News roundup: GoodRx pays $1.5M to FTC on Meta Pixel use, ATA concerns on Covid PHE end, defending Livongo sale to Teladoc, Philips lays off 18K, Amazon health layoffs–and big ’22 loss, Ireland HSE digital head quits, Matt Hancock assaulted on Tube

Rounding up the week–and it’s not over. 

Prescription discounter GoodRx settled with the FTC for $1.5 million for the unauthorized sharing of user health data with Facebook, Google, Criteo, and other advertising sites. GoodRx used the Meta Pixel and other JavaScript trackers in software development kits (SDKs) to share user data with third-party advertisers, who would then be capable of serving personalized health and medication-specific ads to GoodRx users. This differs from the earlier Meta Pixel incidents, which involved hospitals using the tracker on their website appointment schedulers and patient portals, exposing protected health information (PHI) under HIPAA regulations. GoodRx is not a covered entity, and thus does not fall under HIPAA violations of PHI.

For the first time, the Federal Trade Commission (FTC) used the Health Breach Notification Rule, created in 2009, in charging GoodRx in a Federal court with misuse of consumer health information. The action was taken in US District Court for the Northern District of California, which has yet to approve the FTC order and the settlement.

GoodRx responded to the charges in their release, stating that they stopped using pixel trackers in 2019 to protect user privacy. The trackers transmitted no PHI but primarily IP addresses and web page URL information. GoodRx maintains that this is a “novel application” of the Health Breach rule. But they settled with the FTC to avoid ‘the time and expense of protracted litigation’ on privacy issues they’ve already updated. HISTalk, The Markup, FierceHealthcare, TTA’s Meta Pixel articles

The good news for most of us is that the Public Health Emergency for Covid-19 will be ending 11 May. Not such good news, according to ATA and ATA Action, for mental health patients. While the omnibus budget passed at the end of the 117th Congress last year extended many telehealth provisions for two years [TTA 4 Jan], it did not extend the remote prescribing of controlled substances as part of the Ryan Haight Act. They are urging the Drug Enforcement Administration to release its rules for special registration for telemedicine as a first step. Release

With Teladoc’s $6.6 billion writeoff of the costs of acquiring Livongo in Q1 2022 [TTA 4 May 22], did Teladoc pick up an $18 Billion Bunch of Lemons in Livongo? Or did Teladoc mess up the expensive buy? You have to hand it to MedCityNews’ Arundhati Parmar for asking that burning question of Zane Burke, who was Livongo’s CEO at the time and the engineer of the sale, now CEO of Quantum Health. Not surprisingly, he said that “When we left the business, it was a freaking good business”, had just turned a big funding, was EBITDA positive, and wasn’t seeking a buyer. The massive difference was in the cultures, a ‘chasm’ that wasn’t bridged. One indicator: none of the top 16 Livongo executives stayed with Teladoc–and they were not required to as a condition of the sale. Teladoc considered it a ‘roll up’. 

This Editor was skeptical about it from the start–see TTA analyses 6 August and 11 August, as it happened in 2020. And while many smart observers were enthusiastic, others were not–the synergies (forgive me) they saw and the bottom line boosts were not there as predicted. In retrospect, which is always 20/20, it’s now proven to be a terrible buy. Teladoc has rebooted Livongo as of last month. More than the writeoff cost for Teladoc, it cost the industry, and affected lives.  It’s an important read in today’s situation.

Philips will be laying off 6,000 globally over the next two years, in addition to 4,000 booted this past October. Reasons why are the 2021 recall of Respironics ventilators, BiPAP machines, and CPAP machines because of the potential health risks of deteriorating polyester-based polyurethane (PE-PUR) foam, supply-chain challenges, lower sales in China, and the fallout from the Russia-Ukraine war. Their new focus will be on R&D and fewer ‘more impactful’ projects. Dataquest India, Mobihealthnews

Amazon’s layoffs of 18,000–and huge 2022 loss–also affected their developing healthcare areas. The shutdown of Amazon Care affected 159 jobs. But surprisingly, growth areas that had just rolled out new programs also lost staff. Amazon Pharmacy, which just rolled out RxPass, a $5 per month medication prescription service, laid off some of its program managers, risk compliance managers, and billing managers. Employees working on Halo health and fitness trackers were also laid off.  Becker’s Hospital Review  Yet many health executives see Amazon as the #1 threat to health systems’ core business. In a survey by Health Tech Nerds (sic), these execs predicted that Amazon might buy Color, Walgreens, and Smile Digital Health–in addition to a health plan! At this point, their One Medical buy is under scrutiny by both the DOJ and FTC [TTA 15 Sept 22] and on 2 February they reported a $2.7 billion net loss for 2022, the first since 2014 (The Verge) so those predictions on aggressive healthcare moves might be very blue side up.  Becker’s Hospital Review

In Ireland, Prof. Martin Curley, who headed digital innovation for the Health Services Executive (HSE), resigned in an unusual fashion. On LinkedIn announcing his resignation effective immediately, he said he has “called off this particular ascent on Everest”. In the post, he expressed frustration with supply chain and funding blockages, but later interviewed by the Irish Times cited poor IT infrastructure creating patient adverse outcomes, even death–and that senior administrators blocked new technology solutions. He is now a visiting professor at the University of Bath and a professor of innovation at Maynooth University. Irish Times 16 Jan, 25 Jan

And former Health Secretary Matt Hancock cannot catch a break. First, he was suspended from the Conservative Party in November, having decided that traveling to Australia for several weeks to appear in a reality show was more important–while he was Conservative Whip and Commons was still sitting. Now as an independent representing West Suffolk, in December he announced he will not stand for re-election next year. The insult upon injury was being assaulted last month by a 61-year-old man on the London Underground, following Mr. Hancock through Westminster station and onto a train, and earlier by the same man on Parliament Street. The Lancashire man was arrested. Lately quite in the BBC News.

Killnet racks up 22 more healthcare cybervictims and data thefts; whitepaper on best defense practices

Ransomware attacks keep rolling through healthcare organizations. The latest tally just for Killnet, the rogue group of pro-Russian hacktivists, is up to 22 hospitals from Los Angeles to Egg Harbor, NJ. Becker’s HealthIT on Tuesday reported on 17 listed by BetterCyber on 31 January with another six yesterday. (BetterCyber’s Twitter feed subtracted Dartmouth Health Cheshire Medical Center from the victim list yesterday, thus 22.) Most affected are regional and community hospitals.

According to SC Media’s report on an HHS Cybersecurity Coordination Center (HC3) Alert, health and personal data were ‘exfiltrated’ onto the Killnet list. Quite oddly, and this Editor is sure it’s just a coincidence, the HC3 analyst note linked is offline; on a search to cross-check the link, the HHS pages show up in index form. Also Becker’s HealthIT 1 Feb 

The attacks were DDoS (distributed denial of service), described by HC3 as “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.” This ties up IT and slows down services such as websites or information portals. The danger in DDoS attacks, as noted in previous coverage [TTA 22 Dec 22], is that DDoS can be cover for other cybercrimes or information gathering in preparation for same.

How can a healthcare organization ‘keep calm’ and lessen the impact of cyberattack, as it’s ‘not if, but when?’ A whitepaper by Cynerio focuses on microsegmentation, a network security technique that logically divides the data center into distinct security segments down to the individual workload/workflow level, and then defines security controls. (In marketing, market profiling down to buyer personas is similar.) The paper looks at how organizations should focus on four areas: visibility, risk mitigation, real-time defense, and regulatory compliance, then work through multiple considerations. Happily, the whitepaper (no registration required) is mostly understandable to those outside of IT. It also provides three case studies and checklists. Cynerio is a NYC-based healthcare-focused cybersecurity management company that helps hospitals to manage risk and secure their IoT, IoMT, and unmanaged IT and mobile devices.

Pull the plug on Oracle Cerner in the VA! Two House Representatives urge return to VistA, send bill to Veterans’ Affairs committee

Hold your hand up if this comes as a complete surprise. A Congressman who was the top Republican on a subcommittee overseeing technology at the Department of Veterans Affairs (VA) has evidently had quite enough of the Oracle Cerner problems in implementing Cerner Millennium. Rep. Matt Rosendale of Montana has introduced H.R.608, titled “To terminate the Electronic Health Record Modernization Program of the Department of Veterans Affairs”. It would pull the plug on Oracle within 180 days, dissolve the VA Electronic Health Record Modernization Integration Office, and restore VistA/CPRS. In other words, back to the drawing board.

It was co-sponsored by Rep. Mike Bost of Illinois who is the chairman of the House Committee on Veterans’ Affairs, where the bill was referred on 27 January. Rep. Rosendale is now the chair of the House Veterans Affairs Subcommittee on Technology Modernization. 

This follows on last week’s two-day slowdown of both the VA and MHS Genesis systems, last summer’s Congressional hearings with the roasting that Oracle Health’s head Mike Sicilia and VA heads received over the OIG report on the ‘unknown queue’ that created 149 adverse events, and October’s delay in further Oracle Cerner rollouts in the VA from January 2023 to June.

While the likelihood that the bill would pass both House and Senate, and be signed into law, is low, H.R. 608 is one very heavy and clever cudgel for getting Oracle–and the VA staff involved with the conversion–to Pay Attention! Fix The Problems! There’s also leverage far beyond the VA EHR. Oracle has multiple Federal contracts which could be jeopardized or defunded. Stay tuned to further developments in VA’s Tower of Trouble and Oracle’s Mound of (Acquired) Misery.  Hat tip to HISTalk for the heads up, actually obtaining a screenshot of part of the bill which has not yet been posted on Congress.gov.  FCW.