News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA), said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach which started in late February. Knowing the extent of the breach is needed to start notifications. It has not formally notified HHS of the breach long past the 60-day mandated window (see #3 in the HHS FAQs). This may create an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page that has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take was that threats are more common than ever, bad actors are abundant and getting better (using tools that can make amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code.”), managing weaknesses in third-party vendors that live in the cloud is a Herculean task, phishing, and the need for ‘government’ to be involved. 

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite their struggles with Minute Clinics and Oak Street. Despite the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100 total, plus CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy cycle revenue and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding for a total of $26 million. Crunchbase, Mobihealthnews

Short takes: Legrand acquires Enovation, FDA nixes Cue Health’s Covid tests, Ascension confirms ransomware attack–who did it? (updated), beware of ‘vishing’ courtesy of ChatGPT

Legrand Care acquires Enovation. Enovation is a Netherlands-based digital health company with a connected care platform for care monitoring across prevention, early detection, medication checks, and remote healthcare. Its customer base includes ambulances, pharmacies, clinics, hospitals, and home care. With distribution in healthcare organizations across 18 countries, including Scottish Digital Telecare [TTA 11 Aug 2021], it will join the equally international Legrand’s Assisted Living and Healthcare (AL&HC) business unit with Intervox, Neat, Tynetec, Jontek, and Aid Call. Acquisition cost was not disclosed. Release   Legrand and Tynetec are long-time supporters of TTA.

The hammer drops on embattled Cue Health. The US Food and Drug Administration (FDA) has invalidated Cue Health’s Covid-19 Tests for Home and OTC Use and for the authorized lab test version. Home users were advised to discard unused kits in household trash. Both consumers and providers were advised to retest if symptoms persisted after a negative test result. This followed an FDA inspection of their operations that determined that unauthorized changes to the test kit design were made along with failures in performance testing. A Warning Letter was issued to Cue on 9 May. The company has not yet responded. FDA Safety Communication

Cue was one of many biotech manufacturers that marketed Covid-19 point of care/lab, and home testing kits after obtaining Emergency Use Authorizations (EUA) in 2020 and 2021. It exploded in size and went public in September 2021 at $200 million and $16/share with a valuation of $3 billion. Today HLTH shares trade on NasdaqCM at a little bit over $0.13. Their headquarters facilities in San Diego that once had 1,500 employees must be a lonely place, as the company reported another layoff of 230 employees, about half of remaining staff, after earlier layoff rounds of 245 in February and 880 in 2023. Their remaining test is one for Mpox on a EUA. Two other tests developed for flu and RSV are still under FDA review.  Cue Health’s financial reports for 2023 were dismal with revenue down to $71 million, an 85% reduction versus 2022, and a net loss of $373.5 million. Recent reports indicate that the company will refocus on marketing its Cue Health Monitoring System. Management and board changes have also been drastic, with a CEO change in March (Yahoo Finance) and the CFO departing this past Monday. MedTech Dive

Ascension Health finally acknowledged that its cyberattack was ransomware-based. On Saturday 11 May, their website event update confirmed that the cyberattack was ransomware. The Saturday and Monday 13 May updates also confirm that system operations will continue to be disrupted with no timetable set for restoration to normal status. Impacted systems include their EHR, MyChart, and some hospitals are diverting emergency care. The update page now has 12 regional updates and a general + patient FAQ. Update: in these states, Ascension’s retail pharmacies cannot fill prescriptions: Florida, Wisconsin and the District of Columbia. Their website recommends that patients bring paperwork and prescription containers. Lab and imaging results are delayed. Since the hospitals are on manual systems, overall there are delays in admissions–bring documentation. And the class-action suits have started, with reports that three have been filed already. Healthcare IT News

Who dunnit? DataBreaches.net reported over the weekend that Ascension’s hack has been attributed to interestingly named ransomwareistes Black Basta. Late last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Black Basta. It’s another charming ransomware-as-a-service (RaaS) with bad news affiliates like BlackCat/ALPHV wreaking havoc on over 500 organizations globally. No word on whether Ascension has paid ransom. 

Speaking of cybersecurity, now something else to worry about–‘vishing’. This is ‘voice phishing’, another generative AI-facilitated hack that uses snippets of a human voice to pose as people or represent organizations via phone call or voicemail. Not enough? There’s ‘smishing’–SMS or text phishing which can invade your phone with all sorts of nasty messages. These attacks, according to cybersec firm Enea, are up twelve-fold since the launch of ChatGPT. Vishing, smishing, and phishing (email) attacks have increased by a staggering 1,265%. 76% of enterprises lack sufficient voice and messaging fraud protection. Can we go back to the 1990s? 2000s? When we worried about “Nigerian princes” email scams? Becker’s, Enea survey report

Short takes: Medicare telehealth flexibilities may extend; ‘no interest’ in Transcarent sale; NeueHealth ekes out positive net income; Cigna and Oscar break up; DocGo, Ascension cyberattacked (updated)

Two-year extension of telehealth flexibilities advances in Congress. A small telehealth victory was notched in the House, where the powerful Ways and Means Committee passed the Preserving Telehealth, Hospital, and Ambulance Access Act by a vote of 41-0. The bill would extend many of the Medicare and Federal program telehealth waivers and flexibilities established during the pandemic to the end of 2026. It is now expected that the House will bring the bill to the floor for a full House vote in the fall session. Ways and Means’ jurisdiction is over most financial and revenue-raising Federal measures, such as taxation, Social Security, and Medicare. Highlights of the bill:

  • Geographic and originating-site waivers
  • Ability for Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) to continue to furnish telehealth services
  • Expanded list of eligible Medicare providers, allowing physical therapists, occupational therapists, speech language pathologists, and audiologists to render telehealth services
  • Ability to offer audio-only services
  • Repeal of telemental health in-person requirement
  • Preservation of the Acute Hospital Care at Home Program through CY2029

Parts are controversial, such as the telemental in-person requirement, hospice recertification, and guardrails around durable medical equipment (DME) and clinical diagnostics requiring reports to prevent fraud, waste and abuse. The bill did not include remote prescribing of controlled substances. Expect further markups to be made before passage in the House, later in the Senate, and the joint bill. The American Telemedicine Association (ATA) applauded the bill with the main caveat being around telehealth controlled substance prescribing. Full text, FierceHealthcare, ATA release

Glen Tullman rules out a sale of Transcarent–but not an IPO. On the heels of a substantial $126 million in Series D funding and a  jumbo $2.2 billion valuation [TTA 8 May], Transcarent’s CEO Tullman, in an interview with MedCityNews, stated that he had “no interest” in selling the company. Transcarent is already run “like a public company”, has a strong leadership team already in place, and “we’ll make any exit decisions for the right reasons.” Mr. Tullman has already run four public companies and IPO’d three: CCC Information Systems (in auto insurance), Livongo, Allscripts (now Veradigm), and Enterprise Systems. Livongo was sold to Teladoc in 2020, with consequences. Veradigm, the former Allscripts, went public in 1999–25 years ago in a vastly different world. Their big bet in enterprise health navigation is now on AI for both physicians and members.

Back to the New Reality, Bizarro World edition. NeueHealth, which is achieving a world record in Dodging Disaster while paying out leadership bonuses, eked out a decent Q1. The former Bright Health Group managed to squeak out revenue of $245.1 million, operational net income of $5.7 million, and an adjusted EBITDA of $2.5 million compared to a Q1 2023 loss of $5.7 million. This doesn’t mean it was profitable because its net income for Q1 was a negative $28.5 million. Revenue dropped by 18%–$55 million–compared to Q1 2023. New Enterprise Associates (NEA) must be pleased, as they are now 60% owner of the operation with another loan of $30 million secured by penny warrants [TTA 16 Apr]. The full year guidance was reaffirmed at $1 billion in revenue with 70% coming from its NeueSolutions business (their management services for ACOs and IPAs), and adjusted EBITDA between $15 million and $25 million. What remains, of course, are the UXBs–the problems with their financial reporting as noted in their 2023 results and that ever-so-nasty $400 million in payments due to CMS in March 2025, as well as to Texas on their exited ACA plans. But NeueHealth has played both ends against the middle and tied up creditors in Gordian knots for a couple of years, so why not keep on keepin’ on for now? Release, earnings call transcript, FierceHealthcare   TTA 5 April

The much-touted partnership of big Cigna and insurtech Oscar Health is breaking up. The Cigna + Oscar joint program covers the small group business. As of the end of Q1, it had 61,428 members enrolled. The program, which had no forecast of profitability, will end in 2025. CEO Mark Bertolini’s statement was rather forceful in this regard. Oscar is shifting to marketing ICHRA, or individual coverage health reimbursement arrangements that permit small businesses to offer employees individual health plans subsidized by employer contributions. Cigna will continue to offer plans for the small and midsize group market. Becker’s

Cyberattacks strike DocGo, Ascension Health. DocGo reported a data breach in its 7 May Form 8-K filed with the SEC. It involved a limited but unspecified amount of protected health information (PHI) of patients using its ambulance services, but was confined only to that. No other report of the breach has been made. This followed a positive Q1 report of revenue up to $192.1 million, from $113 million in the same quarter 2023. Net income was $10.6 million versus last year’s net loss of $3.9 million. Adjusted EBITDA went up to $24.1 million versus $5.6 million. DocGo provides telehealth/RPM, mobile urgent care, disease management, and medical transportation services. It recently lost its lucrative but controversial NYC migrant service contract but retains city Health + Hospitals contracts and some smaller housing service contracts. Mobihealthnews

Ascension Health, on the other hand, has had a serious disruption in some clinical operations affecting an undisclosed number of hospitals and systems, but was reported in Michigan. On Wednesday, Ascension detected unusual activity in select technology-network systems. They advised business partners to sever connections to their systems and have brought in Mandiant to assist in investigation and remediation efforts. Ascension is one of the largest health systems in the US, with 140 hospitals in 19 states plus the District of Columbia. Healthcare Finance, Detroit Free Press, Ascension website

Ascension Update: Reports since yesterday are now far more exact. Its EHR, MyChart, several systems for ordering tests and medications, plus some phone systems are unavailable across the system. Some appointments and surgeries have been postponed. There are emergency diversions of care in some locations. Ascension’s statements to media have been that ‘downtime procedures’ will be in place ‘for some time’. There is no timeline given for restoration. Becker’s, Healthcare Dive

 

News roundup: Transcarent buys 98point6’s virtual care; Best Buy-Atrium hospital-at-home; Walgreens/VillageMD buys another practice group; WW-Sequence digital weight management; UKTelehealthcare events; 300 out at Color

Enterprise health navigator Transcarent is buying 98point6’s virtual care platform and related assets. 98point6’s tech is a text-based virtual care platform that uses an AI chatbot to collect and relay health information to a provider. According to CEO Glen Tullman’s interview with Forbes, the assets picked up in addition to the tech include 98point6’s physician group, self-insured employer business, and an irrevocable software license in a deal worth potentially $100 million. This fits in Transcarent’s platform that works with large employers to steer their employees to higher quality, lower cost care settings based on actual users only in risk-based agreements, versus the more common per member per month care management model. 98point6 will continue in a leaner form, licensing its software to third parties, but out of the treatment business. Its major relationship is with MultiCare Health System in Washington state. 98point6 had raised over $260 million from 2015 through a 2020 Series E.  Mobihealthnews

Best Buy Health is providing telehealth equipment and installation to North Carolina-based Atrium Health’s hospital-at-home program. In the three-year deal, Best Buy’s Geek Squad will install peripherals based on the patient’s needs, transmitted through a Current Health telehealth mobile connectivity hub and using their software. Terms were naturally not specified, but Atrium is purchasing the devices from Best Buy. The Geek Squad services serve for both installation and retrieval after care. Atrium is paid via insurance including Medicare and Medicaid. Atrium, part of Ascension Health, has 10 hospitals in the program already and is aiming for 100 patients in the program each day. CNBC

VillageMD expands again, adds Starling Physicians in Connecticut. Starling has 30 primary care and multi-specialty practices, including cardiology, ophthalmology, endocrinology, and geriatric care. VillageMD’s total is now over 700 locations. Transaction costs were not disclosed. VillageMD has been on an acquisition tear, powered by Walgreens’ and Evernorth-Cigna funding for Summit Health, Family and Internal Medicine Associates in central Kentucky, and Dallas (Texas) Internal Medicine and Geriatric Specialists. HealthcareFinance, Healthcare Dive.

WW (the former Weight Watchers) has an agreement to acquire Sequence, a subscription telehealth platform for clinical weight management. Sequence is targeted to healthcare providers specializing in clinical care, lifestyle modification, and medication management for patients being treated for overweight and obesity. It also manages the navigation of insurance approvals. Terms were not disclosed, but Sequence since going live in 2021 serves 24,000 members and has a $25 million annual revenue run-rate business. WW is building out a clinical weight management pathway and intends to tailor a nutrition program for this segment. Release

UKTelehealthcare has an upcoming digital event, TECS Innovation Showcase 2 on Wednesday 15th March 2023 (10:30-12:30 GMT). Also, there are links to the webinars given during today’s event, TECS Innovation Showcase 1, January’s Analogue to Digital Transformation Update, and several more. Register for the 15 March event and links/passwords for previous events here or click on the UKTelehealthcare advert at the right and go to the Events page. These events concentrate on the analogue-digital switchover and TECS in the UK.

Color, a population health technology company that expanded into Covid-19 testing and later telemental health during the pandemic, is now laying off 300. Their CEO Othman Laraki confirmed in a post on LinkedIn (which seems to be a corporate communications trend) that this reflects decreased demand for Covid testing and the end of the public health emergency. Their future direction will be in distributed testing and telehealth for government programs and prevention tools for employers and large healthcare companies. The CEO’s post included a spreadsheet of the laid-off individuals including links to their LinkedIn profiles and desired positions, another corporate trend in addition to those laid off posting about it almost immediately. It seemed to be heavy on software engineers, data scientists, support leads, and product managers.

The company pivoted from genomics to public health with major Series D and E raises of $167 and $100 million respectively in 2021, totaling $482 million since start in 2014, and was valued at $4.6 billion by November 2021. It bought into behavioral health services with the acquisition of Mood Lifters, an online guided group support system, in 2022. The (happy) decline of Covid is affecting testing-dependent businesses across the board. Lucira Health, which had received a EUA for its combination Covid/flu testing, filed for Chapter 11 bankruptcy reorganization in February.  Beckers, Mobihealthnews 3 Mar, 27 Feb

Short takes: Google’s Care Studio app debuts, Modern Age’s healthy (aging) $27M Series A, OnSky Health launches pad-based RPM

Care Studio, Google’s EHR search tool and patient record organizer, will be available to clinicians as a mobile app. The desktop version is in the process of acceptance testing with Ascension Health and Beth Israel Deaconess Medical Center (BIDMC). The company is looking to pilot the tool in Q4 or Q1 2022. Care Studio is capable of cross-checking information from multiple EHRs, accessing a patient summary, patient location, a “one-liner” provided from a previous note and a link back to the source, vitals and labs. The Google spokesman’s comments emphasize privacy, which is understandable given Care Studio’s earlier incarnation as Project Nightingale at Ascension in 2019. That made headlines since Google accessed 10 million identified patient records without patient or physician consent or knowledge, including patient name, lab results, diagnoses, hospital records, patient names, and dates of birth [TTA 9 April]. Mobihealthnews

Modern Age, which promotes better aging through boosting wellness, raised $27 million from Oak HC/FT, GV, and Juxtapose. The company’s attractive proposition is to use technology to ‘connect the dots’ around health as you age, and to bring together all the tools to ‘feel younger and live longer’. This starts with a personal assessment across variables to determine how old one feels, plus the areas of health and wellness that are most important, concentrating on skin, hair, bones, and hormones. The fresh funding will be used to build out their clinic in New York’s Flatiron district to open in early 2022, and build out their company from the present 17 to about 50. The founder Melissa Eamer is a former vice president at Amazon and COO at Glossier so has a handle in both the tech and appearance worlds. Aging and longevity are attracting investment, according to TechCrunch, with companies like Longevica, Gero AI, and Rosita Longevity gaining funding. Mobihealthnews

San Jose-based startup OnSky Health enters the remote patient monitoring fray with SkyPad, which claims to be the first virtual care solution that provides continuous contact-free vital sign sensing with an optional emergency alert and calling service. The SkyPad is a sensor pad placed under the patient’s or resident’s pillow, which then uses machine learning software on the sensor data generated through the pad. The pad and system monitor multiple vital signs: heart rate, respiration rate, sleep-habit / sleep-quality tracking, breathing quality, snoring, and body temperature variation. It also checks for patient safety monitoring and assistance alerts. System monitoring is done through a tablet. The alert system is optional. The parent, OnSky Inc., is an alarm system company based in Ho Chi Minh City, Vietnam (Crunchbase). Release, Mobihealthnews

Google’s Care Studio patient record search tool to pilot at Beth Israel Deaconess Medical Center

A cleaned-up Project Nightingale? Beth Israel Deaconess Medical Center (BIDMC) in Boston announced their participation in a pilot with Google of Care Studio, described in the BIDMC press release as “a technology designed to offer clinicians a longitudinal view of patient records and the ability to quickly search through those records through a single secure tool.” In other words, it’s like Google Search going across multiple systems: the BIDMC proprietary EHR (WebOMR), core medical record system, and several clinical systems designed for specific clinical specialties. All the clinician need do is type a term and the system will provide relevant information within their patient’s medical record from these systems, saving time and promoting accuracy.

The BIDMC pilot will use a limited group of 50 inpatient physicians and nurses, to assess the tool’s quality, efficacy, and safety of its use. Technical work starts this month.

At the end of the BIDMC release, it’s carefully explained that the tool is “designed to adhere to state and federal patient privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and industry-wide standards related to protected health information. BIDMC and Google Health have entered into a Business Associate Agreement (BAA) to ensure that both parties meet patient privacy obligations required under HIPAA. BIDMC patient data will be stored and maintained in a protected environment, isolated from other Google customers.” (Editor’s emphasis) The BAA was inked in 2018.

Without referring to it, it addresses the controversy surrounding Google’s Project Nightingale and Ascension Health, a major privacy kerfuffle pre-COVID that broke in early November 2019. From the TTA article, edited: “Google’s BAA allowed them apparently to access in the initial phase at least 10 million identified health records which were transmitted to Google without patient or physician consent or knowledge, including patient name, lab results, diagnoses, hospital records, patient names and dates of birth.” Ascension maintained that everything was secure and Google could not use data for marketing or other purposes not connected to the project, but handling was under wraps and Google employees had access to the data. Ascension’s core agreement was about migration of data to Google Cloud and providing G Suite tools to clinicians and employees. But apparently there was also a search tool component, which evolved into Care Studio.

Health and Human Services (HHS) Office for Civil Rights, which governs privacy, announced an investigation at the time. The only later reference this Editor was able to locate was in HIPAA Journal of 5 March 2020 regarding the request of three Senators from both sides of the aisle demanding an explanation on the agreements and what information Google employees accessed. The timing was bad as then COVID hit and all else went out the window. In short, the investigations went nowhere, at least to the public.

It would surprise this Editor if any questions were raised about Care Studio, though BIDMC’s goal is understandable and admirable. Also Becker’s Hospital Review, FierceHealthcare

Weekend ‘Must Read’: Are Big Tech/Big Pharma’s health tech promises nothing but a dangerous fraud?

If it sounds too good to be true, it isn’t. And watch your wallet. In 14 words, this summarizes Leeza Osipenko’s theme for this article. It may seem to our Readers that Editor Donna is out there for clicks in the headline, but not really. Dr. Osipenko’s term is ‘snake oil’. It’s a quaint, vintage term for deceptive marketing of completely ineffective remedies, redolent of 19th Century hucksters and ‘The Music Man’. Its real meaning is fraud.

The promise is that Big Data, using Big Analytics, Big Machine Learning, and Big AI, will be a panacea for All That Ails Healthcare. It will save the entire system and the patient money, revolutionize medical decision making, save doctors time, increase accuracy, and in general save us from ourselves. Oh yes, and we do need saving, because our Big Tech and Big Health betters tell us so!

Major points in Dr. Osipenko’s Project Syndicate article, which is not long but provocative. Bonus content is available with a link to a London School of Economics panel discussion podcast (39 min.):

  • Source data is flawed. It’s subject to error, subjective clinical decision-making, lack of structure, standardization, and general GIGO.
  • However, Big Data is sold to health care systems and the general public as if none of these potentially dangerous limitations even exist.
  • Where are the long-range studies which can objectively compare and test the quality and outcomes of using this data? Nowhere to be found yet. It’s like we are in 1900 with no Pure Food Act, no FDA, or FTC to oversee.
  • It is sold into health systems as beneficial and completely harmless. Have we already forgotten the scandal of Ascension Health, the largest non-profit health system in the US, and Google Health simply proceeding off their BAA as if they had consent to identified data from practices and patients, and HIPAA didn’t exist? 10 million healthcare records were breached and HHS brought it to a screeching halt.
    • Our TTA article of 14 Nov 19 goes into why Google was so overeager to move this project forward, fast, and break a few things like rules.
  • We as individuals have no transparency into these systems. We don’t know what they know about us, or if it is correct. And if it isn’t, how can we correct it?
  • “Algorithmic diagnostic and decision models sometimes return results that doctors themselves do not understand”–great if you are being diagnosed.
  • Big Data demands a high level of math literacy.  Most decision makers are not data geeks. And those of us who work with numbers are often baffled by results and later find the calcs are el wrongo–this Editor speaks from personal experience on simple CMS data sets.
  • In order to be valuable, AI and machine learning demand access to potentially sensitive data. What’s the tradeoff? Where’s the consent?

Implicit in the article is cui bono?

  • Google and its social media rivals want data on us to monetize–in other words, sell stuff to us. Better health and outcomes are just a nice side benefit for them.
  • China. Our Readers may also recall from our April 2019 article that China is building the world’s largest medical database, free of those pesky Western democracy privacy restrictions, and using AI/machine learning to create a massive set of diagnostic tools. They aren’t going to stop at China, and in recent developments around intellectual property theft and programming back doors, will go to great lengths to secure Western data. Tencent and Fosun are playing by Chinese rules.

In conclusion:

At the end of the day, improving health care through big data and AI will likely take much more trial and error than techno-optimists realize. If conducted transparently and publicly, big-data projects can teach us how to create high-quality data sets prospectively, thereby increasing algorithmic solutions’ chances of success. By the same token, the algorithms themselves should be made available at least to regulators and the organizations subscribing to the service, if not to the public.

and

Having been massively overhyped, big-data health-care solutions are being rushed to market without meaningful regulation, transparency, standardization, accountability, or robust validation practices. Patients deserve health systems and providers that will protect them, rather than using them as mere sources of data for profit-driven experiments.

Hat tip to Steve Hards.

Google’s ‘Project Nightingale’–a de facto breach of 10 million health records, off a bridge too far?

Breaking News. Has this finally blown the lid off Google’s quest for data on everyone? This week’s uncovering, whistleblowing, and general backlash on Google’s agreement with Ascension Health, the largest non-profit health system in the US and the largest Catholic health system on the Planet Earth, revealed by the Wall Street Journal (paywalled), has put a bright light exactly where Google (and Apple, Facebook, and Amazon) do not want it.

Why do these giants want your health data? It’s all about where it can be used and sold. For instance, it can be used in research studies. It can be sold for use in EHR integration. But their services and predictive data are ‘where it’s at’. With enough accumulated data on both your health records and personal life (e.g. not enough exercise, food consumption), their AI and machine learning modeling can predict your health progression (or deterioration), along with probable diagnosis, outcomes, treatment options, and your cost curve. Advertising clicks and merchandising products (baby monitors, PERS, exercise equipment) are only the beginning–health systems and insurers are the main chance. In a worst-case and misuse scenario, the data modeling can make you look like a liability to an employer or an insurer, making you both unemployable and expensively/uninsurable in a private insurance system.

In Google’s latest, their Project Nightingale business associate agreement (BAA) with Ascension Health, permissible under HIPAA, apparently allowed them to access in the initial phase at least 10 million identified health records, which were transmitted to Google without patient or physician consent or knowledge, including lab results, diagnoses, hospital records, patient names and dates of birth. This transfer and the Google agreement were announced by Ascension on 11 November. Ultimately, 50 million records are planned to be transferred from Ascension in 21 states. According to a whistleblower on the project quoted in The Guardian, there are real concerns about individuals handling identified data, the depth of the records, how it’s being handled, and how Google will be using the data. Ascension doesn’t seem to share that concern, stating that their goal is to “optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care” which is a bit of word salad that leads right to Google’s Cloud and G Suite capabilities.

This was enough to kick off an inquiry by Health and Human Services (HHS). A spokesperson confirmed to Healthcare Dive that “HHS’ Office of Civil Rights is opening an investigation into ‘Project Nightingale.’ The agency ‘would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA,’ OCR Director Roger Severino said in an emailed statement.”

Project Nightingale cannot help but aggravate existing antitrust concerns by Congress and state attorneys general on these companies and their safeguards on privacy. An example is the pushback around Google’s $2.1 bn acquisition of Fitbit, which one observer dubbed ‘extraordinary’ given Fitbit’s recent business challenges, and data analytics company Looker. DOJ’s antitrust division has been looking into how Google’s personalized advertising transactions work and increasingly there are calls from both ends of the US political spectrum to ‘break them up.’ Yahoo News

Google and Ascension Health may very well be the ‘bridge too far’ that curbs the relentless and largely hidden appetite for personal information by Google, Amazon, Apple, and Facebook that is making their very consumers very, very nervous. Transparency, which seems to be a theme in many of these articles, isn’t a solution. Scrutiny, oversight with teeth, and restrictions are.

Also STAT News, The Verge on Google’s real ambitions in healthcare, and a tart take on Google’s recent lack of success with acquisitions in ZDNet, ‘Why everything Google touches turns to garbage’. Healthcare IT News tries to be reassuring, but the devil may be in Google’s tools not being compliant with HIPAA standards. Further down in the article, Readers will see that HIPAA states that the agreement covers access to the PHI of the covered entity (Ascension) only to have it carry out its healthcare functions, not for the business associate’s (Google’s) independent use or purposes.

What’s up with Amazon in healthcare? Follow the money. (updated)

Amazon is the Scary Monster of the healthcare space, a veritable Godzilla unleashed in Tokyo, if one listens to the many rumors, placed and otherwise, picked up in mainstream media which then are seized on by our healthcare compatriots.

According to CNBC’s breathless reporting, they have set up a skunk works HQ’d in Seattle. When they posted job listings, they were under keyword “a1.492” or as “The Amazon Grand Challenge a.k.a. ‘Special Projects’ team.” In late July, these ads for people like a UX Design Manager and a machine learning director with experience in healthcare IT and analytics plus a knowledge of electronic medical records were deleted. Amazon has separate initiatives on selling pharmaceuticals and building health applications to be compatible with Echo/Alexa and other smart home tech. Both have come up in the context of the CVS-Aetna merger: buying up state pharmacy licenses cannot be kept secret (see end of our 8 Dec article), and efforts to extend Alexa and Echo’s capabilities aren’t particularly secret.

A quick look at Bezos Expeditions, Amazon supremo Jeff Bezos’ personal fund, on Crunchbase reveals several healthcare investments, such as GRAIL (cancer), Unity Biotechnology (aging), Rethink Robotics, and Juno Therapeutics (cancer). Not really things easy to sell on Amazon.

Last week, Amazon reportedly hired Dr. Martin Levine, who ran the Seattle-based clinics of integrated primary health provider Iora Health, according to CNBC and Becker’s. They met with Iora, Kaiser, and the now-defunct Qliance about a year ago on innovative healthcare models. More breathless reporting: they are hiring a “HIPAA compliance lead.”

What does this all mean? It may be more–or less–than what the speculation is. Here are some options as this Editor sees them:

  • Alexa and Echo are data collectors as well as assistants–information that has monetary value to healthcare providers and pharma. To this Editor, this is the most likely and soonest option–the monetization of this data and the delivery of third-party services as well as monitoring.
  • Amazon now employs a lot of people. It is large enough to create its own self-funded health system. It’s already had major problems in the UK, Italy, and even in the US with healthcare and working conditions in its warehouses. Whole Foods’ non-union workers are prime for unionization since the acquisition (and also if, as rumored, robots and automation start replacing people).
  • A self-funded health system may also be plausible to sell  (more…)