly modest raise by a new Boston/Tel Aviv medication management company, FeelBetter. Their $5.9 million unlettered raise was led by Firstime Ventures and Shoni Health Ventures, with participation from Random Forest VC, The Group Ventures, and previous investor Triventures, for a total of $8 million. FeelBetter uses AI tools to create what they call Pharmaco-Clinical Intelligence to identify patients at risk and deliver insights on gaps in care, personalizing medication management to address the risks of polypharmacy. Release, Mobihealthnews. They also issued a study on how FeelBetter could be used to effectively risk-stratify emergency department use and hospitalizations among patients 65+ with multiple chronic conditions and complex medication regimens, to avoid the 10-30% of hospitalizations that involve medication issues. Release

No week seems to pass by without a data breach of some sort, but it’s unusual when Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) are attached to it. A contractor to the Medicare program, Maximus Federal Services, Inc. (Maximus), used a vendor, Progress Software, and their MOVEit Transfer software, which is a popular file transfer software for transmitting sensitive data. There was a vulnerability in this software that has previously been exploited by the Russian ransomwareists CLOP, with Johns Hopkins currently being sued for their breach [TTA 19 July]. Maximus detected the unusual activity, an outside entity copying files, from 27 to 31 May. CMS is reporting that about 612,000 Medicare beneficiaries may have been affected by the breach, which may have exposed personally identifiable information (PII) and/or protected health information (PHI). CMS and Maximus are notifying the beneficiaries this week and offering 24 months of free credit monitoring service. CMS release, Federal News Network, Progress page, Deep Instinct backgrounder on MOVEit’s zero-day vulnerability

FTC, HHS OCR scrutiny tightens on third-party ad trackers, sends letter to 130 hospitals and telehealth providers

If you’ve checked on your legal department, they may resemble Pepper (left). Hospitals and telehealth companies have been put on notice by letter agencies HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) that personal health information–not just protected health information (PHI) covered by HIPAA–that can be transmitted to third parties by ad trackers like Meta Pixel is now forbidden, verboten, not permitted. In the joint statement by OCR and FTC, hospitals, providers, and telehealth providers were explicitly told that use of these online trackers is being equated with violations of consumer privacy. Their release specified “sensitive information” such as health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Hospitals and telehealth companies also cannot plead ignorance of what their developers did, as the responsibility is being put squarely on them to monitor the data going to third parties out of websites and apps.

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. At OCR, which historically had its hands full with HIPAA violations and data breaches, the scope has broadened. “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.” Both HHS and FTC can take action without the time-consuming legal actions that DOJ must undertake.

True to FTC’s renewed use of the 2009 Health Breach Notification Rule, the letter sent to 130 hospital systems and telehealth providers came down hard on anything that could be interpreted as personal health information. Even for health organizations not covered by HIPAA, the letter is explicit on their obligation to protect against disclosure to third parties and to monitor the flow to third parties even if not used for marketing. Without explicit consumer authorization, it can “violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.” Previous TTA coverage on third-party trackers and FTC actions here. Health IT Security
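The obligation described above is to know what leaves your own pages for third parties. One way a hospital or telehealth web team can start that review is a static inventory of every host a page loads resources from, including loader URLs buried inside inline scripts (the usual shape of a pixel bootstrap snippet). The following is an added example written for this post, not code from TTA, OCR or the FTC; the sample page, the first-party host `example-hospital.org` and the `KNOWN_TRACKER_HOSTS` list are constructed assumptions that a real audit would replace with its own vendor review.

```python
"""Inventory third-party resource hosts in an HTML page (tracker audit).

Added, constructed example; not from the TTA post or any regulator.
Assumptions: the first-party host and KNOWN_TRACKER_HOSTS are illustrative.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative hosts associated with ad/analytics trackers (assumption: a real
# audit maintains this list from its own data-flow review of each vendor).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net",      # Meta Pixel script loader
    "www.facebook.com",          # Meta Pixel image beacon endpoint (/tr)
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


class ResourceCollector(HTMLParser):
    """Collect URLs from resource-loading attributes and from inline script text."""

    SRC_ATTRS = {"src", "href", "data-src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in self.SRC_ATTRS and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline loaders embed the real tracker URL inside JavaScript, so the
        # script body is scanned for URL literals as well.
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def third_party_hosts(html, first_party_host):
    """Return the set of hosts the page loads from, excluding first-party hosts."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and host != first_party_host and not host.endswith("." + first_party_host):
            hosts.add(host.lower())
    return hosts


def audit(html, first_party_host, known_trackers=KNOWN_TRACKER_HOSTS):
    """Split third-party hosts into known trackers and unreviewed other vendors."""
    hosts = third_party_hosts(html, first_party_host)
    return {
        "trackers": sorted(h for h in hosts if h in known_trackers),
        "other_third_party": sorted(h for h in hosts if h not in known_trackers),
    }


# Constructed sample page for a hypothetical hospital site (not a real page).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-hospital.org/static/app.js"></script>
<script>
  // constructed pixel-style bootstrap: the loader URL lives inside JS
  (function(){var s=document.createElement('script');
  s.src='https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);})();
</script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<h1>Find a doctor: oncology</h1>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1" width="1" height="1">
<iframe src="https://widgets.example-vendor.test/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "example-hospital.org"))
```

Everything in `other_third_party` is a vendor that still needs a documented answer to "what does this receive, and is there a BAA or consent covering it"; a static scan like this does not see scripts injected at runtime, so it complements, rather than replaces, a review of actual network traffic from the live site.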

Between the DOJ and FTC alone, with actions on ad trackers and changes to antitrust guidelines, they have made the spring and summer of 2023 a most interesting and busy one for hospital and healthcare company legal departments. It’s even more amazing that given this background and on notice, Amazon just keeps flouting basic regulations about health information usage, such as for Amazon Clinic–which to date has not rolled out. TTA 27 June

‘KillNet’ Russian hacktivist group targeting US, UK health info in Ukraine revenge: HHS HC3 report

Warnings about DDoS (distributed denial of service) ramped up at the end of last year–only three weeks ago. Here’s one reason why. “KillNet” is a pro-Russian hacktivist (hackers who advance a cause) group that recently claimed responsibility for DDoS attacks as payback for US and UK military support of Ukraine. A senior member of KillNet with the nom de guerre Killmilk has threatened the US in general “with the sale of the health and personal data of the American people because of the Ukraine policy of the US Congress”.

The US Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3)’s Analyst Note (link to PDF) gave two examples of KillNet claims:

  • A “US-based healthcare organization that supports members of the US military and claimed to possess a large amount of user data from that organization”
  • Hacking threats against the NHS, specifically ventilators in hospitals and the Ministry of Health. This was in reaction to the May 2022 arrest of a 23-year-old alleged KillNet member accused of being connected to attacks on Romanian government websites. KillNet demanded his release in return for not attacking. Daily Mail  

Other institutions are hardly exempt. In the UK, KillNet DDoS attacks in November reportedly affected Bankers Automated Clearing Service (BACS), the London Stock Exchange, and the official website of the Prince of Wales. Computer Weekly

DDoS attacks are their leading weapon. KillNet uses publicly available DDoS scripts and IP stressers for most of its operations although it has its own. Before aligning with Russian state interests, it was a hacking-for-hire operation available for $1,350 per month, including a single botnet with a capacity of 500GB per second and 15 computers. This Editor noted previously that DDoS attacks may be a convenient cover or smokescreen for other cybercrime activity. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks may be taking place. [TTA 22 Dec 22].

This updates an earlier Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory (CSA) jointly issued by the US, UK, Australia, and New Zealand (the Five Eyes group), that broadly assessed multiple threats from Russian state organizations such as the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), as well as cybercrime groups like KillNet which have aligned themselves for the duration with Russia. KillNet has grown over the past year and now has subgroups organized under Cyber Special Forces of the Russian Federation and LEGION 2.0. SOC Radar

The best defense is a good offense. HC3’s advice on preparation to mitigate a DDoS threat includes enabling web application firewalls to mitigate application-level DDoS attacks and implementing a multi-content delivery network (CDN) solution to minimize the threat of DDoS attacks by distributing and balancing web traffic across a network. The HC3 Analyst Note is heavily footnoted with other sources for additional incidents. SC Media, Cybernews
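The two points above, that a flood has to be spotted quickly enough to engage WAF or CDN rate limits, and that the flood may be cover for quieter activity, can be checked from ordinary web access logs. The following is an added example written for this page, not code from HC3 or from any of the sources cited: it parses a constructed Common Log Format sample (hypothetical IPs, timestamps, paths and thresholds, all made up for the illustration), flags ten-second windows whose volume is far above a stated baseline together with the sources that dominate them, and then lists requests to sensitive paths during the flood that did not come from those sources.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format with a trailing size field. Constructed for the sample
# below; real deployments parse whatever format their server actually emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def bucket_by_window(events, window_seconds=10):
    """Group events into fixed windows: {window_start_epoch: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for ev in events:
        epoch = int(ev["ts"].timestamp())
        buckets[epoch - epoch % window_seconds][ev["ip"]] += 1
    return buckets


def flag_flood_windows(buckets, baseline_rps, window_seconds=10, factor=10, top_n=3):
    """Return [(window_start, total_hits, top_sources)] for windows whose volume is
    more than `factor` times the expected baseline. The top sources are the
    candidates for WAF/CDN rate limits or upstream blocking."""
    threshold = baseline_rps * window_seconds * factor
    flagged = []
    for start in sorted(buckets):
        total = sum(buckets[start].values())
        if total > threshold:
            tops = [ip for ip, _ in buckets[start].most_common(top_n)]
            flagged.append((start, total, tops))
    return flagged


def sensitive_hits_during_flood(events, flagged, window_seconds=10,
                                sensitive_prefixes=("/admin", "/login", "/api/export")):
    """The smokescreen check: requests to sensitive paths inside a flood window that
    did NOT come from the flood's dominant sources. These are the lines the noise
    would otherwise bury. The prefix list is a hypothetical placeholder."""
    windows = {start: set(tops) for start, _, tops in flagged}
    hits = []
    for ev in events:
        epoch = int(ev["ts"].timestamp())
        start = epoch - epoch % window_seconds
        if (start in windows and ev["ip"] not in windows[start]
                and ev["path"].startswith(sensitive_prefixes)):
            hits.append((ev["ip"], ev["path"], ev["status"]))
    return hits


def make_sample_log():
    """Constructed sample: a quiet window, then a ten-second flood from three
    documentation-range addresses, with one request to an admin export path from
    an unrelated address hidden inside the flood."""
    def line(ip, second, path, status=200):
        return (f'{ip} - - [01/Jan/2023:10:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512')
    lines = [line("198.51.100.5", s, "/index.html") for s in range(0, 5)]
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        lines += [line(ip, 10 + (i % 10), "/", 503) for i in range(80)]
    lines.append(line("192.0.2.77", 14, "/admin/export?all=1", 200))
    return lines


def triage(lines, baseline_rps=2.0):
    """Run the whole pipeline over raw log lines; baseline_rps is an assumed
    normal request rate for the site."""
    events = [ev for ev in map(parse_line, lines) if ev]
    flagged = flag_flood_windows(bucket_by_window(events), baseline_rps)
    return flagged, sensitive_hits_during_flood(events, flagged)


if __name__ == "__main__":
    flagged, suspicious = triage(make_sample_log())
    for start, total, tops in flagged:
        print(f"flood window @{start}: {total} hits, top sources {tops}")
    for ip, path, status in suspicious:
        print(f"non-flood request to sensitive path during flood: {ip} {path} {status}")
```

The baseline rate and the multiplier are the operator's choice; the useful output for the incident is less the flood total than the short second list, which is what a responder reviews once the CDN and WAF have absorbed the volume.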

Wednesday news roundup: Oracle scrutinizing outside vendors, cloud change coming for Cerner EHRs, audio-only telehealth can continue after PHE–HHS, Proximie connected surgery raises $80M (UK)

Oracle moving quickly to change Cerner’s outside vendors to Oracle products and move their EHRs to Oracle cloud services. Will this fly with health systems and providers? An immediate change that will resonate with current Cerner EHR users is Oracle’s immediate moves to replace Cerner’s current third-party vendors with Oracle services and technology. So if your Cerner EHR has something you like but it comes from a third-party vendor, enjoy it while you can. Do expect that Oracle will be selling other products like Enterprise Resource Planning Cloud, administrative systems, and supply chain into providers and health systems–hard. From the earnings call, CEO Safra Catz: “We remain confident in our ability to grow Cerner’s top line and bottom line faster than they were able to do so on their own as these changes are implemented.”

The major and quickest move specified in yesterday’s Oracle earnings call (transcript) will be to move Cerner to OCI–Oracle Cloud Infrastructure. Further down in Catz’s remarks, Cerner is expected to account for 20 points of their cloud growth in Q1 2023 (starting 1 June 2022). When Cerner has added $15.8 billion of debt to the balance sheets, it’s to be expected. HISTalk, Becker’s

What happens to audio-only telehealth at the end of the pandemic Public Health Emergency (PHE)? HHS has just issued guidance that will permit telehealth, including audio-only, services to continue. According to the HHS release, “HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.” There are specific requirements such as how the HIPAA Security Rule applies to electronic media and electronic protected health information (ePHI). The full guidance is here.

UK surgical connectivity platform Proximie raises $80 million. London-based Proximie, a system that connects surgeries with pre-operative patient information, collaborative tools, and post-operative content distribution, completed a Series C with participation from Emerson Collective (the impact investor founded by Laurene Powell Jobs), SoftBank Vision Fund 2, British Patient Capital, Mubadala Investment Company, and the Minderoo Foundation, plus previous investors. The raise is unusually large (in this Editor’s opinion) for the UK, particularly at this uncertain time. Proximie has supported over 13,000 surgeries in 100 countries, contracts with over 35 major medical device companies such as Stryker and Abbott, and has been used in 500 hospitals across 50 countries. The company is a partner with Teladoc and Vodafone Business. Release.

Weekend short takes: ATA, APA call for permanent in-person evaluation waiver, mental healthtech raised $5.5B in 2021, Allscripts sells hospital/large physician EHRs to Harris Group for $700M, Cognizant-Microsoft extends telehealth-RPM

72 groups asking for permanent telehealth in-person evaluation waiver prior to prescribing controlled substances. The American Telemedicine Association (ATA), ATA Action, and the American Psychiatric Association (APA) plus 69 other healthcare groups have written the Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) to make the temporary waiver of in-person patient evaluation prior to prescribing controlled substances permanent, and to remove restrictions on patient location. The rationale is to increase access to care, specifically for mental health and substance use disorder treatment. Currently, under the soon-to-be ending COVID-19 public health emergency (PHE), mental health providers can prescribe controlled substances remotely through a telemedicine consult. The letter points out that studies confirm efficacy, clinician and dispensing would remain under current restrictions, and that DEA and HHS can work together to prevent drug diversion. Other signatories include Babylon Health, Teladoc, Zipnosis, One Medical, and Northwell Health. ATA release, ATA/APA letter.

Mental healthtech’s banner 2021 totaled $5.5 billion across 324 international deals. Industry researcher CB Insights found that:

  • Investment was up 139% versus 2020
  • Exits were also up 87% (43 versus 23). Of the 43, there were 35 M&As, five SPACs and three IPOs.
  • US companies dominated in mental health, raising $4.5 billion; EU $651 million, and Asia $289 million
  • Mega-rounds ($100 million+) totaled 15, all US and in Q4, versus four in 2020.

State of Mental Health Tech 2021 Report free download available on the CB Insights page. Mobihealthnews

Allscripts is unloading its declining hospital and large physician practice EHRs to Ottawa-based Harris Group for $700 million in a cash plus contingent deal. The Allscripts EHRs in the transaction are Sunrise, Paragon, Allscripts TouchWorks, Allscripts Opal, and dbMotion. Although the unit generated gross revenue of $928 million in 2021, its revenue was expected to decline 3-4% and EBITDA to shrink 10-15% in 2022. Allscripts is retaining Veradigm, which is growing 6-7% annually, and stated that expected after-tax proceeds of $600 million will be used for share repurchase and potential M&A related to Veradigm. Harris Group acquires and manages computer systems companies in North America, Europe, Asia, and Australia covering four sectors: public, private, healthcare, and utilities. It is owned by Toronto-based Constellation Software. HISTalk reports on the Allscripts investor call, Constellation release

Cognizant announced a collaboration with Microsoft Cloud for Healthcare to extend telehealth and remote patient monitoring (RPM) capabilities for their offerings combining remote patient monitoring and virtual health, utilizing connected devices such as smartwatches, blood pressure monitors, and glucose meters to collect and communicate patient health data to providers. Cognizant release

CMS clarifies telehealth policy expansion for Medicare in COVID-19 health emergency, including non-HIPAA compliant platforms (US)

Today (17 March), the Center for Medicare and Medicaid Services (CMS) issued a Fact Sheet and FAQs explaining how the expanded telehealth provisions under the Coronavirus Preparedness and Response Supplemental Appropriations Act and the temporary 1135 waiver will work. The main change is to (again) temporarily expand real-time audio/video telehealth consults in all areas of the country and in all settings. The intent is to maintain routine care of beneficiaries (patients), curb community spread of the virus through travel and in offices, limit spread to healthcare providers, and to keep vulnerable beneficiaries, or those with mild symptoms, at home. Usage is not limited to those who suspect or already are ill with COVID-19.

Previously, only practices in designated rural health areas were eligible for telehealth services, in addition to designated medical facilities (physician office, skilled nursing facility, hospital) where a patient would be furnished with a virtual visit. 

The key features of the 1135 telehealth waiver are (starting 6 March):

  • Interactive, real-time audio/video consults between the provider’s location (termed a ‘distant site’) anywhere in the US and the beneficiary (patient) at home will now be reimbursed. The patient will not be required to go to a designated medical facility.
  • Providers include physicians and certain non-physician practitioners such as nurse practitioners, physician assistants and certified nurse-midwives. Other providers such as licensed clinical social workers (LCSW) and nutritionists may furnish services within their scope of practice and consistent with Medicare benefit rules.
  • Surprisingly, there is ‘enforcement discretion’ on the requirement existing in the waiver that there be a prior relationship with the provider. CMS will not audit for claims during the emergency. (FAQ #7)
  • Even more surprisingly, the requirement that the audio/visual platform be HIPAA-compliant, as enforced by the HHS Office of Civil Rights (OCR), is also being waived for the duration (enforcement discretion again), which enables providers to use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype–but not public-facing platforms such as Facebook Live, Twitch, or TikTok. Telephones may be used as explicitly stated in the waiver in Section 1135(b) of the Social Security Act. (FAQ #8) More information on HHS’ emergency preparedness page and OCR’s Notification of Enforcement Discretion.
  • On reimbursement, “Medicare coinsurance and deductible would generally apply to these services. However, the HHS Office of Inspector General (OIG) is providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs.”

Concerns for primary care practices of course are readiness for real-time audio/video consults, largely addressed by permitting telephones to be used, as well as Skype and FaceTime, and what services (routine care and COVID-19 diagnosis) will be offered to patients.

This significant expansion will remain in place until the end of the emergency (PHE) as determined by the Secretary of HHS.

In 2019, CMS also expanded telehealth in certain areas, such as Virtual Check-Ins, which are short (5-10 minute) patient-initiated communications with a healthcare practitioner which can be by phone or video/image exchange by the patient. This could be ideal for wound care where this Editor has observed, in one of her former companies, how old phones are utilized to send wound images to practices for an accurate ongoing evaluation via special software. E-Visits use online patient portals for asynchronous, non-face-to-face communications, initiated by the patient. These both require an established physician-patient relationship. Further details on both of these are in the Fact Sheet, the FAQs, and the HHS Emergency Preparedness page with links.

The American Medical Association issued a statement today approving of the policy changes, and encouraged private payers to also cover telehealth. The American Telemedicine Association didn’t expand upon its 5 March statement praising the passage of the Act but advocated for increased cross-state permission for telehealth consults.

Additional information at HISTalk today and Becker’s Hospital Review.

Google’s ‘Project Nightingale’–a de facto breach of 10 million health records, off a bridge too far?

Breaking News. Has this finally blown the lid off Google’s quest for data on everyone? This week’s uncovering, whistleblowing, and general backlash on Google’s agreement with Ascension Health, the largest non-profit health system in the US and the largest Catholic health system on the Planet Earth, revealed by the Wall Street Journal (paywalled) has put a bright light exactly where Google (and Apple, Facebook, and Amazon), do not want it.

Why do these giants want your health data? It’s all about where it can be used and sold. For instance, it can be used in research studies. It can be sold for use in EHR integration. But their services and predictive data is ‘where it’s at’. With enough accumulated data on both your health records and personal life (e.g. not enough exercise, food consumption), their AI and machine learning modeling can predict your health progression (or deterioration), along with probable diagnosis, outcomes, treatment options, and your cost curve. Advertising clicks and merchandising products (baby monitors, PERS, exercise equipment) are only the beginning–health systems and insurers are the main chance. In a worst-case and misuse scenario, the data modeling can make you look like a liability to an employer or an insurer, making you both unemployable and expensively/uninsurable in a private insurance system.

In Google’s latest, their Project Nightingale business associate agreement (BAA) with Ascension Health, permissible under HIPAA, allowed them apparently to access in the initial phase at least 10 million identified health records which were transmitted to Google without patient or physician consent or knowledge, including patient name, lab results, diagnoses, hospital records, patient names and dates of birth. This transfer and the Google agreement were announced by Ascension on 11 November. Ultimately, 50 million records are planned to be transferred from Ascension in 21 states. According to a whistleblower on the project quoted in The Guardian, there are real concerns about individuals handling identified data, the depth of the records, how it’s being handled, and how Google will be using the data. Ascension doesn’t seem to share that concern, stating that their goal is to “optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care” which is a bit of word salad that leads right to Google’s Cloud and G Suite capabilities.

This was enough to kick off an inquiry by Health and Human Services (HHS). A spokesperson confirmed to Healthcare Dive that “HHS’ Office of Civil Rights is opening an investigation into “Project Nightingale.” The agency “would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA,” OCR Director Roger Severino said in an emailed statement.”

Project Nightingale cannot help but aggravate existing antitrust concerns by Congress and state attorneys general on these companies and their safeguards on privacy. An example is the pushback around Google’s $2.1 bn acquisition of Fitbit, which one observer dubbed ‘extraordinary’ given Fitbit’s recent business challenges, and data analytics company Looker. DOJ’s antitrust division has been looking into how Google’s personalized advertising transactions work and increasingly there are calls from both ends of the US political spectrum to ‘break them up.’ Yahoo News

Google and Ascension Health may very well be the ‘bridge too far’ that curbs the relentless and largely hidden appetite for personal information by Google, Amazon, Apple, and Facebook that is making their very consumers very, very nervous. Transparency, which seems to be a theme in many of these articles, isn’t a solution. Scrutiny, oversight with teeth, and restrictions are.

Also STAT News, The Verge on Google’s real ambitions in healthcare, and a tart take on Google’s recent lack of success with acquisitions in ZDNet, ‘Why everything Google touches turns to garbage’. Healthcare IT News tries to be reassuring, but the devil may be in Google’s tools not being compliant with HIPAA standards. Further down in the article, Readers will see that HIPAA states that the agreement covers access to the PHI of the covered entity (Ascension) only to have it carry out its healthcare functions, not for the business associate’s (Google’s) independent use or purposes.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containing healthcare device loss and theft through education and enforcement of employee practices. What continues is that the major cause of breaches remains insider-related, via error and wrongdoing; the major annual Verizon report finds the same. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Babylon Health’s ‘GP at hand’ not at hand for NHS England–yet. When will technology be? Is Carillion’s collapse a spanner in the works?

NHS England won’t be rolling out the Babylon Health ‘GP at hand’ service anytime soon, despite some success in their London test with five GP practices [TTA 12 Jan]. Digital Health cites an October study by Hammersmith and Fulham CCG (Fulham being one of the test practices) which, to this Editor, expresses both excitement at an innovative approach and the same easy-to-see drawback:

The GP at Hand service model represents an innovative approach to general practice that poses a number of challenges to existing NHS policy and legislation. The approach to patient registration – where a potentially large volume of patients are encouraged to register at a physical site that could be a significant distance from both their home and work address, arguably represents a distortion of the original intentions of the Choice of GP policy. (Page 12)

There are also concerns about complex needs plus other special needs patients (inequality of service), controlled drug policy, and the capacity of Babylon Health to expand the service. Since the October report, a Babylon spokesperson told Digital Health that “Commissioners have comprehensively signed off our roll-out plan and we look forward to working with them to expand GP at Hand across the country.” 

Re capitation, why ‘GP at hand’ use is tied into a mandatory change of GP practices has left this Editor puzzled. In the US, telemedicine visits, especially the ‘I’ve got the flu and can’t move’ type or to specialists (dermatology) are often (not always) separate from whomever your primary care physician is. Yes, centralizing the records winds up being mostly in the hands of US patients unless the PCP is copied or it is part of a payer/corporate health program, but this may be the only way that virtual visits can be rolled out in any volume. In the UK, is there a workaround where the patient’s electronic record can be accessed by a separate telemedicine doctor?

Another tech head-shaker: 45 percent of GPs want technology-enabled remote working. 48 percent expressed that flexible working and working from home would enable doctors to provide more personalized care. Allowing remote working to support out-of-hours care could not only free up time for thousands of patient appointments but also level out doctor capacity disparities between regions. The survey here of 100 GPs was conducted by a cloud-communications provider, Sesui. Digital Health. This is a special need that isn’t present in the US except in closed systems like the VA, which is finally addressing the problem. The wide use of clinical connectivity apps enables US doctors to split time from hospital to multiple practices–so much so on multiple devices, that app security is a concern. 

Another head-shaker. 48 percent of missed NHS hospital appointments are due to letter-related problems, such as the letter arriving too late (17 percent), not being received (17 percent) or being lost (8 percent). 68 percent prefer to manage their appointments online or via smartphone. This preference has real financial impact as the NHS estimates that 8 million appointments were missed in 2016-2017, at a cost of £1bn. Now this survey of 2,000 adults was sponsored by Healthcare Communications, a provider to 100 NHS trusts with patient communications technology, so there’s a dog in the hunt. However, they developed for Barnsley Hospital NHS Foundation Trust a digital letter technology that is claimed to reduce outpatient postal letters by 40 percent. Considering my dentist sends me three emails plus separate text messages before my twice-yearly exam…. Release (PDF).

Roy Lilley’s daily newsletter today also engages the Tech Question and the “IT desert” present in much of the daily life of the NHS. Trusts are addressing it, junior doctors are WhatsApping, and generally, clinicians are hot-wiring the system in order to get anything done. It is much like the US about five to seven years ago where US HHS had huge HIPAA concerns (more…)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), and over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting is improving, with reports to HHS, the media, or state attorneys general averaging 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August. Hat tip to Guy Dewsbury via LinkedIn

Want to know effectiveness of telehealth, interoperability? NQF reports take their measure.

There’s been an increase in doubt about the efficacy of telemedicine (virtual visits) and telehealth (vital signs monitoring) as a result of the publication of two recent long-term studies, one conducted by the University of Wisconsin and the other by CCHSC for Telemonitoring NI [TTA 13 Sep]. These follow studies that were directionally positive, and in a few cases like the VA studies conducted by Adam Darkins, very much so, but mostly flawed or incomplete (low N, short term, differing metrics). What’s missing is a framework for assessing the results of both. In an exceptionally well-timed announcement, the National Quality Forum (NQF) announced their development of a framework for assessing the quality and impact of telehealth services. 

In a wonder of clarity, the NQF defines telehealth’s scope as telemedicine (live patient-provider video), store-and-forward (e.g. radiology), remote patient monitoring (telehealth), and mobile health (smartphone apps). Measurement covers four categories: patients’ access to care, financial impact to patients and their care team, patient and clinician experience, and effectiveness of clinical and operational systems. Within these categories, NQF identified six areas as having the highest priority for measurement: travel, timeliness of care, actionable information, added value of telehealth to provide evidence-based practices, patient empowerment, and care coordination. Finally, the developing committee identified 16 measures that can be used to measure telehealth quality.

The NQF also issued a similar framework for interoperability, a bête noire that has led many a clinician and developer to the consumption of adult beverages. Again there are four categories: the exchange of electronic health information, its usability, its application, and its impact—on patient safety, costs, productivity, care coordination, processes and outcomes, and patients’ and caregivers’ experience and engagement. And it kept the committee very busy indeed with, from the release, “53 ideas for measures that would be useful in the short term (0-3 years), in the mid-term (3-5 years) and in the long-term (5+ years). It also identified 36 existing measures that serve as representative examples of these measure ideas (sic) and how they could be affected by interoperability.”

Both reports were commissioned and funded a year ago by the US Health & Human Services Department (HHS). We will see if these frameworks are extensively used by researchers.

NQF release, Creating a Framework-Telehealth (download link), Creating a Framework-Interoperability (download link), Mobihealthnews