23andMe hacking may have affected 6.9 million+ users–not 14,000–in massive PII breach

What was 14,000 may affect up to 6.9 million users. Genetic testing and information company 23andMe is now admitting that the October data breach that affected 0.1% of their 14 million customer base, or 14,000 users per their SEC filing last Friday, may have exposed the records and personally identifiable information (PII) of 6.9 million users, about half their customer database. In later replies to industry publications TechCrunch and WIRED, a 23andMe spokesperson admitted that hackers accessed the PII of about 5.5 million people who opted in to 23andMe’s DNA Relatives feature. Add to that an additional 1.4 million who “had their Family Tree profile information accessed”, an enhancement to DNA Relatives. The DNA Relatives breach stole individual and family names, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location. Family Tree information exposed display names, relationship labels, birth year, self-reported location, and whether the user decided to share their information.

(Editor’s note: The size of the breach is enough to revive this vintage picture of WWF/WWE wrestler Hulk Hogan in his ‘Hulkamania Running Wild’ persona.)

23andMe has attributed the massive breach to credential stuffing–the reuse of leaked login credentials from other websites and services. But many users have gone public with the information that their logins were unique to 23andMe. 23andMe’s credibility on this issue took a beating from none other than the US National Security Agency (NSA) cybersecurity director Rob Joyce. He wrote on his personal X account that “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” In fact, Mr. Joyce creates a unique email for each account. The cause for the wider breach may lie in data sharing with a partner, MyHeritage, in adding functionality to Family Tree. It seems clear that credential stuffing wasn’t the only technique used to break into the 23andMe user data.

23andMe, as well as Ancestry.com and MyHeritage, now require or strongly recommend two-factor authentication for access to personal accounts. About time. They have also changed terms of service to “encourage a prompt resolution of any disputes”.

What is distressing is that the hacks on the retail side of 23andMe are only the tip of the iceberg–that the really valuable part of their genetic data goes to pharmaceutical companies. Cyberthieves know that motherlode is incredibly valuable to bad actors like the Chinese and the Chinese Communist Party, both key markets for stolen health data. (Developing)

News roundup: ONC recommends ‘nutrition labeling’ for healthcare AI apps but Google moves forward; CVS’ health services rebranding as Healthspire (updated); Clover Health repots out of ACO REACH

Straining toward a model for AI app information? The latest grope by Federal regulators towards the “trustworthy use of artificial intelligence”, as the American Telemedicine Association terms it, is a labeling system that has been likened to ‘nutrition labeling’. This near-incomprehensible analogy to food labeling was proposed back in April by the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC), now headed by Micky Tripathi, Ph.D. This disclosure would consist of how the app was trained, how it performs, how it should be used, and how it shouldn’t, which does not sound onerous at all. The disclosures are designed to forestall issues around performance and bias that have previously appeared, such as Epic’s AI system designed to predict sepsis risk and an algorithm designed to flag patients needing assistance with complex treatment regimens. 

An optional proposed disclosure around how the app was trained and tested would be important to healthcare organizations but potentially problematic to developers. There are quite a few caveats expressed by Silicon Valley investors around hurting startups and even giants like Epic through over-disclosure of proprietary information, enabling reverse engineering and poaching of intellectual property. Everyone likes transparency, trust, safety, and efficacy, but the conundrum is to disclose what is needed for proper and cautious use without providing an entrée to IP. Wall Street Journal, Becker’s, ATA release and AI principles

Google, predictably, damns the torpedoes, full speed ahead with healthcare AI. And intends to write the rules. They’ve deployed AI tools already with Mayo Clinic and HCA Healthcare–Mayo for medical records and research papers, HCA for clinical notes. EHR Meditech is using Google’s AI for clinical documentation and to summarize patient histories. Bayer is also working with Google. Their products include a licensed algorithm for breast and lung cancer detection, a tool for diagnosing diabetic retinopathy, and a question-answering bot. Google makes no secret that they plan to influence Federal efforts at setting standards by hiring lobbyists, most of whom are out of the Food and Drug Administration (FDA), and playing a large role in industry groups such as the Coalition for Health AI (CHAI).  If you believe that Google, Microsoft, Amazon (playing catchup), or other healthcare service companies like UnitedHealth Group’s Optum will twiddle their thumbs and wait for the Feds to set standards and (good grief) enforce disclosure on AI tools, this Editor has several lovely bridges for sale. POLITICO, Becker’s

CVS Health grouping health services and multi-payer assets under CVS Healthspire. Monday’s announcement at the Forbes Healthcare Summit will roll up new $20 billion acquisitions Oak Street Health and Signify Health along with 1,100 MinuteClinics, the CVS Caremark pharmacy benefit manager (PBM), CVS Specialty, and its new Cordavis operation that works with pharmaceutical companies to bring to market  biosimilars. The rebranding, a clever melding of ‘health’ and ‘inspire’, will start this month into 2024. It’s not revealed whether the current names will be sunsetted for CVS Healthspire, or whether they will keep their established brand names. The parallels are with Evernorth (Cigna), Optum (UnitedHealth Group), and Carelon (Elevance, the former Anthem) in creating a vertically integrated healthcare company. At Investor Day, CVS Pharmacy announced a cost-plus arrangement for retail prescriptions built on the cost of the drug, a set markup, and a fee that reflects the care and value of pharmacy services–clearly in competition with Mark Cuban CostPlus.  Forbes, FierceHealthcare, CVS release, Investor Day release  

Clover Health exits the advanced value-based primary care program, ACO REACH. Clover’s exit at the end of the 2023 performance year after two years disbands their practice arrangements for CMS’ advanced original Medicare shared savings program, formerly Direct Contracting, and provision of beneficiary services after completing their required wrapups and reporting. It is part of their recent moves to become profitable, focusing on their Medicare Advantage business and Clover Assistant management. They outsourced their Medicare Advantage plan administration to UST HealthProof for a savings of $30 million and laid off 10% of staff as part of restructuring. A 2021 SPAC on Nasdaq debuting above $16 that survived investigations by the SEC and DOJ now has shares trading currently under the $1.00 minimum for listing. Clover also finally settled seven shareholder lawsuits over its non-disclosure of the DOJ investigation at the time of the SPAC. Cleaning house is all part of living to fight another day, like other ‘insurtechs’ such as Oscar Health. Clover release, FierceHealthcare  Also: Looking back at insurtechs and their ‘disruption’,  Insurtechs in the widening gyre

Stayin’ alive–or trying. Bright Health Texas plan seized for liquidation; Cano Health reverse splits, up for sale

Bright Health’s future continues to dim. Last week, the Texas Department of Insurance (DOI) filed notice in Travis County district court that Bright Health’s subsidiary, Bright Health Insurance Company of Texas as defendant, was financially insolvent and would be liquidated. The insolvency and receivership were declared on 29 November. Bright Health’s Texas assets could not cover liabilities plus a required surplus under law. The Commissioner of the DOI is responsible for the liquidation, which was done with the consent of Bright Health as an order agreed with the defendant (PDF link here).

Bright Health had exited the Texas market, ending its ACA plans in July and an agreement with Molina Healthcare to serve Medicaid and ACA Marketplace populations in Florida and Texas starting in 2024, according to July reports [TTA 6 July]. Reading the order, Bright Health and all of its entities including NeueHealth are enjoined from any actions regarding Bright Health Texas.

Is there a bottom short of Chapter 7? Bright Health is not only in major debt, reportedly $500 million, to JP Morgan to pay off its credit facility, but also to the Centers for Medicare & Medicaid Services (CMS) to cover risk liabilities from its discontinued ACA (Affordable Care Act-individual plan) insurance businesses. That liability is, according to reports, $380 million in risk-adjustment payments, including $89.6 million in Texas. In the puzzle palace scheme of ACA plans, this is designed to ‘even out’ the differential between higher and lower-risk members in an ACA market. This risk adjustment of nearly $90 million also affects the bottom line of other plans in Texas run by Centene, Molina, and BCBS Texas, as well as smaller local plans, as this payment is distributed to them. But from the liquidation order, no one can collect on this risk adjustment as an asset (see page 7 of the order).

The sale of California plans to Molina in July was estimated at $600 million, and that was contingent on Bright Health surviving into 2024. The value of the plans, with continued losses, is likely reduced as it’s six months later. It is not expected to close until Q1 2024. For the $380 million payment owed to CMS, Bright has entered an interest-only repayment agreement with them, a favorable but ‘skin of the teeth’ arrangement. The credit facility from New Enterprise Associates in August was only $60 million. But their adjusted EBITDA reported at that time for Q2 and H1 were actually in the black: $6.4 million for Q2 and $670,000 for H1. 

The big question to this Editor, as it was to analyst Ari Gottlieb, is how the $89.6 million, now enjoined in Texas, is not considered a default on the risk-adjustment payment agreement and is turned over to the Department of the Treasury for collection. Read Mr. Gottlieb’s POV here on LinkedIn. But this Editor has to hand it to Bright Health. They have done a masterful job of tying states, CMS, and even Molina into Gordian knots that buy time against what seems to be the inevitable.  Becker’s

Cano Health is also trying to stay alive until it gets sold. The board and shareholders on 2 November (release) accepted a 1 for 100 reverse share split, exchanging 100 old shares of Class A and B stock for one Class A share. This is to regain compliance with the New York Stock Exchange’s (NYSE) listing rules. Cano is currently trading at $8.95 (5 Dec @ 13.33pm).

As previously reported, Cano lost $497 million in Q3. Some results showed improvement, with capitated revenue of $770.3 million increasing 23% and 7% PMPM (per member per month) versus Q3 2022. Not good was the adjusted EBITDA of $(66.1) million in Q3 2023 coming in at $(84.3) million lower than Q3 2022 ($18.2 million) due to a higher medical cost ratio (MCR). Reading further into the release, liquidity appears to be low–$53 million, consisting of cash and cash equivalents (excluding restricted cash of approximately $34 million). They also have a revolving line of credit with Credit Suisse, but it is fully drawn. Cano projects operating performance improvement for Q4. It continues to sell assets, lay off staff, and is for sale as a company on what is left, which is their Florida-based clinic network. 9 Nov release

Short takes: a rumor of merger/buy with Cigna and Humana–what are the odds? (updated) And what’s up with the low number of HIMSS 24 exhibitors?

Cigna and Humana, perfect together? Only if they can get the deal through the Feds and the states. Late this week, the Wall Street Journal revealed that Cigna and Humana were exploring either a merger or, as some theorize, a buy of Humana ($93 billion in revenue, $60 billion valuation) by much-larger Cigna ($181 billion in revenue, $78 billion valuation). Between them, it is estimated that they would have 35 million members. No transaction cost has been estimated, but the WSJ sources indicate it will be a stock-and-cash deal that could be finalized by the end of the year if all goes well.

On paper, industry observers like it but point out the overlap in one significant area.

  • Cigna earlier announced that it wants to sell its relatively small Medicare Advantage business, concentrating on its leadership in the commercial business and with its service businesses under the Evernorth umbrella.
  • Humana is exiting its commercial health plans to focus on MA and Medicaid, as well as its large footprint in the home health business with CenterWell.
  • Humana’s CEO Bruce Broussard is retiring next year, with newcomer to Humana Jim Rechtin joining as COO in January 2024 as his replacement. Cigna’s CEO David Cordani is a sprightly 57 and likely not to go anywhere.
  • The overlap area that could be problematic is pharmacy benefit management (PBM) with each having about 17-18 million in Express Scripts (Cigna), the second largest in the US, and Humana Pharmacy Solutions. 

Liking it on paper is one thing–FTC, DOJ, and 50 states may not feel so enthusiastic. It’s established through their actions that both Federal agencies are reining in M&A with new and restrictive merger guidelines scheduled to go into effect next year [TTA 20 July]. Healthcare is a major political hot button for this administration for cost–especially drug costs. That is where the PBM operations, reportedly equal in revenue, present the biggest conflict to a merger or a buy, both in service and valuation. Both serve their own plan members as well as others, notably Express Scripts with 24% of claims, whereas Humana’s serves primarily its own plan members with 8% of claims. Neither is easy to divest without creating antitrust questions for acquirers and a major dent in Humana’s services. The final factor: Lina Khan, chair of the FTC, has never seen a merger that she’s liked based on her own statements [TTA 24 Aug].

Doomed to repeat history? In 2015, two payer mega-mergers involving these same companies were concocted: Cigna with Anthem and Humana with Aetna. They hit the buzzsaws of DOJ and before that, state approvals. The DOJ pursued them on antitrust in the Federal courts which derailed both by January 2017. Running up to that, every state got an approval vote through review by each state’s Department of Banking and Insurance or equivalent. Many did not approve, or approved with conditions. The other factor is corporate. In the runup to the merger, Anthem-Cigna was marked by escalating animosity from the management suites to the worker cubes. After the deals were scuppered in the Federal District Court, Anthem and Cigna bitterly fought over damages and cancellation fees in Delaware Chancery Court. Aetna and Humana took their lumps and breakup fees, and went on. Aetna went on to merge with CVS, a deal that avoided most of the antitrust flak. Humana went on to acquisitions in other areas.

Our betting line. Both insurers will look at the financials in this hard-to-get-arrested year. Both will feel out the Feds before going forward. Both will calculate whether it’s best to start now or wait till next year and a possible change in administration. Neither company wants to be a political target in an election year. Defensively, Cigna may make noises about other combinations–Centene and Molina have been mentioned–which present their own difficulties and troubles, to strategically try to force the issue. Stay tuned! MedCityNews, Axios

Update: Other analysts suddenly are on board with this Editor’s gimlety view of the matchup, citing antitrust and how Federal regulators are primed to challenge major deals. The FTC is specifically probing the PBM business. The fact that the deal, according to JP Morgan, could take 12 to 24 months is no surprise as par for the course, but Mr. Market didn’t like it, dragging down both companies’ share prices every day since the rumor broke. (Hmmmm….do they read TTA?)  But a small lamp was lit by one analyst: a Cigna-Humana combo could present real competition to the 9,000 lb. elephant of healthcare, UnitedHealth Group, and that might help to put it over. FierceHealthcare

Another concern that occurred to your Editor: Cigna’s international footprint could mean additional approvals by UK and EU regulators.

According to Healthcare Dive’s analysis, the combined entity would have a PBM market share of 32%, right up against CVS Health-Caremark at 33% and UHG’s OptumRx way behind at 22%. It’s a small group with big barriers to entry which makes it a slam-dunk to antitrust regulators.  A whistle in the dark might be UHG’s long-drawn-out buy of Change Healthcare, but there were divestitures of business before closing and both parties managed to prove to the satisfaction of a US District Court that the separation to Optum Insight would not affect business relationships with other health plans. But here, both are health plans, and both have PBMs.

HIMSS 24 exhibitors, where are you? An item in today’s HIStalk on the ‘interesting’ choice as closing keynoter of football coach Nick Saban (U of Alabama Crimson Tide) at a healthcare IT conference went on to compare the number of booked HIMSS exhibitors to date with HIMSS 23’s floor total. This Editor, who for a few years booked the least expensive HIMSS space for the company she worked for back then well in advance, could not believe the low number of exhibitors three months from show time in March. Checking the HIMSS show website, there are 501 exhibitors listed. In 2023, according to HIStalk, there were 1,216. Many of these exhibitors have multiple booths in the Orange County (Orlando) Convention Center, but it still indicates the uncertain state of healthcare, pullbacks in marketing budgets, the rise of real competition in HLTH and ViVE, and perhaps some concerns about the show management transition from HIMSS itself to Informa. Are industry and IT influentials skipping HIMSS next year? Stay tuned or comment below!

Has Amazon lost its ‘edge’ in healthcare? Or finally seeing reality?

Amazon’s long and winding road to Healthcare Reality is no surprise to those tracking Amazon’s moves over the past few years. And Bloomberg agrees. In the eyes of many of the industry, Amazon was one of the top companies revolutionizing healthcare in a consumer-focused, tech-driven model. They were making The Big Moves along with giants CVS and Walgreens with an open wallet, with Walmart lagging and tagging behind. But when you turn a Gimlet Eye to the track record, The Big Moves were marked by hubris, uncertainty, lack of focus, lack of healthcare expertise, and just plain bad judgment.

  • First, there was the sinkhole known eventually as Haven, 2018-2021. This partnership with JP Morgan and Berkshire Hathaway (RIP to the legendary Charlie Munger) generated truckloads of 50,000-foot quotes by JPM’s Jamie Dimon and B-H’s Warren Buffett about the ‘hungry tapeworm’ of healthcare costs and the need to simplify it for their million-odd employees. It was clear that Amazon was relegated to the ‘junior partner’. Their reaction was to go their own way well before the shutdown and make its own acquisitions, acquiring PillPack in mid-2019 as the first move towards a PBM, Amazon Pharmacy, then pushing Amazon Care for large employers. TTA 6 Jan 2021
  • Then there was the brief and mysterious life of Amazon Care, 2019-2022. Their mix of virtual care, in-home, and telehealth services signed up large employers such as Hilton and (of course) Amazon with the eventual vision of delivering in-home care of visits and medications via mobile providers. Despite plenty of pivoting behind the scrim but eventually going nationwide with some, not all, of their services, their vision wasn’t attractive to most large employers. Even before One Medical was acquired in July 2022, Amazon decided to ditch Care by end of 2022. TTA 25 Aug 2022
  • And $3.9 billion later, there is One Medical, acquired earlier this year. It has never made money and won’t for at least two fiscal years. It doesn’t resemble an Amazon-style delivery model either. It’s a membership model practice group with individual paying members plus 9,000 corporate service contracts and telehealth. Of course, memberships including telehealth are being offered to the millions of Amazon Prime members at a drastically discounted rate starting earlier this month.
  • Bubbling under this is Amazon Clinic, an asynchronous virtual consult service leaked in November 2022, formally announced in June 2023 but delayed until August on data privacy issues that attracted Senatorial scrutiny on whether information would be passed to other Amazon services for merchandising [TTA 27 June]. Visits cost an average of $50. Amazon is surprisingly mum on Clinic’s status.

From the collection of articles linked above, plus TTA’s ongoing chronicle of FTC’s (and DOJ’s) consistent scrutiny (some call it vendetta) re Amazon [TTA 24 Aug, 27 Oct], one cannot conclude that Amazon has lived up to its publicity, dominating coverage earlier this year, that it would be a leading Healthcare Transformer. In that last article, this Editor’s obvious doubts were summarized as “What we view as a juggernaut is facing more than their share of distractions and changing circumstance.”

It is awfully nice to know that Bloomberg has taken our small ball of misgivings and run with it. Their article describes, through interviews with current and former employees, patients, competitors, and industry analysts, a “culture of hubris”, believing that “Silicon Valley-style invention could outsmart industry incumbents” and management not listening to the industry people they did hire. The hubris goes back to the very beginning. Even transitioning a young but deep in the red company like PillPack, bought for a truly ridiculous amount of money but that fit easily into the Amazon model, took an inordinate amount of time–about two years. Amazon Pharmacy, built on the PillPack bones, doesn’t seem to be meeting expectations, running headlong into local retailers such as CVS, Walmart, and Walgreens, discounters such as GoodRx, and deliverers such as Mark Cuban Cost Plus. No surprises there when you waste two years. Wall Street doesn’t like it much either, despite the promises from CEO Andy Jassy that healthcare is their long-term growth area, carrying through the vision of former CEO and now chairman Jeff Bezos.

It also doesn’t help to be the corporate target of the FTC, not mentioned in the Bloomberg article.

This Editor will quote herself from a recent article. While it was in the context of learnings from Olive AI, it applies equally to those with lots of success in other businesses or even other parts of healthcare. Know that healthcare, no matter what the conferences say, is an entrenched, over-regulated, risk-averse, and thus extremely slow-moving business. The risk level is high, the reward may be incremental, at best. And the big guys–the payers, big health systems, and their vendors, will always have it all over you.

NODE.Health’s 7th Annual Digital Medicine Conference 6-8 December

7th Annual Digital Medicine Conference 
“Collaboration for Transformation”
Wednesday 6 December – Friday 8 December
Microsoft NYC, 11 Times Square, NYC   Agenda here

This three-day conference dedicated to bringing the promise of digital innovation to the real world of healthcare delivery has 30 sessions with speakers from providers, academia, government, and leading health systems on topics such as public health, digital psychiatry, AI, automation, and UX. Friday is focused on Federal Health Innovation. Included are after-conference receptions on both Wednesday and Thursday. More information and registration.

Another turkey: potential 9M patients affected by medical transcription vendor data breach

Vendors are hot, hot, hot…with hackers. In another notable vendor data incident, Perry Johnson & Associates (PJ&A), a Henderson, Nevada-based provider of transcription services for hospitals and physician practices, reported a data security incident to the US Health & Human Services (HHS) Office for Civil Rights (OCR) on 3 November. The breach occurred in the network and files were copied 27 March-2 May, when it was detected. 8.95 million individuals were affected, with over 4 million individuals in NYC and Syracuse at Northwell Health, the largest health provider in New York State, and Crouse Health. Northwell hasn’t had much luck with transcription providers, having been affected by Nuance Communications’ hack earlier this year by one of their vendors–the Progress Software MOVEit file transfer protocol (FTP) theft traced back to ransomwareistes CLOP [TTA 3 Aug].

Personal health information stolen for all included name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. While the records didn’t contain financial information, some patients may have had breaches of their Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

PJ&A notified affected providers on 29 September and affected patients on 31 October. In addition to the 4 million+ in New York, 1.2 million individuals were served by Cook County Health in Illinois. The rest have not been identified. TechCrunch, News4NY, PJ&A notice 

Ireland’s TASK Community Care launches TASK Connect in Northern Ireland for the UK market

TASK Community Care, which was the first personal alarm and telecare company serving Ireland starting (an unbelievable) 45 years ago, has opened a fully-owned UK subsidiary, TASK Connect. It will be located in Lurgan, Northern Ireland. TASK Connect will provide 24/7 alarm services along with GPS location tracking with fall detection devices and monitoring. These can be ordered online, streamlining customer service and user implementation.

TASK Connect recently won a competitive tender with one of Northern Ireland’s eleven councils. The new Lurgan operation will also serve as a base for TASK’s expansion in the rest of the UK. 

Toni Bunting, TASK Connect’s managing director, stated “Our online product range will steadily expand as we solidify our presence in the UK market. Concurrently, our core focus is on refining operations, honed through years of dedicated service to TASK Community Care customers, ensuring an even more streamlined and customer-centric service for all our customers in the UK.” TASK Connect release

Editor’s note: Long-time Readers remember Toni as our Ireland Contributing Editor. She rejoined TASK earlier this year after time out of the industry. Welcome back, Toni! 

A Thanksgiving turkey for hospitals: multiple cyber and ransomware attacks

IT incidents were on the Thanksgiving menu at many US hospitals. It was no holiday for the hospitals experiencing attacks and outages, forcing ERs to divert to other hospitals and resort to downtime procedures. The hospitals reporting them are part of Ardent Health Services, a 30-hospital operator. Ransomware has been reported for some as the cause. Not all Ardent hospitals have been reported as affected.

A rundown of what was attacked, and where:

  • The 10-hospital UT Health East Texas (Tyler, Texas) network locked down its systems and reverted to downtime procedures after a security incident and outage. Ambulances heading to its ERs were diverted to other hospitals.
  • Lovelace Health System in Albuquerque, New Mexico, affecting six hospitals, 33 health care clinics and seven outpatient therapy clinics. 
  • BSA Health System in Amarillo, Texas 
  • The University of Kansas Health System St. Francis Campus in Topeka 
  • Hillcrest HealthCare System (Tulsa, Oklahoma) 
  • Closer to this Editor’s home, two Hackensack Meridian hospitals in New Jersey served by Ardent were ransomwared starting on Thanksgiving: Pascack Valley in Westwood and Mountainside Medical Center in Montclair. Local reports indicated a ransomware attack. The outage continued through the weekend. Other Hackensack Meridian hospitals are not served by Ardent and were not affected.

Ardent has reported this to law enforcement and in their release, stated they are still determining the full impact of the event, though working with partners to restore access to electronic medical records and operations. 

In addition to the Ardent hospitals, on Thursday the six-hospital Vanderbilt University Medical Center (Nashville, Tennessee) reported a cyberattack that compromised a database and was contained. Ransomwareistas Meow claimed that their information was leaked on the dark web. VUMC is not confirming a ransomware attack and stated that the “compromised database did not contain personal or protected information about patients or employees.”

Becker’s 27 Nov, 27 Nov (Hackensack), Asbury Park Press, News12NJ, Ardent Health release, The Record

‘The Simpsons’ takes on Theranos (by another name, glub glub)

Everyone into the ‘LifeBoat’! Episode #754 of the long-running (35 seasons!) series ‘The Simpsons’ is a complete send-up of The Theranos Story in 22 minutes. This episode, which aired in the US on 29 October, transmutes Elizabeth Holmes into Persephone Odair, the young college dropout creator of a can-sized device that converts salt water to drinkable fresh water. The retrospective documentary and ‘news stories’ framing the tale trace Persephone’s and LifeBoat’s rise to fame and riches, then their fall. Set in SimpsonsWorld, the chief financier is the owner of the local nuclear plant, the zillionaire Montgomery Burns, whom she marries. There is an endless supply of in-jokes and jabs, such as Persephone at a TEDtalk saying “The doubters call this goal impossible, but I prefer to say, ‘I’m possible.’” (=“First, they think you’re crazy…”) and the blatant coverup of the technology (=Edison Lab, but here, if anyone drank the water, a competitor could steal the aqua-tech from the urine). The ‘can of oats’ converter, Persephone’s backstory, and the water, of course, are complete fails. Lots of celebrities make guest appearances, but not Judge Edward Davila or John Carreyrou, the author of ‘Bad Blood’. The plotline of “Thirst Trap: A Corporate Love Story” is featured on the WikiSimpsons here and here. It can be viewed on various streamers and can be purchased on YouTube. SFGATE, Entertainment Weekly, Photo from SFGATE screenshotted via Fox.

New York State drafting proposed cybersecurity regulations for hospitals, allocates $500M for upgrades

New York State is imposing new regulations that would establish cybersecurity policies and procedures for hospitals in the state. According to the NYS release, “hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.” The draft regulations, announced last week, will be published by the Department of Health on 6 December, and will complement existing Federal standards under HIPAA. 

The proposed regulations will mandate:

  • Response plans to a cybersecurity incident
  • Notification to appropriate partners
  • Testing of response plans to ensure continuity of patient care while systems are restored to normal operations
  • Written procedures, guidelines, and standards to develop secure practices for in-house applications
  • Policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital
  • Multi-factor authentication (MFA) implemented to access internal networks from outside networks
  • Establishment of a Chief Information Security Officer (CISO) if one doesn’t exist presently in order to enforce the new policies, plus annual reviews and updates 

The draft regulations are scheduled to be published on 6 December with a 60-day public comment period ending on 5 February 2024. After the finalization and adoption of the new regulations, hospitals have exactly one year to comply.

Included in the state’s FY24 budget is $500 million in funding for modernization of clinical tech, cybersecurity tools, EMRs and other technological upgrades. They will be part of an upcoming statewide capital program call for applications to improve quality of care, patient experience, accessibility, and efficiency. Given the size of NY state and number of hospitals, plus the time frame, this fund may be spread thin indeed. NYS release, MedCityNews

This Editor attended the Official Cybersecurity Summit New York 2023 last Friday, with a security briefing by NY State’s deputy chief cyber officer for operations, Jesse Sloman. He described the overall strategy of the state agency, the first ever, as building a unified, resilient, and prepared cybersecurity strategy across all agencies in the state, with a single point for operations including law enforcement, military, transportation, and of course healthcare. Certainly, internally instigated breaches, ransomware attacks, DDoS, and nation-state/transnational cyberattacks by Russian ransomwareistes like CLOP are expensive. He quoted a five-year loss of $27.6 billion with 3.2 million complaints–with 2022 alone costing $10.3 billion.

What’s his biggest concern? A multi-state, multi-sector geopolitical event that threatens multiple operations.

News roundup: AstraZeneca’s Evinova to market clinical trial health tech; BehaVR-Fern merge; UpHealth sells Cloudbreak telehealth translation; MedwebX launches; Tunstall-UEdinburgh research partnership; NextGen loses 84 after going private

AstraZeneca makes a bet on selling health tech for drug development. Evinova, a separate health tech business within AstraZeneca, will market and develop proprietary technology and sell it to other pharma, biotech, and clinical research organizations (CROs) to optimize clinical trials. According to their release, these technologies have already been used in successful clinical trials in over 40 countries. CROs Parexel and Fortrea have already formally agreed to offer the three-part Evinova ‘drug development suite’ to their customers. Other partnerships include Accenture and Amazon Web Services.

On the buy and funding side:

RealizedCare formed from BehaVR and Fern Health. This interesting combination of virtual reality behavioral health (BehaVR) and chronic pain manager Fern Health promises digital therapeutics for value-based chronic pain care management. RealizedCare’s market is health plans, employers and value-based providers, working with them to identify, assess, and engage their members, employees, and patients with chronic pain. Their advanced care management platform is powered by DTx technology to scale pain management. Fern Health is backed by Aachen, Germany pharmaceutical company Grünenthal which will be a strategic investor in RealizedCare.  The combined company will be US-based in Nashville. Financials and workforce transitions are not disclosed, but two CEOs are listed on their website–Brad Lawson, CEO, Fern Health, and Aaron Gani, founder and CEO. Release, Mobihealthnews

UpHealth sells off telehealth translation services holding Cloudbreak Health to private equity firm GTCR, as part of a complex reorganization. Cloudbreak provides video remote interpreting (VRI) through its Martti (My Accessible Real-Time Trusted Interpreter) tool to aid in simultaneous translation in over 250 languages. Purchase price is $180 million and subject to regulatory and shareholder approvals, with closing anticipated by Q1 2024. Cloudbreak is currently headquartered in Columbus, Ohio. UpHealth has been selling off and putting into Chapter 11 various holdings such as UpHealth Holdings [TTA 29 Sep], Behavioral Health Services (BHS), and Thrasys, Inc., but not the publicly traded UpHealth Inc., which closed today on the NYSE at $0.79 having just resumed trading (Yahoo Finance, UpHealth release). Reportedly UpHealth will be refocusing on addiction treatment services provided in South Florida. More on their complex financials in their Q3 report. Release

Short takes:

Digital medical imaging and storage company Medweb announced MedwebX, a HIPAA-compliant solution designed for sharing imaging, studies, data, and reports across networks. Release

Oracle’s moves into Music City Nashville [TTA 2 Nov] continue with the announcement of the Oracle Health Summit on 13 February 2024. According to the Nashville Business Journal, it’s a brief one emailed out to save the date and confirm their information when further details are available. The invitation reads in part, “At this daylong event, you’ll network with peers, hear from experts on the latest trends, and learn how leading organizations are using data-driven technology to deliver human-centered experiences.” Wonder if Bill Frist will be invited.

Tunstall Healthcare and the University of Edinburgh signed a Memorandum of Understanding (MOU) on telecare research. Edinburgh’s Advanced Care Research Centre will provide the academic ecosystem for the partnership, including medicine, engineering, informatics, data, and social sciences. Research will center on the development and deployment of digital tools and techniques for telecare, including multi-partner collaborations.  AT Today

And just in time for Thanksgiving…post-going private NextGen Healthcare will be releasing 84 employees at its St. Louis, Missouri location, according to their WARN notice filed with the state. The layoffs are “as a result of staffing optimization efforts” in connection with the company’s purchase by private equity firm Thoma Bravo. Layoffs of management, supervisors, account receivables staff, representatives, and analysts who work onsite, hybrid, and remote will be staggered with some released 16 January with others 1 February and 1 March. Some employees will be remaining in St. Louis, though NextGen is headquartered in Atlanta. Becker’s, St. Louis Post-Dispatch, St. Louis Business Journal

Some final words on Olive AI–what can we learn from its failure? (updated)

“To the extent Olive might have sold something, they didn’t deliver – otherwise they’d still be in business.”–Emily Evans, managing director, Hedgeye Risk Management (quoted in Columbus Business Review)

Seeing this article on how Olive AI ‘ran out of time and money’ in Becker’s Hospital Review, this Editor hoped that it would be a final word, a summing up of what was likened to the seismic equivalent of Theranos’ failure in the health IT and ‘changing healthcare’ space. It wasn’t; it was a terse summary of a very long article in Columbus Business Journal–Columbus, Ohio being their headquarters city.

It’s a decade-long story (2012 as CrossChx to 2023). Up to March 2020, it seemed to be a reasonable narrative of a company and entrepreneur, Sean Lane, who built on his USAF background and his founding of an earlier successful software business (BTS Software) to transform healthcare by automating routine tasks through what they termed ‘AI’ but was more like software programming coupled with machine learning. With General Catalyst’s $52 million in hand and the encouragement of industry experts, he evangelized, hard, at multiple conferences. Some savvy investors and advisers (Ms. Evans above) saw that Mr. Lane didn’t know much about healthcare even during the ‘throw money at anything health tech’ days of 2020-21. But Olive AI easily gained two more 2020 raises totaling over $330 million, plus the capper in July 2021 of $400 million, for a total of over $850 million.

With the funds, Mr. Lane acquired or developed multiple businesses for Olive including prior authorizations, revenue cycle management, population health, business intelligence, and analytics for surgery. He even put $50 million into designing a Medicaid managed care insurer, Circulo Health, which was sold off in 17 months. The pivots came thick and fast, but the sales didn’t follow and the negative client reviews (KLAS) plus non-renewals started to pile up. Come 2022 with healthcare paying the Pandemic Piper and interest rates inflating, the VC funding spigots turned suddenly to ‘OFF’. The grow-at-any-cost early-stage companies found that when it came to VC funding, as they say in New Jersey, they couldn’t get arrested. So the end, as with Pear, Olive, and Babylon, came quickly. (Cue the tinny piano playing ‘Melancholy Baby’ in a dive bar.)

So for your startup or early stage company… A Guide to Avoiding A Train Wreck.

  • Don’t believe your own press releases, no matter how well written. And make sure your marketing people are seasoned pros who say what you do accurately and have been there, done that. (And when the most seasoned gives the raised eyebrow…ask why.)
  • Don’t constantly bang the gong that your solution/s will transform healthcare (memo to Larry Ellison). Stick to solving client problems and do that well, though you may have to evangelize a little. In the end, create ‘raving fans’. 
  • Don’t go it alone. Create strong supplier alliances where you need them. Then treat your partners and their corresponding account managers well and give them the resources they need.
  • Take the absolute minimum of Other People’s Money, even when it’s being thrown at you and everyone else, including your competitors which you will keep a cynical eye on. Stow cash away in the old fashioned way, in a reputable and not overextended bank, for the rainy days that will come.
  • There are certain investors and ‘thought leaders’ to smile at and run away from. (Two of them are mentioned in the article.) Their track records are dubious or they have their own agendas.
  • Get to positive cash flow as quickly as you can. 
  • Hire well, but not too many. And beware of execs with non-competes. They tie up your legal counsel who may also be keeping an eye on your IP, compliance, and finances.
  • Overdeliver and create happy clients who renew and expand your business–but don’t give away the store doing it.
  • If you have to buy another company, don’t buy when the streets look paved with gold. Buy when there is some Type A on the pavement. And when you buy, ensure it makes sense in your business model, the acquisition actually does what they claim, their IP is free and clear, and the company owners aren’t overeager to sell (a clue to hidden problems).
  • Don’t, whatever you do, step on Superman’s cape. Avoid getting into conflicts with big guys like Epic, Oracle, or UnitedHealthcare. Especially don’t say that you will put them out of business. (You won’t.)
  • Know that healthcare, no matter what the conferences say, is an entrenched, over-regulated, risk-averse, and thus extremely slow-moving business. The risk level is high, the reward may be incremental, at best. And the big guys–the payers, big health systems, and their vendors, will always have it all over you.

Updated–Some more advice from different points of view:

“Hope is not a business model”–advice from two VCs, with a bit more advice on basic banking

ViVE post-script: VC panel opines in midst of digital health’s new reality (depression?), and extra ViVE from an attendee

Your thoughts on the above and your real-world examples invited as comments!

Primary care provider Forward introduces CarePod kiosks, raises $100 million for deployment–but will it work this time?

Forward, a primary care provider that works on a membership model and has practices in 14 markets, announced a line extension to their existing practices. CarePods are self-serve closed kiosks designed for placement in malls, offices, and gyms that deploy a variety of AI-powered health apps for disease detection, biometric body scans, blood testing in disease areas, including diabetes, hypertension, weight management, and mental health (depression and anxiety). The CarePods will be deployed in the San Francisco Bay Area, New York, Chicago, and Philadelphia. Access to CarePods and the app starts at $99/month and $1,639/year–the release is not clear on whether that can include in-office visits. It is not covered by insurance, including Medicare or Medicaid.

The technology is an extension of what’s seen in their offices (this NY-based Editor is bombarded with YouTube ads for membership) that uses body scanning, vital signs monitoring, blood testing, heart monitoring, and corresponding apps for preventative care and condition management. While the ads feature human doctors and clinicians, the impression from the ads and website is that the health exams are technology-driven and while there are clinicians, they may not necessarily be there. It is not for getting updated on your vaccinations or diagnosing a rash or fever. Forward claims 100+ primary clinicians at 19 locations. 

Forward raised a $100 million Series E to deploy the CarePods from Khosla Ventures, Founders Fund, Samsung Next, Abu Dhabi Investment Authority, and Softbank. It consists of equity financing of more than $50 million as well as debt financing. Forward’s total financing is $657 million with its Series D round (Crunchbase). Forward also boasts a blue chip roster of advisers from Eric Schmidt of Google to Robert Wachter, MD.

In viewing this first from their communications representatives, this Editor was immediately reminded of the last time she saw a closed type of health kiosk. I demo’d HealthSpot Station at the CES preview in NYC in late 2012. It officially debuted at CES 2013. Despite decent takeup, HealthSpot was defunct by mid-2016 having placed only 50 or so stations and burned through a substantial $43 million through its entire short but showy life. Its remains went to now-bankrupt Rite Aid which did nothing reportable with it. HealthSpot had key differences with Forward’s CarePods in that HealthSpot was a place to sit down and have a synchronous virtual visit with a doctor (supplied by Teladoc initially), with vital signs monitoring through self-serve tools in the kiosk. Payment was per use and for the doctor visit. Their problems were placement of rather large units, maintenance, and the general reluctance of people to use monitoring tools at that time within a closed area. Based on the available media, the CarePod technology is much more advanced towards a virtual visit with touch screens, AI assists, sophisticated monitors, and an integrated app that generates care plans. It also builds on an established app and in-office technology. Concerns remain in this Editor’s view about maintenance, especially with the CarePod using much more sophisticated technology, cleanliness, and claustrophobia. FierceHealthcare, PYMNTS

This Editor has also taken a dim view of open kiosks placed in retailers such as CVS Health, Walmart, and supermarkets, such as Higi (bought by Babylon Health but evidently not part of the bankruptcy) and Pursuant Health (the former SoloHealth), having seen all too many of them in dusty corners, neglected, and often with Out Of Order signs. The Forward plan to restrict them to malls, offices, and gyms seems to avoid the retail crunch but one wonders what the breakeven is–or if this is a substitute for office expansion.

A commenter with a far dimmer view than this Editor’s is quoted at length in today’s HISTalk. “The target audience seems to be young, worried well people who prefer faceless machines and tons of prevention-focused data or congratulatory test results to interacting with a clinician. That actually is a pretty good business model. Reviews for the company’s in-person clinics are almost all from customers in their 20s and early 30s.” But the commenter–a customer–is dissatisfied with being completely unable to get someone on the phone, everything done through chat, and wait times to see a real doctor upwards of two weeks.

Short takes: Oracle Cerner still has major hurdles, says VA, Congress; One Medical adds Hackensack Meridian to specialist network, HTA to employer benefits; NHS trialing AI tracking of home behavioral patterns for at-risk patients

VA’s All Quiet on the EHR Front doesn’t mean nothing is happening. With the House hard at work with a new speaker, negotiating budget extensions, and generally trying to get work done before the Christmas-New Year recess, the work of subcommittees goes on. Rep. Matt Rosendale (R-Montana), chairman of the House Committee on Veterans’ Affairs’ Subcommittee on Technology Modernization, yesterday (15 Nov), in a hearing titled “Electronic Health Record Modernization Deep Dive: System Uptime”, got an update on the status of Oracle Cerner from Kurt DelBene, the VA’s chief information officer. His testimony wasn’t exactly reassuring. “Overall we still think there’s a ways to go. I don’t want to present the system as all set and ready to go.” In a rare show of bipartisanship, ranking member Rep. Sheila Cherfilus-McCormick, D-Florida, said that “[Oracle] training and change management are still woefully inadequate and user satisfaction is still critically low.” And despite being invited by Chairman Rosendale, Oracle’s Mike Sicilia didn’t show up or send regrets, which made Rep. Cherfilus-McCormick a little livid. FedScoop. HISTalk in its recap also pointed out that Rep. Rosendale “cited a report saying that it will take Oracle Health 15 more years to match VistA’s functionality. [VA deputy CIO Laura Prietula] responded that she doesn’t think it will take that long.” Oracle Cerner, in the few VA locations where it is operative, has not had a complete system outage in six months. Hearing and 1 hour 46 min. video (YouTube), hearing documents

Amazon continues to build out One Medical to, perhaps, ubiquity. On the East Coast, Amazon’s One Medical adds a major New Jersey health system relationship, Hackensack Meridian Health. Like its newly inked relationship with CommonSpirit Health, it will add integrated specialty providers to One Medical’s primary care focus. Specific locations based on patient needs are not specified yet nor financials. Implementation timing is unusually long–by the end of 2024. On a faster track may be One Medical’s deal with Health Transformation Alliance (HTA), a consortium of large US employers comprising 67 employers including Coca-Cola, Intel, Boeing, and many others totaling nearly 5 million employees. Timing and financials were not disclosed. This adds to One Medical’s current contracts with 8,500 companies that offer its primary care services as an employee health benefit. Becker’s, FierceHealthcare

NHS experiments with predictive health indicators and AI modeling for at-risk patients to prevent unnecessary admissions. Four GP practices in Somerset will be using an AI system that will flag registered patients who have complex health needs first, and are most at risk of hospital admission or who rarely contact their GP. Monitored in Buckinghamshire, the most interesting part of this is that the AI is linked to electronic sensors on kettles and fridges that spot changes in Somerset patients’ eating and drinking habits, obviously as an indicator of changes in health. (Does this remind anyone of 3rings or QuietCare?) Changes are reported to an Onward Care team of health coaches, nurses, and GPs who speak to patients and ask about any health or living issues. They can provide, based on patient input, deliveries of food parcels, arranging for cleaning or shopping services, home alterations to help to avoid falls, or to link them up with local voluntary groups to reconnect them with community resources or simply to help avoid loneliness. Clinical care can also be scheduled including specialist care. The NHS reports that GP practices can use this system to solve 95% of their issues or escalate anything clinical. Why this is important: hard winter and isolation, even with the holidays, loom after an autumn of wild weather and the persistent shortage of hospital beds and GP capacity/timeliness of appointments.  DigitalHealth.net

Virtual nursing comes to the forefront: Avera Health (SD) launches at two hospitals, Doccla launches ‘virtual wards’ at home with Up Care Derbyshire (UK)

The Perspectives article posted today (below) discusses how telehealth for virtual nursing is being used at hospitals. Coincidentally, this Editor had in the ‘virtual file’ for posting today two articles on how virtual nursing is being used in two settings–and in two countries.

In-hospital virtual nursing has been introduced at two Avera Health hospitals in South Dakota, Avera McKennan Hospital & University Center in Sioux Falls and Avera St. Mary’s Hospital in Pierre. This is very much along the lines of adjuncts to bedside nursing in supporting additional care and time-consuming administrative tasks, such as admission assessment, medication reconciliation, pain reassessments, and second RN availability for independent double checks. For Avera, this answers some of their workforce and workflow problems, such as relieving workload and providing second checks. 

An example is intake assessment which in some cases can take up to 30 minutes. The virtual nurses at their stations (left above) work with bedside nurses not only to ask patient questions but also to relieve their anxiety and answer questions. The bedside nurse introduces the virtual nurse, explains the camera/microphone, and then the virtual nurse picks up the assessment from the bedside nurse, who can move on. The camera can also zoom in on equipment such as IVs or vital signs monitors. Virtual nurses can also call bedside nurses when they are needed. No information is recorded.

Avera is a rural health system of 37 hospitals in South Dakota. They introduced virtual nursing in May in the same two hospitals on one metric–reducing in-hospital falls that happen when a patient at increased risk of falling gets out of bed. The virtual nurse uses the camera and speaker to direct the patient to wait for care team assistance or alert staff to help. This 24/7 monitoring program decreased falls with more than 6,800 redirects between May and October. Avera plans to roll out the virtual nursing program eventually to all of their hospitals. Becker’s, Sioux Falls Business (photo credit)

In the UK, Doccla is partnering with Up Care Derbyshire to set up ‘virtual wards’ for at-home care in Derby and Derbyshire. The NHS has a well-known problem with available hospital beds. Much like the US, a nascent hospital-at-home program is attempting to relieve the situation by moving the patient back home faster without skimping on care in five care areas: palliative, respiratory, frailty, cardiology and hematology (haematology). The patient in the program receives a Doccla box with the tools needed for monitoring and coordinating care: a pre-configured smartphone with an easy-to-read large font for the app, plus wearable medical devices to monitor vital signs such as heart rate, respiration rate, body temperature, blood oxygen levels, and blood pressure that are connected to the smartphone. Clinicians monitor the patients at dedicated hubs and call in home health nurses when needed. The program will be at five locations initially within Up Care Derbyshire’s integrated health system (ICS) to enable local NHS hospitals to discharge eligible patients and has a peak capacity at present of 200. One objective is faster patient discharge, but the second is to reduce the need for hospitalization for patients with long-term or chronic health conditions. One area that isn’t apparent is if the camera is used as part of evaluations or contact.

Doccla is now in one-third of integrated care boards (ICBs) and more than 25 NHS Trusts, with a patient compliance rate of over 95% and an independently verified saving for the NHS of £3 for every £1 spent on Doccla. DigitalHealth.net