Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated, “We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in May 2021 using the Darkside ransomware, an attack that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More from these reports, according to SC Media:

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one and five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated: PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. These include a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. It is a needed change for medical devices and one long expected by manufacturers. SC Media

Mid-week roundup: Teladoc gets BetterHelp to boost Q4 ’22 revenue; fundings for Array, Paytient, Telesair, three others; layoffs hit at Alphabet’s Verily, Cue Health

Teladoc may finish 2022 better than expected, at least in revenue. At the JPMorgan (JPM) annual healthcare conference, CEO Jason Gorevic shared a revised but still preliminary projection that Q4 would finish up a tick higher than expected–between $633 million and $640 million in revenue, versus their projection during Q3 that the low side would be $625 million. FY2022 revenue was updated to be in the $2.403 billion to $2.41 billion range. The big contributor? Their mental health app BetterHelp. Their growth, according to Mr. Gorevic, is “staggering”. Silicon Valley Bank (SVB) analyst Stephanie Davis calculated a growth rate of 43% for the business, up from previous management targets. Teladoc’s optimism is tempered by the no/slow growth economy projected for this year, both direct to consumer and corporate. To help boost the latter, it is launching a new app giving health plan members and company employees access to all of Teladoc’s clinical programs. Healthcare Dive, Becker’s

Despite the uncertain economy, funding continues in various rounds, especially in still-hot areas such as remote/virtual behavioral therapy and payments, but nowhere near the bubbly level of 2021:

CVS Health’s open piggybank helped to fund NJ-based Array Behavioral Care’s $25 million Series C. Other investors included HLM Venture Partners, OSF Healthcare System, Wells Fargo, and three others. Array will use the funds to scale its virtual behavioral therapy platform.  Mobihealthnews, Crunchbase

In that interesting area called healthcare fintech, the cleverly-named Paytient now has an additional $40.5 million in Series B funding, bringing their total to $63 million. Paytient provides corporate employees, health plan members, and health system patients with a card-based Health Payment Account (HPA) that includes a line of credit. Release, Mobihealthnews 

In hospital-to-home respiratory care, still-in-stealth Telesair raised $22 million in Series A funding, led by Pasaca Capital with participation from existing and new investors such as Honeywell Investors, ZhenCheng Capital, Shangbay Capital plus three others. According to the release, funding will be used for the commercialization of the Bonhawa Respiratory Humidifier for use in the ICU and the development of a second-generation, revolutionary product for hospital-to-home. Mobihealthnews

Also highlighted in Mobihealthnews’ article is a $10 million Series B for ModifyHealth, which delivers prepared, medically tailored meals and provides advice from dieticians. ModifyHealth provides certified low FODMAP meals for those with irritable bowel syndrome or small intestinal bacterial overgrowth (SIBO), as well as Mediterranean, low-sodium, and gluten-free (celiac disease) diet meals.

Censinet, a developer of healthcare cybersecurity software, also landed $9 million in a funding round led by MemorialCare Innovation Fund, Rex Health Ventures, and Ballad Ventures plus five others for a total of over $22 million. Release

CARI Health, a San Diego startup developing a wearable sensor for medication management, gained $2.3 million in seed funding from the San Diego Angel Conference plus four other funds. Release

The pace of layoffs may have slowed, but the numbers have not.

Alphabet’s Verily health tech development unit is discharging 15% of current staff, estimated at 240 people. This is part of a reorganization designed to move to financial independence from Alphabet/Google. It’s categorized among Google units as ‘Other Bets’, which is appropriate given that so far, their bets haven’t hit any jackpots. An example we covered back in 2015-16 was a glucose monitoring contact lens developed with Alcon, an on-the-face-of-it Preposterous Idea that died about that time. Current discontinued areas include remote patient monitoring for heart failure and micro needles for drug delivery. Employees were told to leave the office for the remainder of the week; further information including separation would be sent to them via email. Since 2017, it has raised over $2 billion. You wonder where it went. CNBC

Cue Health, a home diagnostics company, is cutting 388 employees, about 26% of its workforce, effective March. This is in addition to a 170-person manufacturing worker layoff during the summer. Cue bet heavily on growth of its at-home molecular Covid testing packs sold direct on a membership plan [TTA 12 Nov 2021], plus to pharmacies and to businesses. It expanded from about 100 workers in 2020 to more than 1,500. That growth has cratered along with the entire testing market for a pandemic that is no longer there. According to Mobihealthnews, they have submitted to the FDA for new tests such as an EUA for a combination flu and COVID-19 diagnostic as well as de novo clearances for its flu and COVID-19 standalone tests.

 

News roundup: cybersecurity benchmarking study, Tyto Care’s Home Smart Clinic, Long Island’s $2.6B life sciences hub, Singapore’s Speedoc raises $28M, NantHealth’s sinking feeling, Hims & Hers revenue up 95%

Censinet, the American Hospital Association (AHA), and KLAS Research announced a benchmarking study on health system cybersecurity at industry confab CHIME22 Fall Forum. According to the release, the study, currently enrolling hospital and health system participants, will enable a comparison of cybersecurity investments, resources, performance, and maturity to peer organizations across key operational cyber metrics. It will also cover NIST Cybersecurity Framework (NIST CSF) and Health Industry Cybersecurity Practices (HICP). Censinet provides healthcare risk management solutions, consolidating enterprise risk management and operations capabilities. Hat tip to HISTalk 9 Nov.

TytoCare’s latest is the rollout of the Home Smart Clinic, a platform that combines TytoCare’s FDA-cleared handheld for remote physical exams; Tyto Insights, their AI-powered diagnostic support that aids diagnosis in remote physical exams; Tyto Engagement Labs, a suite of user engagement services including behavioral science-backed blueprints, consulting services, and marketing tailored to each specific program and cohort; and support for multiple provider models and different patient populations. The new platform is targeted to health plans and providers. Release (Yahoo)

Long Island NY’s proposed Midway Crossing project, creating a life sciences hub in quaintly named Ronkonkoma, would cost about $2.55 billion, but create an estimated 4,300 science, technology, engineering, and healthcare positions. They’d also be lucrative, with salaries mostly well over $100,000 a year. The proposal was authored (sic) by Michael Dowling, president of Northwell Health, and James Hayward, PhD, president and CEO of Applied DNA Sciences, and appeared in Newsday (paywalled). Its 179 acres would include a STEM educational center, research labs, biotech manufacturing facilities, health care offices, a hotel and convention center plus connect to the LIRR and Long Island-MacArthur airport. While approved by local authorities, it now needs funding. Becker’s

Traveling to the far Pacific…Speedoc, a home health company based in Singapore, raised $28 million. Speedoc offers app-based video consults and home visits, non-emergency ambulance transport, and remote monitoring for several chronic conditions. It is available in nine cities in Singapore and Malaysia. According to Mobihealthnews, it is also one of the technology partners for the two-year pilot of the Mobile Inpatient Care@Home initiative by the Ministry of Health’s Office for Healthcare Transformation. The pre-Series B funding round was led by its new investors Bertelsmann Investments, Shinhan Venture Investment, and Mars Growth. Vertex Ventures Southeast Asia & India, which led its $5 million Series A funding round in 2020, also participated.

Our Readers with very long memories will remember that transformative health darling, NantHealth. This Patrick Soon-Shiong NantWorks company, originally in genetic sequencing for cancer research, was caught in flagrante in a ‘pay to play’ scheme with the University of Utah funding NantHealth and providing data that would prove useful to other Soon-Shiong companies [TTA 18 April 2017]. It’s long since pivoted to payer/provider data solutions (NaviNet). What’s not improved is their bottom line. It lost $13.7 million, or $0.12 cents per share, increasing its loss by 26% from 3Q 2021. Shares on NasdaqGS are trading at $0.31. Yahoo!Finance/SimplyWallSt. Another tip of the cap to HISTalk 9 Nov.

And who said all of telehealth is suffering? Online direct-to-consumer marketer Hims & Hers posted a third consecutive $100 million+ quarter in revenue. Their Q3 revenue was up 95% versus Q3 last year, reaching $144.8 million. They also gained 70,000 new online subscribers for a total of 991,000, up 80% year over year. Q4 guidance is up to $159 million to $162 million, with a full-year revenue forecast of $519 million to $522 million. And yes–they’re profitable. Their embarrassing TV spots notwithstanding, they seem to have found The Magic Formula. FierceHealthcare