Class action legal action by pharmacists, providers ramps up against Change Healthcare/UnitedHealth Group

More litigants in a legal pile-on in Minnesota. The National Community Pharmacists Association (NCPA), with 19,000 pharmacy members, and around 40 providers have filed suit against UnitedHealth Group, Optum, and Change Healthcare in the US District Court for the District of Minnesota. The 140-page document charges that UHG/Optum/Change had substandard network security in their clearinghouse operations, leading to the Blackcat/ALPHV breach, and that the plaintiffs might have chosen another clearinghouse and revenue cycle management platform had they known this. The pharmacists and providers all suffered monetary damages from the outage that are still unresolved.

From the press statement, NCPA CEO B. Douglas Hoey: “NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies. Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy. The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.” He also pointed to the pharmacies’ losses remaining unpaid, financial losses, and taking losses for vulnerable patients with high-cost prescriptions.

According to Healthcare Dive, the multiple lawsuits against UHG must be centrally filed in Minnesota, as ordered by a Federal judicial panel, since UHG is headquartered there. Nothing will move quickly, as class action suits typically take two or more years to be heard and then appealed.

Change started its HHS-OCR mandated process of notifications around 20 June with hospitals, insurers, and other customers. Individuals and practices were not scheduled to be notified until late July but no date has been announced. The Change website also contains a very carefully worded ‘HIPAA Substitute Notice’ that reads like a consumer data breach notification. TTA 21 June

News roundup: UHG CEO’s Bad Day at Capitol Hill; Kaiser’s 13.4M data breach; Walgreens’ stock beatup; Cigna writes off VillageMD; Oracle Cerner shrinks 50%; Owlet BabySat gets Wheel; fundings for Midi, Trovo, Alaffia, Klineo

It was a Bad Day at Boot (Capitol) Hill for UnitedHealth Group’s CEO Andrew Witty. On May Day, he was the Man In The Arena facing two Congressional grillings–the first from the Senate Finance Committee in the morning, and the second in the afternoon from the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. The precipitating event was the Optum/Change Healthcare data breach and system hacking by ALPHV/BlackCat, a disruption which is as of today not fully resolved.  Millions of patients may have had data stolen and exposed–a number that has yet to be determined, but an outcome for which UHG, while paying the ransomwaristes, has prepared. Already, the VA has notified 15 million veterans and families of that possibility.

This Editor will be linking below to multiple articles and Mr. Witty’s prepared testimony. Interested Readers can also refer to YouTube for extensive links to video testimony. Highlights:

  • Both houses criticized the slow response and amount of financial assistance given to providers after the shutdown of Change’s systems prevented (and still is preventing) timely claims processing and payment. While ‘near normal’ volumes of medical claims and 86% restoration of payment processing sounds good, that leaves a lot of wiggle room on over two months of totally disrupted processing and payment. The billion or so cited sounds impressive but much of this is in loans. Most practices and groups simply do not have the financial cushion or billing skillset to bridge this disruption, to pay back loans, or to bookkeep this.
  • Also criticized at this late date was UHG being unable to determine how many individuals had PHI exposed in the breach.
  • As to cause, the description of UHG finding that surprise, surprise, Change’s systems were way out of date, stored on physical servers versus the cloud, and used Citrix remote access without multi-factor authentication (MFA) was utterly savaged. According to Mr. Witty, ALPHV after days of knocking around got in on the one server that did not have MFA authentication.

The blunt fact is that UHG had close to two years (January 2021-Oct 2022) before the buy closed. Due diligence consisting of a full audit had to have been done on Change’s IT systems. They processed what UHG wanted to buy. In this Editor’s estimation, Job #1! for UHG should have been ensuring that Change’s systems were hardened, then upgrading to what Mr. Witty called UnitedHealth’s standards. This Editor will go further. A minimum requirement for the sale should have been security hardening. There was time before the closing.

Senator Thom Tillis, R-North Carolina, had the best riposte. He brought a copy of “Hacking for Dummies” to the hearing, highlighting MFA. I doubt he was much moved by UHG now bringing in cybersecurity company Mandiant to both investigate and harden their systems, nor by UHG having to pay ransom, without knowing whose data was compromised.

  • Beyond the breach, UHG was called ‘monopolistic’ by both Republican and Democrat Members. There were calls to break up UHG as not ‘too big to fail’. UHG has grown by acquisition and consolidation of services. As this Editor has speculated, this is likely coming to an end with the new, much more stringent Merger Guidelines. This sentiment paints a large, unmissable target on UHG’s back for aiming FTC’s and DOJ’s missiles. (DOJ also has a huge score to settle with UHG dating back to the failure to block the Change sale.)

By the end of the day, Mr. Witty looked quite the worse for wear–tie and collar askew, slightly sweaty, versus the perfect poses of the various Members. Becker’s, FierceHealthcare, Axios, HealthcareDive    Mr. Witty’s Senate testimony statement, House testimony statement

Speaking of data breaches, Kaiser Permanente reported a big one to Health and Human Services (HHS). This relates to ad tracker information shared with third-party advertisers such as Google, Microsoft, and X. Kaiser used it in secured areas of their website and mobile apps. Information disclosed could be name and IP. Kaiser reported it on 12 April but only disclosed on 25 April that 13.4 million records may have been affected. The ad trackers have since been removed. TechCrunch, FierceHealthcare 

Walgreens stock not recovering. April was WBA’s worst month in five years and May is no better, with the stock muddling around $17.50. The month slid around 18%. Their 52-week high was $33. As of now, CEO Tim Wentworth’s actions such as closing locations and writing down VillageMD haven’t convinced Mr. Market of WBA’s worth, but in fairness it’s early in his tenure. In the Insult to Injury Department, it was revealed that the IRS is seeking to claw back $2.7 billion in unpaid 2014-2017 taxes. Crain’s Chicago Business

Cigna is also writing down its interest in VillageMD. Almost forgotten is that in late 2022, Cigna invested $2.5 billion into VillageMD. They have now written down $1.8 billion of that ‘low teens’ ownership. The planned tie was connecting Village Medical into Evernorth, Cigna’s medical services area. It was also supposed to provide Cigna with an annual return on investment, but one assumes it did not. The writeoff threw Cigna’s Q1 into the red with a net loss of almost $300 million versus a prior year profit of $1.3 billion, despite a strong quarter that grew revenue 23% versus prior year to $57.3 billion. Healthcare Dive

Oracle Health has been successful–in shrinking Cerner by close to half. Records of employment at Cerner’s Kansas City-based operation have declined from 11,900 people in 2022 (Kansas City Area Development Council) to a current 6,400 (internal documents). Cerner itself reported 12,778 local full-time-equivalent employees in 2022. Oracle had multiple layoffs of Cerner affecting Kansas City workers and has consolidated multiple office buildings and campuses. Becker’s

In more cheerful news:

Baby monitor Owlet announced a strategic partnership with Wheel for Owlet’s BabySat. BabySat is Owlet’s FDA-cleared prescription vital signs monitor for infants 1-18 months. Wheel clinicians can now prescribe BabySat which enables parents to order BabySat from Owlet and other suppliers. With Wheel, BabySat also integrates with durable medical equipment (DME) suppliers who accept and can bill for the product through many insurance providers for partial or full reimbursement. Wheel is a virtual care platform and physician/nurse-practitioner online network available direct to consumer and to enterprises. Owlet release

And rounding up funding:

MidiHealth closed a $60M Series B funding. This was led by Emerson Collective with participation from Memorial Hermann, SemperVirens, Felicis, Icon Ventures, Black Angel Group, Gingerbread Capital, Able Partners, G9, and Operator Collective for a total of $99 million in funding. Midi provides virtual support for women going through peri- and full menopause. The fresh funding will help them expand national insurance coverage, hire and upskill an additional 150 clinicians by end of year, diversify service lines, and scale to care for 1 million+ women per year by 2029. Release

Trovo Health launched with $15 million in seed funding, led by Oak HC/FT. The NYC-based AI-powered provider task assistance platform will use the funding to build its technology platform, clinical operations, and leadership team. Mobihealthnews 

In the same roundup, NYC-based Alaffia Health scored a $10 million Series A round. This was led by FirstMark Capital with participation from Aperture Venture Capital. Alaffia creates generative AI solutions for payment integrity in health insurance claims operations, with the aim of eliminating insurance fraud, waste, and abuse for health plans, third-party administrators, self-insured employers, stop-loss carriers, and government agencies. Their total raise to date is $17.6 million. Paris-based Klineo also raised €2 million for its oncology clinical trials search platforms, assisted by AI, for the use of doctors and patients. BPIFrance and business angels participated in the round.

News roundup: Now Clover Health faces delisting; BlackCat/ALPHV affiliate with 4TB of data puts it up for sale; $58M for Biolinq’s ‘smallest blood glucose biosensor’

Clover Health takes another pass at Nasdaq delisting. Once again, Clover’s Class A shares (CLOV) have been trading with an average closing price of below $1.00 over a consecutive 30 trading-day period, which violates Nasdaq’s continued listing minimum price criteria for the Nasdaq Global Select Market. This was announced in their most recent 8-K filed with the SEC 2 April. Clover has until 30 September to remedy the situation. An additional 180-day period may be elected if Clover transfers to the Nasdaq Capital Market. FierceHealthcare, Becker’s

The delisting is a rerun of their situation last year at this time. Clover considered a reverse stock split to be approved by shareholders but the share price improved on its own and the action was not necessary. This year, it may be. Clover is currently trading at $0.7365. Last August, it hit a high of $1.55 before sliding to below $1.00. An example of a SPAC through Social Capital Hedosophia Holdings, it hit a high of over $15 on 8 January 2021 before cracking that year based on revelations that Clover did not reveal a Department of Justice investigation starting the prior year, which prompted an SEC investigation [TTA 9 Feb 2021], triggering seven shareholder lawsuits that were not settled until December 2023. Clover Health exited the advanced value-based primary care program, ACO REACH, at the end of the 2023 performance year after two years to focus on their Medicare Advantage and Clover Assistant businesses [TTA 6 Dec 2023]. Financially, Clover closed 2023 with revenue of $2.033 billion (down from 2022’s $3.5 billion), net loss of $213.4 million, and an adjusted EBITDA loss of $44.7 million, with the losses improved over 2022. Clover release 

As predicted, 4TB of Change Healthcare data is up for sale. In a typical ransomwareiste move, the affiliate making nasty comments about BlackCat/ALPHV and claiming it had 4TB of data now has put the specs out on a dark web site called Ransomhub. The post first accuses ALPHV of stealing the $22 million ransom paid by UnitedHealth Group and not sharing it with the affiliate. It then claims it has highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more. If Change/UHG isn’t interested, it will be up for sale to the highest bidder. Readers will recall the claims of ‘notchy’ early in the Change Healthcare attack [TTA 7 Mar] though UHG has not confirmed any payment to ALPHV. The demand for payment for the 4TB of data that ‘notchy’ claimed to possess was hardly unexpected. DataBreaches.net

A non-invasive “smallest ever” transdermal biosensor in development may turn the CGM business upside down. Biolinq’s latest round of $58 million will fund a pivotal clinical trial and FDA submission of its intradermal glucose sensor. The funding was led by Alpha Wave Ventures, with participation from Niterra’s corporate venture capital fund jointly operated with Pegasus Tech Ventures and existing investors RiverVest Venture Partners, AXA IM Alts, Global Health Investment Corporation, and four others, for a total since 2014 of $254 million. Crunchbase Current blood glucose sensors penetrate the skin with tiny needles. The Biolinq biosensor uses electrochemical sensors to measure glucose levels from the intradermal space just beneath the surface of the skin, on top of the capillary layer avoiding scarring. To access the intradermal layer, the sensors must be “200 times smaller than a human hair filament” according to Biolinq CEO Rich Yang. It also can combine blood glucose information with relative levels of activity in one device to eventually measure other analytes. The device as currently designed displays key information directly on the sensor–yellow light for high blood glucose, blue for normal. Release, MedCityNews

Short takes: ransomware op BlackCat busted by FBI, websites shut–for now; health systems lay off IT staffers; retailers collecting way too much PII including health

FBI busts BlackCat/ALPHV ransomware. In an Eliot Ness-like move, the Federal Bureau of Investigation (FBI) got busy and delivered a nice present to healthcare organizations for Christmas. According to two 19 December articles in Bleeping Computer (article 2), the FBI seized operational darknet websites for the ALPHV ransomware operation (article 1) and created a decryptor to help approximately 500 companies recover their data for free, negating $68 million in ransom demands. The details are a little thin, but Bleeping reconstructed in article 2 what they could out of the search warrant. The FBI arranged with a confidential human source (CHS) to become a backend affiliate, meaning the CHS could log in and use ALPHV’s affiliate panel to manage extortion and ransom campaigns. It sounds like a rather nifty platform with lots of management and negotiation tools if you’re extorting a victim company. How the FBI got the decryption keys is another matter they are mum on, as not available through the affiliate panel, but “they obtained 946 private and public key pairs associated with the ransomware operation’s Tor negotiation sites, data leak sites, and management panel”. 

US law enforcement was assisted by their counterparts in Europol, plus law enforcement in Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, and Austria. This is the third breach of the same gang; as Bleeping Computer put it, they’ll “rebrand under a new name as they have done in the past” in a few months.

But maybe faster than that. Some added details from Healthcare IT News sourced from KrebsonSecurity:  BlackCat briefly unseized its darknet site, wiped out the FBI screen above (courtesy Bleeping Computer), and put in a ‘we’re unseized’ notice (in the Krebs article) that they were still open for business at a different location, offering affiliates a 90% payout, and that for affiliates, you could ransomware anything, anywhere (hospitals and nuclear plants cited!) except those located in Russia and the CIS. 

Given ransomware, hacking, cybersecurity threats, and maintaining/upgrading operations, you’d think hospitals would be hiring, not firing, IT workers. But noooooo. Becker’s listed seven health systems that are either pinkslipping IT staff or transferring them to outsourced companies. They are Kaiser–115 nationwide; Novant Health–unknown due to ‘changing up their IT system’; Tower Health (Reading PA)–outsourced staff to a vendor; Mass General Brigham–staff reduction via voluntary buyouts in effect 22 November; Bon Secours Mercy Health–layoffs plus eliminating open roles; Care New England–outsourced staff to health IT provider Kyndryl; Franciscan Health–moved 61 to a vendor. Pennywise, pound foolish.

Here’s more than money you’ve left behind with your online holiday shopping–data, and lots of it. This study from Incogni Research is unnerving, as it goes far beyond what you think you’ve shared–you buy nasal spray in the winter, allergy eyedrops in the spring, etc.– to what retailers are actually collecting on you. This Editor will cite only the companies in healthcare–CVS, Walgreens, Amazon, and Walmart–according to their study:

  • All four collect PII data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
  • Walmart, CVS, and Walgreens additionally collect Social Security numbers, union membership status, and sex-life data.
  • Their apps collect 15 to 20 data points, such as exact location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, device or other IDs

Users can opt out of some of these, but most do not. And some go to third parties. And all had been breached at one time or another, whether at the retailer or at the vendor level. Prepare to be shocked and dismayed. Release on DR Journal

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated that “We immediately contained the threat, secured our network, and have returned to normal operations,” the spokesperson said. “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.”  NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More according to SC Media in these reports: 

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one to five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. One is a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media