News roundup 16 Oct: Walgreens shuts 1,200 stores–500 in ’25, CVS exiting core infusion biz, Masimo v. Apple update, DEA recommends 3rd telehealth extension, Change hack costing UHG $705M, Owlet back in NYSE compliance

A roundup of chickens coming home to roost? But some chickens are just happy to come home.

Walgreens’ Mound of Misery just grew a little higher. The headlines today were all about Walgreens’ closing 1,200 stores over the next three years. Their current store location roster is about 9,000, according to their website. 500 of these will be closed during their upcoming FY2025.  Their release stated this would be “immediately accretive to adjusted EPS and free cash flow”. (Were they making any money at all?) This helped to give their share price a nice bump from $9 to above $10 at market close today. Last year, Walgreens’ shares were priced above $22.

Q4 (closing 31 August) closed with a 6% boost in retail sales. However, losses were $3.0 billion versus a net loss of $180 million in the prior year’s Q4. The reasons cited in their release were a higher operating loss, a $2.3 billion non-cash charge for valuation allowance on deferred tax assets primarily related to opioid liabilities recognized in prior periods, and a non-cash impairment charge related to equity investment in China. The operating loss related to a non-cash goodwill impairment charge for CareCentrix. 

The full year was not cheery. Sales were $147.7 billion, an increase of 6.2% from a year ago (in constant currency, 5.7%). But losses in their FY2024 were $14.1 billion, a stunning increase of 104.5% compared to prior year.

VillageMD is being monetized along with other assets. “CEO Tim Wentworth said in the earnings call that the company is focused on “monetizing non-core assets to generate cash,” naming VillageMD as an example, to focus on its core retail pharmacy business.” HIStalk 16 Oct Can Walgreens shrink itself to profitability? Fierce Healthcare

Over at CVS, they’re doing their own shrinking. CVS is closing its core infusion services business, with plans to either close or sell 29 related regional pharmacies. Infusion services were bought from Coram LLC in 2013 for $2.1 billion. This Reuters exclusive was based on an 8 October memo and confirmed by a CVS press representative. Patients relying on antibiotics, drugs supporting muscular health, and intravenous nutrition services will be transferred to other providers. CVS will continue to provide certain services: specialty medications and enteral nutrition, or tube feeding, at pharmacies in Minnesota, Pennsylvania and San Diego, with nationwide nursing services. Hat tip to HIStalk 16 Oct.

Masimo wins one big patent challenge, loses one (or four), to Apple. 

The Win: Apple had sued Masimo in the US District Court of Delaware for patent infringement of Apple’s utility patent 10,942,491 B2 (“the ‘491 patent”). Masimo was charged as violating Apple’s patent on 19 features. Masimo appealed to the Patent Trial and Appeal Board (PTAB) of the US Patent and Trademark Office (USPTO) for an inter partes review (IPR) of the patent on the grounds of ‘unpatentability’, a very high proof. Masimo succeeded in this, rendering Apple’s ‘491 patent useless. Apple can appeal but the likelihood of success against the PTAB ruling that required three administrative patent judges to review, at this level of proof, is low. In this Editor’s view, this may spur other developers to come up with innovations now that these 19 features have been deemed unpatentable.

The Loss (I think): In review in the Delaware District Court are four complicated lawsuits between the two combatants, with Apple’s premise that Masimo has infringed upon other patents. Masimo alleged “inequitable conduct” by Apple in their patent filings with the PTO, essentially alleging fraudulent filings on multiple patents. Apple has been granted a summary judgment on Masimo’s claims, throwing them out.

Interestingly, Masimo–never shy to announce wins versus their foe Apple under the prior leadership of Joe Kiani–has remained strangely mum. (Perhaps everyone is waiting for the takeover dust to settle?) Will the ‘new’ Masimo be so combative against Apple? A far more detailed analysis for the patent mavens is in Strata-gee. A very large hat tip and bow to their editor, Ted Green, who writes about marketing primarily in the audio/visual business but has been 100% on top of The Masimo Saga–thank you!

To no one’s surprise, DEA kicks the telehealth waiver can down the road–for the third time. The Drug Enforcement Administration (DEA) sent to the White House’s Office of Management and Budget (OMB) a proposed rule to extend telehealth prescribing of Schedule II and higher controlled substances without changes. These waivers which removed the in-person examination requirement under the Ryan-Haight Act were instituted during the Covid pandemic and extended twice [TTA 11 Oct 2311 May 23] with a final expiration of 31 December 2024. In September, reports indicated that DEA not only wanted to restore prior restrictions but also wished to introduce additional ones. However, their timing (September!) given Federal standards of publishing draft rules and lengthy comment periods before a final rule was impossible to be achieved by year’s end. [TTA 13 Sept]

Whether OMB will approve the extension (to a date that cannot be confirmed since the text is unavailable, but reportedly one year) is not certain, as it may be disputed by the Department of Health and Human Services (HHS). Since the waiver is due to expire at the end of the year, this may help to assure the multitude of mental health and other telehealth companies dependent on legal remote diagnosis and prescribing controlled substances that their businesses can continue. FierceHealthcare

UHG didn’t have a happy quarter either due to Change. The total hit to UnitedHealth Group of the Change Healthcare hack is now estimated at $705 million, or 75 cents a share. Their 2025 guidance on profit is a lackluster $30 per share–below Wall Street estimates of $31.18. Government plans’ cuts in payments for Medicare Advantage plus and low state payment rates for Medicaid are affecting UHG as well as nearly every other payer. UHG’s share price on the news reacted negatively, falling 9% and dragging down other payers as well. UHG must rue the day they bought Change Healthcare, as it has been largely bad news ever since. CNBC

And winding up on a happy note–Owlet is back in good graces with the NYSE. Last year, they faced a NYSE notification that they were out of compliance with the $50 million minimum valuation of the company over a consecutive 30-day trading day period. They are now in compliance and their Class A shares can trade without the ‘BC’ black mark and no longer be listed as such on the NYSE website. The NYSE will be following its standard procedure of a 12-month follow-up on compliance. Release, Mobihealthnews

The baby sock and baby monitoring company has had a rough couple of years between a cracked SPAC (2021), FDA notifying them at the end of 2021 that they considered the Smart Sock a medical device, forcing the company to pull it from distribution [TTA 4 Dec 21], mounting losses, layoffs, and rebuilding with an FDA-cleared BabySat and enhanced Dream Sock [TTA 21 June 23]. Usually, this concatenation of events means the company either shuts or sells, but Owlet has done neither and bootstrapped itself. Revenue in their Q2 ending 30 June was up 58% year over year with a narrower operating loss of $2.2 million, compared with $6.7 million in prior year. It recently expanded their European distribution of the Dream Sock after CE Mark certification in May to a total of 11 countries [TTA 18 Sep]. 

Short takes: both Clover and Oscar in the black; Aetna prez booted after 11 months; Ava-VSee bedside robot; updates on Change, OneBlood ransomware, Masimo proxy fight

Clover Health’s milestone–a first-ever profitable operating quarter. Not only that, but it was an impressive turnaround from the prior year. With results in their Q2 operating net income of $7.2 million, versus a $28.9 million loss in 2023, these results were far more favorable directionally than the adjusted EBITDA which was $36.2 million versus $9.9 million for the prior year. Insurance revenue was also up 11% to $349.9 million, attributed to member retention and an improved medical cost ratio (MCR) of 71.3%, down from 77.9% in the prior year. Additional revenue from other operations, such as the recently introduced Assistant AI, is minimal. The 2024 forecast stays ‘in the clover’ with raised forecast revenue of $1.35 to $1.375 billion and adjusted EBITDA of $50 million to $65 million. Also helpful is their lifted Star rating from 3 to 3.5 for 2025. FierceHealthcare, Clover earnings release

Rival Oscar Health also stayed Back in Black for the second quarter running–CEO Bertolini wouldn’t have it any other way (or else–see below right). Q2 net income rose to $56.2 million which was a a $71.7 million improvement versus prior year. Adjusted EBITDA also nicely improved to $104.1 million, a $68.6 million improvement. Revenue increased to $2.2 billion, a 46% increase over the prior year. Their MCR went down .9 points. The overall forecast for the year wasn’t provided. Membership was up over 600,000 in their main business of individual and small group insurance, with Bertolini pointing out that this was powered by plan growth in 80% of the states where they operate. Oscar exited Medicare Advantage at the end of 2023, and is shifting to marketing ICHRA, or individual coverage health reimbursement arrangements that permit small businesses to offer employees individual health plans subsidized by employer contributions. After this year, the 58,000 members left in the unprofitable Cigna co-branded small group program will exit [TTA 10 May]. Oscar release, FierceHealthcare

Back in Mr. Bertolini’s old stand, Aetna, results weren’t so cheerful–and their president walked the plank after less than one year. The reorganization announcement was made on the earnings call yesterday, effective immediately. CVS Health CEO Karen Lynch will oversee the daily operations of the health benefits segment along with Aetna’s CFO. CVS VP/chief strategy officer Katerina Guerraz will move over to become Aetna’s chief operating officer.

What initiated it: while health benefits’ revenue stayed in the black, going the wrong way were operating income decreasing 39.1%, the medical benefits ratio (MBR) soaring to 90% from 86% in prior year and the medical loss ratio (MLR) going up to 89.6% from 86.2%. These were attributed to increased utilization, the decline in Medicare Advantage Star ratings, Medicaid acuity, and a revised risk adjustment in the individual exchange business. Something in this immediately doomed now former president Brian Kane, who joined only last September. His last post was at Humana as chief financial officer and leader of their primary care business. CVS Health release, FierceHealthcare, Healthcare Finance

Marrying robots with telemedicine, VSee is partnering with Ava Robotics to create an autonomous robot for telepresence use in hospital intensive care units. This would enable remote emergency physicians to be present at the point of patient care, interact with patients, consult with onsite staff and make treatment decisions. The projected market is smaller regional hospitals and ICUs.  VSee already markets telemedicine carts and portable diagnostic and home care kits. Availability is not disclosed. VSee release, Mobihealthnews

VSee also announced a partnership with Wichita, Kansas community health provider Stand Together for its Aimee telehealth services. Telehealth at their centers will be available to participants for a monthly charge of $4.99 or a single virtual urgent care appointment for $9.99. VSee release

Ransomware strikes again. Non-profit blood donation organization OneBlood was hit on 29 July by a despicable ransomware attack that disabled much of its blood collection services for over 250 hospitals in the southeastern US. They continued to operate at reduced capacity and called for donors of O positive blood, O negative blood and platelet donations. The perpetrator, ransom demands, and breached information were not disclosed. On Monday 5 August, systems were partially restored in time for Tropical Storm Debby’s assault on many southeastern states. From a OneBlood spokesperson: “Our critical software systems have cleared reverification and are operating in a reduced capacity. As we begin to transition back to an automated production environment, manual labeling of blood products will continue. Additionally, we are beginning to return to using our electronic registration process for donors.” DataBreaches.net, FierceHealthcare, HealthcareITNews

Hard-hit Change Healthcare is still playing games with reporting to HHS’ Office of Civil Rights (OCR). Parent UnitedHealth Group reported the ransomware shutdown and data breach to OCR, a full five months after its occurrence. The number reported is the OCR minimum of 500, when it is well known that it affected millions of patients. UHG started direct patient notification on 31 July after weeks of delay, but stated to OCR that they are still determining the number of individuals affected. Provider notifications started in late June [TTA 21 June]. This followed after a hostile dispute earlier that month where UHG tried to push patient notifications onto providers, which HHS decided was 100% UHG’s responsibility. [TTA 5 June]. OCR FAQ update, HealthcareITNews

Masimo and activist shareholder Politan Capital continue to slug it out down to the 19 September shareholders meeting. Back in mid-July, Masimo postponed the meeting, originally scheduled for 25 July. At that time, Masimo filed a complaint in the US District Court for the Central District of California against the two Politan representatives on their board of directors plus Politan’s two nominees that proxy materials contained false statements and violations of the Exchange Act. The suit added that board member Quentin Koffey, also Politan’s chief investment officer, was secretly conspiring with a plaintiffs’ bar law firm currently in litigation with Masimo.

The latest revelation per Strata-gee 7 August: Politan’s countersuit in the Delaware Court of Chancery states that the charges filed by Masimo in the District Court are based on ‘unnamed sources received from a third-party opposition research firm…’ and Masimo’s outside counsel does not know the identity nor ever spoke to the sources. This was filed against CEO Joe Kiani, independent director Craig Reynolds, and director Bob Chapek as a breach of Delaware law.

To date, Masimo has not confirmed their sources to the Delaware court. 

As previously reported [TTA 17 July], the proxy fight was triggered by the value of the company, reduced substantially after Masimo’s snakebit 2022 acquisition of Sound United’s consumer audio brands, Politan’s move to control the company, and kick out the CEO Joe Kiani.  The fight on the Masimo board of directors for two open seats pits the Masimo slate of CEO Joe Kiani and outside candidate Christopher Chavez, against Politan’s Darlene Solomon and William Jellison. Politan already holds two seats and with a win of two additional seats will control the company. Masimo plans to sell the consumer audio and healthcare (baby monitoring) businesses to another unnamed investor, retaining their professional healthcare and pulse oximetry products.

Stay tuned to the next episode of this soap opera.

Class action legal action by pharmacists, providers ramps up against Change Healthcare/UnitedHealth Group

More litigants in a legal pile-on in Minnesota. The National Community Pharmacists Association (NCPA), with 19,000 pharmacy members, and around 40 providers have filed suit against UnitedHealth Group, Optum, and Change Healthcare in the US District Court for the District of Minnesota. The 140-page document charges that UHG/Optum/Change had substandard network security in their clearinghouse operations, leading to the Blackcat/ALPHV breach, and that the plaintiffs might have chosen another clearinghouse and revenue cycle management platform had they known this. The pharmacists and providers all suffered monetary damages from the outage that are still unresolved.

From the press statement, NCPA CEO B. Douglas Hoey: “NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies. Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy. The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.” He also pointed to the pharmacies’ losses remaining unpaid, financial losses, and taking losses for vulnerable patients with high-cost prescriptions.

According to Healthcare Dive, the multiple lawsuits against UHG must be centrally filed in Minnesota, as ordered by a Federal judicial panel, since UHG is headquartered there. Nothing will move quickly, as class action suits typically take two or more years to be heard and then appealed.

Change started its HHS-OCR mandated process of notifications around 20 June with hospitals, insurers, and other customers. Individuals and practices were not scheduled to be notified until late July but no date has been announced. The Change website also contains a very carefully worded ‘HIPAA Substitute Notice’ that reads like a consumer data breach notification. TTA 21 June

News roundup: UHG’s cyberattack hit now $2.3B, Senate bill on cyberattacks intro’d, VA’s AI tech sprint awards, AliveCor’s new CPT codes

UHG reported earnings, profit reduced by $1 billion due to Change Healthcare cyberattack costs. On Tuesday 16 July UnitedHealth Group reported Q2 (ending 30 June) earnings of $98.9 billion, up $6 billion or 7% versus Q2 last year. Profit though didn’t move the same way, instead taking a hit at $7.9 billion, down from last year’s $8.1 billion. Despite strong performances in the UnitedHealthcare and Optum units, the drag from the Change Healthcare cyberattack is now estimated at an additional $1 billion from last quarter’s guesstimate, now at $2.3 billion. Also affecting the profit bottom line is inflating healthcare costs that are reflected in rising medical loss ratios (MLRs). Change is also obliged to do the patient notification which will start by the end of this month [TTA 21 June], having already started notifications of hospitals, providers, insurers, and other customers. Release, Healthcare Dive

But hey, now the Senate has a bill to coordinate agencies with the purpose of reducing those darn cyberattacks. The Healthcare Cybersecurity Act, sponsored by Senators Jacky Rosen (D-Nev.), Todd Young (R-Ind.), and Angus King (I-Me.), would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity. One important change would be creating an HHS liaison within CISA to coordinate incident response specifically for healthcare entities. An earlier version introduced by Sen. Rosen in 2022, S. 3904 (117th Congress), never made it into committee.  Sen. Jacky Rosen release, Healthcare Finance   But aren’t there other agencies involved in cyberattacks and ransomware like the FBI and the Department of Justice? And international agencies like the NCA and Europol since so many come from the darker parts of Europe and Asia? (The devil’s in the details…)

The Department of Veterans Affairs (VA) is taking a modest dip into the AI ocean. The award late last week of pilots for an AI-assisted healthcare dictation tool went to Abridge AI and Nuance Communications. The non-competitive, fixed-price contracts are as a result of the two companies winning the first track of the VA’s AI Tech Sprint which launched last October. The tools are designed to generate transcriptions from ambient recordings of patient encounters within specialty care, mental health care, and primary care settings, as well as integrating into the Oracle Cerner EHR. The notice does not specify start or end date. There is also a second sprint around developing an AI system to process documents generated in patient-provider encounters and other complex medical documents for continuity of care and sharing information with VA providers. FedScoop

AliveCor received CPT codes applicable to the company’s Kardia 12L ECG System. The Category III Current Procedural Terminology (CPT) codes are assigned by the American Medical Association (AMA).  The 12-lead system a few weeks ago gained FDA clearance for the combination of the Kardia 12L ECG System (left), a single cable with five electrodes that acquires 8 high-quality diagnostic bandwidth leads, with their KAI 12L AI-assisted diagnostic technology for clinician use only. The three new codes will be effective 1 January 2025 and will be published in the 2025 CPT Code book. Release

Week-end short takes: Change Healthcare/UHG breach notification starting (updated); fundings for Pomelo Care, Marigold Health, Humata Health

Change Healthcare finally starting notifications, but not yet to consumers. A press statement today from Change/UnitedHealth Group confirmed that the long process of notifications has started with hospitals, insurers, and other customers. Individuals and practices will not be notified until late July. Change confirmed that the Blackcat/ALPHV cyberattack exposed names, addresses, health insurance information, and personal information like Social Security numbers, but at the individual level investigation isn’t finalized. At this point, they have reviewed over 90% of impacted files and have not seen signs that doctors’ charts or full medical histories were taken. Technically, UHG has made the 21 June deadline stated in the Hassan/Blackburn Senate letter [TTA 19 June] but not within the 60-day HHS-OCR window, which opens them up to an HHS fine. After paying a cyberransom of $22 million in bitcoin and uncounted (to us) millions in rebuilding systems, HHS’ fine may look like the lesser cost of doing business. The Change website also contains a very carefully worded ‘HIPAA Substitute Notice’ that reads like a consumer data breach notification. AP via Yahoo! News UK   One wonders if there’s a fair amount of ‘buyer’s regret’ going on at UHG in fighting so hard to buy Change. Due diligence would have helped over that year-plus.

Update: The Centers for Medicare & Medicaid Services (CMS) announced earlier this week that the provider financial assistance program will be ending 12 July as billing activities have largely resumed. It has advanced over $2.55 billion in payments to Medicare Part A providers and $717.2 million to Part B providers. FierceHealthcare

Fundings this week:

Virtual maternity support platform Pomelo Care scored $46 million in Series B funding. Lead investors are Andreessen Horowitz (a16z) and First Round Capital with participation from Stripes, BoxGroup, Operator Partners, and SV Angel. Pomelo’s markets for virtual fertility, pregnancy and newborn care from preconception through a baby’s first year services are employers, health plans and providers. The company claims 3 million covered lives across 46 states through their commercial and Medicaid health plan partners. Release, Mobihealthnews

Telemental health provider Marigold Health now has an $11 million Series A. Marigold is structured as an anonymous social network where people with mental health and substance use conditions provide peer-based support. Lead investors for the Series A are Rock Health and Innospark Ventures. Additional participants are the Commonwealth Care Alliance (CCA), Wavemaker360, Stand Together Ventures Lab, Epsilon Health Investors, Koa Labs, VNS Health Plan and KdT Ventures. Their substance use disorder (SUD) programs are currently available to 25,000 members in Delaware, Rhode Island, and Massachusetts. The new funding will be used for expansion to at least four additional states by the end of 2025. Release (Marketwatch), Mobihealthnews

Humata Health, which has developed AI-based technology to automate prior authorizations for payers and providers, closed an unlettered $25 million funding round. Lead investors are Blue Venture Fund (representing the majority of BCBS plans) and LRVHealth (representing nearly 30 health systems and payers), with participation from Optum Ventures, .406 Ventures, Highmark Ventures, and VentureforGood. The funding will be used to broaden its generative AI technologies, expand their provider base, and begin to partner with payers and delegated entities. Humata bought the base prior authorization technology from Olive AI out of its bankruptcy [TTA 31 Oct 2023]. Its founding chairman and CEO is Jeremy Friese, MD, who had been Olive AI’s president for their payer business after selling Verata Health, also in the prior authorization automation area, to Olive.  Release, FierceHealthcare

News roundup: VA extends Oracle Cerner for 11 months; Amwell founders swap jobs; Alphabet’s Verily pivots to Lightpath with GLP-1, retiring Onduo; UnitedHealth hasn’t notified on Change breach

To no one’s surprise, the Department of Veterans Affairs (VA) extended its contract with Oracle Cerner for another 11 months. This is per the new contract relationship that started last year, resetting from the original five-year contract that started in 2018 to five one-year terms, with mandatory annual reviews and renewals [TTA 18 May 2023]. Technically, the contract expired in May but VA extended it for one month as discussions continued over the next one-year term. This second option period expiring May 2025, according to the VA release, is focused on the following for the EHR modernization (EHRM):

  • Supporting the existing six facilities with the Oracle Cerner EHR
  • Achieving the goals of the reset and driving towards future deployments
  • Increased accountability across a variety of key areas, including minimizing outages and incidents, resolving clinician requests, improving interoperability with other health care systems, and increasing interoperability with other applications to ensure an integrated health care experience
  • Supporting value-added services, such as system improvements and optimizations
  • Achieving better predictability in hosting, deployment, and sustainment
  • Fiscal responsibility 

The plan is to resume site deployments in FY 2025, likely in year 2025, after reset goals are met. Seema Verma, Oracle Health’s new executive vice president and general manager, said that “VA’s intent to resume deployments in the next fiscal year is a significant milestone that reflects the hard work our collective teams have done to improve the system today, as well as confidence in our shared ability to continually evolve the EHR over time to meet the needs of both practitioners and patients.” NextGov/FCW, FierceHealthcare, Healthcare Dive, Oracle release

Is there much choice for the VA in the matter? Not really. VistA can be updated but remains non-interoperable with the Military Health System’s (MHS) Cerner-Leidos EHR. But can Oracle Cerner be fixed up and debugged to work for VA’s vastly different needs and smoothly deployed within the contract duration? That jury is still out in the view of the VA and Congress.

The Brothers Schoenberg swap positions at Amwell. Roy Schoenberg, MD, MPH, will transition immediately from his role as president and co-CEO to move to executive vice chairman of Amwell’s board of directors. Ido Schoenberg, MD, will become the sole CEO. The brothers co-founded the company in 2006. Ido’s quote closing the release is interesting in demonstrating the shift from investment without profits to getting on the path to profitability:  “This transition represents a natural evolution for our company as we shift from a period of intense R&D investment to an operational focus aimed at achieving greater efficiencies, optimizing cash flow and delivering profitable growth while maintaining our dedication to enabling our clients’ aspirations.” Roy is credited with developing Converge which is their next-generation integrated platform. If Teladoc is finding it difficult to transition from the stand-alone, transactional, urgent care service they and Amwell pioneered, into an evolved market that has incorporated virtual capabilities into multiple types of care models, whither Amwell’s future? More thoughts in TTA 2 May, 9 April

Alphabet (Google)’s once-visionary Verily now jumps on the GLP-1 bandwagon with Lightpath. Verily’s latest pivot to the highly trendy weight loss area is termed as a metabolic solution as part of a “personalized chronic care solution for health plans and members”.  Lightpath will start as Lightpath Metabolic, a four-part program that includes Metabolic Intensive (diabetes management), Weight Loss Intensive, Metabolic Improvement, and Metabolic Achievement. The Verily platform integrates data from health records, connected devices, and other care points to deliver “personalized pathways, suggestions, and nudges to health plan members” virtually along with health coaches and an advanced licensed clinical team. The current virtual chronic care management platform, Onduo, will be retired by 2025.

Once upon a time (2021, sigh), Verily was Google’s skunk works for advanced health tech with Google Health being the marketing and merchandising arm for clinical and consumer products. Google Health was broken up in August 2021 and Verily faded into the Alphabet background with the occasional joint venture and clinical pilots, with Onduo being their most marketable product. Google seems to have little direction for Verily other than to keep it alive. And given the competition plus a greater understanding of the long term effects of the GLP-1 drugs in the weight loss area, the GLP bandwagon is up for a shaky ride in the next year. Release, FierceHealthcare

And very strangely, UnitedHealth Group hasn’t notified Health and Human Services’ Office of Civil Rights (HHS-OCR) about the ransomware data breach at Change Healthcare, nor the individuals affected. The notification to OCR is required under HIPAA to be within 60 days of the date of the incident. UHG is over the deadline by two months, calculating from 21 February. CEO Andrew Witty wilted before double-barreled Senate and House hearings in May and UHG lost a fight to put the notifications for the breach onto providers [TTA 5 June]. Senators Margaret Wood Hassan (D-NH) and Marsha Blackburn (R-TN) sent a joint letter on 7 June to Andrew Witty, CEO of UnitedHealth Group, urging him to send a breach notification letter that notifies OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities, individuals and businesses affected, by 21 June. That’s Friday. UHG continues to maintain that they still do not know the extent of the breach. The Medical Group Management Association (MGMA) also sent a letter to Mr. Witty on 12 JuneDon’t hold your breath for UHG sending millions of letters. Becker’s, HealthExec

News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA) said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach which started in late February. Knowing the extent of the breach is needed to start notifications. It has not formally notified HHS of the breach long past the 60-day mandated window (see #3 in the HHS FAQs). This may create an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page that has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take was that threats are more common than ever, bad actors are abundant and getting better (using tools that can make amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code.”), managing weaknesses in third-party vendors that live in the cloud is a Herculean task, phishing, and the need for ‘government’ to be involved. 

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite their struggles with Minute Clinics and Oak Street.  Despite the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100 total plus that CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy cycle revenue and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding for a total of $26 million. Crunchbase, Mobihealthnews

News roundup: 100+ medical orgs pile on Change/UHG; Teladoc hit with second class-action suit; Congress demands Oracle EHR improvement–or else; Transcarent intros WayFinding; Centivo buys Eden Health

The fallout from the Change cyberhack hangs like smog over UHG. On Monday, the American Medical Association (AMA), along with about 100 other signatories from nationwide medical associations including CHIME and AHIMA, sent a strongly worded letter to Health and Human Services Secretary Xavier Becerra. It requested a clear delineation of responsibilities for breach reporting requirements created by the 21 February Change Healthcare ALPHV/Blackcat ransomware attack. Reporting is required by HHS’ Office of Civil Rights (OCR) under HIPAA.

Specifically, the AMA letter requested 1) more public clarity around reporting responsibilities to patients for the data breach and 2) that all reporting and notification responsibilities will be handled by Change Healthcare, not the providers. “OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach”. To date, this doesn’t seem to be OCR’s position.

  • The AMA and signatory organizations maintain that it “is the responsibility of the covered entity which experienced the breach—UHG—to fulfill its obligations in regard to reporting the breach to OCR, notifying each affected individual, as well as any further HIPAA breach reporting requirements that may be applicable, such as notifying state Attorneys General and media outlets.”
  • OCR, on the other hand, has gone on the record in April as stating in their FAQs that “while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary, depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.” (Providers can be considered business associates)

In other words, the providers want the full responsibility of contacting patients, state attorneys general, media, and others (e.g. class action lawyers) to be Change Healthcare’s. They do not want to be forced to contact their patients and, in all fairness, at this point do not know which patients were affected because they are not privy to Change Healthcare’s information. UHG has not yet produced a breach report to OCR. AMA letter to Becerra, Healthcare Finance News

When the stock falls, blame the marketing spend! The latest class-action lawsuit filed against Teladoc blames the company for spending money in digital and other media advertising promoting BetterHelp, their telementalhealth unit. The suit cites Teladoc’s public statements such as a “long runway” for BetterHelp’s membership growth and that spending would be inefficient due to the saturated category. Yet spending increased in 2023. The lawsuit charges that this directly deteriorated the company’s revenue, leading to a substantial fall in its stock price. Charged are Teladoc, and at the time CEO Jason Gorevic and CFO Mala Murthy. Stary v. Teladoc Health, Inc. et al., was filed on May 17 in the US District Court for the Southern District of New York. No response yet from Teladoc. Docket on Justia, Mobihealthnews

The House and Senate Veterans’ Affairs Committees jointly introduce legislation on VA’s EHR modernization. The Senator Elizabeth Dole 21st Century Veterans Healthcare and Benefits Improvement Act would require the Department of Veterans Affairs to exercise even greater oversight of the Oracle Cerner implementation in these areas:

  • The quarterly reports to Congress would include additional quality metrics on user adoption, employee satisfaction, and employee retention/turnover where the Oracle Cerner EHR is introduced. This adds to existing required reporting on spending and performance.
  • Regarding additional rollouts, the VA secretary must certify that the sites are ready. He also must furnish corroborating data to Congress “demonstrating that all facilities currently using the Oracle Cerner EHR system have recovered to normal operational levels.”
  • If there is no improvement (presumably to this standard) at Oracle Cerner locations within two years of the bill’s enactment, the program will be terminated.
  • VA must also report on the status of VistA with details about “the operation and maintenance costs and development and enhancement costs” of the software and “a list of modules, applications or systems” within VistA that VA plans to retire or continue to use. 

HIStalk 17 May, NextGov/FCW

‘Not for sale’ Transcarent introduces an AI-assisted platform, WayFinding. The platform designed for end users of Transcarent’s enterprise health navigator combines generative AI with instant access to care providers to integrate benefits navigation, clinical guidance, and care delivery on a single platform. The personalized guidance enables the member to find a provider, find out costs, and guides to the best clinical action to take next. It then connects them to medical professionals or provides direct access into digital point solutions. It integrates information on details of the employer plan, ancillary benefits, the member’s medical history, and connection to clinical specialists. There is no information in the overly padded release on when the new platform will be available or how it will be offered to existing and new customers. This follows on Transcarent’s $124 million Series D funding two weeks ago.  FierceHealthcare, Mobihealthnews, TTA 8 May

Centivo acquires Eden Health virtual care. The purchase price was not disclosed. Centivo, headquartered in Buffalo NY, is  a health plan for self-funded employers. Eden, also providing services to employers, is a concierge provider that offers through a mobile app primary care, mental health, and care navigation services, plus workplace pop-up clinics. Eden also has technology that connects providers’ EMRs to their app. Eden’s services will be fully integrated into Centivo, which will enable it to expand to 50 states and increase from its current 120 employer base to 160. The combined organizations cover about 2 million eligible patients in companies ranging from Fortune 100 size to small businesses. Eden’s CEO will serve as a senior advisor to Centivo, but there is no other indication of employee transition.  Release, FierceHealthcare

News roundup: UHG CEO’s Bad Day at Capitol Hill; Kaiser’s 13.4M data breach; Walgreens’ stock beatup; Cigna writes off VillageMD; Oracle Cerner shrinks 50%; Owlet BabySat gets Wheel; fundings for Midi, Trovo, Alaffia, Klineo

It was a Bad Day at Boot (Capitol) Hill for UnitedHealth Group’s CEO Andrew Witty. On May Day, he was the Man In The Arena facing two Congressional grillings–the first from the Senate Finance Committee in the morning, and the second in the afternoon from the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. The precipitating event was the Optum/Change Healthcare data breach and system hacking by ALPHV/BlackCat, a disruption which is as of today not fully resolved.  Millions of patients may have had data stolen and exposed–a number that has yet to be determined, but an outcome for which UHG, while paying the ransomwaristes, has prepared. Already, the VA has notified 15 million veterans and families of that possibility.

This Editor will be linking below to multiple articles and Mr. Witty’s prepared testimony. Interested Readers can also refer to YouTube for extensive links to video testimony. Highlights:

  • Both houses criticized the slow response and amount of financial assistance given to providers after the shutdown of Change’s systems prevented (and still is preventing) timely claims processing and payment. While ‘near normal’ volumes of medical claims and 86% restoration of payment processing sounds good, that leaves a lot of wiggle room on over two months of totally disrupted processing and payment. The billion or so cited sounds impressive but much of this is in loans. Most practices and groups simply do not have the financial cushion or billing skillset to bridge this disruption, to pay back loans, or to bookkeep this.
  • Also criticized at this late date was UHG being unable to determine how many individuals had PHI exposed in the breach.
  • As to cause, the description of UHG finding that surprise, surprise, Change’s systems were way out of date, stored on physical servers versus the cloud, and used Citrix remote access without multi-factor authentication (MFA) was utterly savaged. According to Mr. Witty, ALPHV after days of knocking around got in on the one server that did not have MFA authentication.

The blunt fact is that UHG had close to two years (January 2021-Oct 2022) before the buy closed. Due diligence consisting of a full audit had to have been done on Change’s IT systems. They processed what UHG wanted to buy. In this Editor’s estimation, Job #1! for UHG should have been ensuring that Change’s systems were hardened, then upgrading to what Mr. Witty called UnitedHealth’s standards. This Editor will go further. A minimum requirement for the sale should have been security hardening. There was time before the closing.

Senator Thom Tillis, R-North Carolina, had the best riposte. He brought a copy of “Hacking for Dummies” to the hearing, highlighting MFA. I doubt he was much moved by UHG now bringing in cybersecurity company Mandiant to both investigate and harden their systems, nor by UHG having to pay ransom, without knowing whose data was compromised.

  • Beyond the breach, UHG was called ‘monopolistic’ by both Republican and Democrat Members. There were calls to break up UHG as not ‘too big to fail’. UHG has grown by acquisition and consolidation of services. As this Editor has speculated, this is likely coming to an end with the new, much more stringent Merger Guidelines. This sentiment paints a large, unmissable target on UHG’s back for aiming FTC’s and DOJ’s missiles. (DOJ also has a huge score to settle with UHG dating back to the failure to block the Change sale.)

By the end of the day, Mr. Witty looked quite the worse for wear–tie and collar askew, slightly sweaty, versus the perfect poses of the various Members. Becker’s, FierceHealthcare, Axios, HealthcareDive    Mr. Witty’s Senate testimony statement, House testimony statement

Speaking of data breaches, Kaiser Permanente reported a big one to Health and Human Services (HHS). This relates to ad tracker information shared with third-party advertisers such as Google, Microsoft, and X. Kaiser used it in secured areas of their website and mobile apps. Information disclosed could be name and IP. Kaiser reported it on 12 April but only disclosed on 25 April that 13.4 million records may have been affected. The ad trackers have since been removed. TechCrunch, FierceHealthcare 

Walgreens stock not recovering. April was WBA’s worst month in five years and May is no better, with the stock muddling around $17.50. The month slid around 18%. Their 52-week high was $33. As of now, CEO Tim Wentworth’s actions such as closing locations and writing down VillageMD haven’t convinced Mr. Market of WBA’s worth, but in fairness it’s early in his tenure. In the Insult to Injury Department, it was revealed that the IRS is seeking to claw back $2.7 billion in unpaid 2014-2017 taxes. Crain’s Chicago Business

Cigna is also writing down its interest in VillageMD. Almost forgotten is that in late 2022, Cigna invested $2.5 billion into VillageMD. They have now written down $1.8 billion of that ‘low teens’ ownership. The planned tie was connecting Village Medical into Evernorth, Cigna’s medical services area. It was also supposed to provide Cigna with an annual return on investment, but one assumes it did not. The writeoff threw Cigna’s Q1 into the red with a net loss of almost $300 million versus a prior year profit of $1.3 billion, despite a strong quarter that grew revenue 23% versus prior year to $57.3 billion. Healthcare Dive

Oracle Health has been successful–in shrinking Cerner by close to half. Records of employment at Cerner’s Kansas City-based operation have declined from 11,900 people in 2022 (Kansas City Area Development Council) to a current 6,400 (internal documents). Cerner itself reported 12,778 local full-time-equivalent employees in 2022. Oracle had multiple layoffs of Cerner affecting Kansas City workers and has consolidated multiple office buildings and campuses. Becker’s

In more cheerful news:

Baby monitor Owlet announced a strategic partnership with Wheel for Owlet’s BabySat. BabySat is Owlet’s FDA-cleared prescription vital signs monitor for infants 1-18 months. Wheel clinicians can now prescribe BabySat which enables parents to order BabySat from Owlet and other suppliers. With Wheel, BabySat also integrates with durable medical equipment (DME) suppliers who accept and can bill for the product through many insurance providers for partial or full reimbursement. Wheel is a virtual care platform and physician/nurse-practitioner online network available direct to consumer and to enterprises. Owlet release

And rounding up funding:

MidiHealth closed a $60M Series B funding. This was led by Emerson Collective with participation from Memorial Hermann, SemperVirens, Felicis, Icon Ventures, Black Angel Group, Gingerbread Capital, Able Partners, G9, and Operator Collective for a total of $99 million in funding. Midi provides virtual support for women going through peri- and full menopause. The fresh funding will help them expand national insurance coverage, hire and upskill an additional 150 clinicians by end of year, diversify service lines, and scale to care for 1 million+ women per year by 2029. Release

Trovo Health launched with $15 million in seed funding, led by Oak HC/FT. The NYC-based AI-powered provider task assistance platform will use the funding to build its technology platform, clinical operations, and leadership team. Mobihealthnews 

In the same roundup, NYC-based Alaffia Health scored a $10 million Series A round. This was led by FirstMark Capital with participation from Aperture Venture Capital. Alaffia creates generative AI solutions for payment integrity in health insurance claims operations, with the aim of eliminating insurance fraud, waste, and abuse for health plans, third-party administrators, self-insured employers, stop-loss carriers, and government agencies. Their total raise to date is $17.6 million. Paris-based Klineo also raised €2 million for its oncology clinical trials search platforms, assisted by AI, for the use of doctors and patients. BPIFrance and business angels participated in the round.

Midweek news roundup: Optum exiting telehealth, laying off; Advocate Health selling MobileHelp; VA notifying 15M veterans re Change PHI breach, Oracle moving to Nashville–maybe? (updated)

Optum Virtual Care closing, staff layoffs in progress. Optum Everycare CEO Jennifer Phalen on an 18 April internal conference call announced that the unit would close. According to sources, some employees would have layoff dates in July. No further details were available on other layoffs or plans for integrating Virtual Care’s capabilities into other Optum units, except for generalities. “We are com­mit­ted to pro­vid­ing pa­tients with a ro­bust net­work of providers for vir­tu­al ur­gent, pri­ma­ry and spe­cial­ty care op­tions,” and “We con­tin­u­al­ly re­view the ca­pa­bil­i­ties and ser­vices we of­fer to meet the grow­ing and evolv­ing needs of our busi­ness­es and the peo­ple we serve.” a spokesper­son for Unit­ed­Health said to End­points, a biopharma publication from the University of Kansas which broke the story.

For Optum, this is the second shoe drop about layoffs and closures in less than two weeks. Reports from social media and layoff-specific boards indicated that thousands were being laid off, from their plans to urgent care and providers [TTA 23 Apr]. These were not confirmed by Optum nor by UnitedHealth Group. It’s not known if this unit’s closure was included in the total. 

The larger picture is that it is symptomatic of the sudden growth, then equally sudden consolidation, of general telehealth. Optum opened the unit in April 2021 as the pandemic entered year 2. Utilizing existing capabilities, UHG claimed it facilitated more than 33 million telehealth visits in 2020, up from 1.2 million in 2019. The number looks sky high but in that time of practices closing it was a free-for-all in telehealth–and ‘facilitating’ is a nebulous catchword that could mean a practice using Facetime, telephones, or an EHR/population health platform module. Commercial claims for telehealth have remained at 4 to 5% since (FAIR Health, Jan 2024). Even during the pandemic’s first year, telehealth claims hit a peak of 13 percent in April 2020 that dropped fast to 6% by August 2020. Well over 60% are for behavioral telehealth claims.

A leading indicator: Last June, Optum Everycare’s CEO from their 2021 start, Kristi Henderson, a former Optum SVP for digital transformation, departed to become CEO of Confluent Health, a national network of occupational and physical therapy clinics. It was about as far away as one could get from telehealth, digital transformation, and Amazon Care, her former employer that expired in 2022.

Apparently, UHG and Optum see no further need for a virtual care specialty unit, instead integrating it into plans and other Optum services. According to MedCityNews, industry analysts aren’t surprised. Both Amwell and Teladoc have had well-known struggles. The latest: Walmart, after investing millions into their unit that included full clinics and a virtual care service, also made news on 30 April that it is closing both. Also greatly on UHG’s mind: cleanup after the Change debacle, making Mr. Market happy, and the looming antitrust action by DOJBecker’s, Healthcare IT News, 

In another sign that healthcare investors are selling off ancillary businesses, Advocate Health is selling PERS provider MobileHelp. It “no longer fit the strategic priorities of Advocate Health” according to their 22 April audit report (see document pages 10 and 13) and was authorized last December.

Advocate, through its investment arm Advocate Aurora Enterprises, acquired both MobileHelp, one of the earliest mobile PERS, and sister company Clear Arch Health, a remote patient monitoring provider, in April 2022. Cost was not disclosed at that time but later was reported to be $290.7 million. The plan at the time was to combine both MobileHelp and Clear Arch with a senior care/home health provider earlier acquired by Advocate for $187 million, Senior Helpers. That company was sold in March to Chicago-based private equity firm Waud Capital Partners for an undisclosed amount. The MobileHelp sale is expected to close later this year. Buyer and price are not disclosed. The expected loss on the MobileHelp sale was figured into FY 2023 as part of an asset impairment write-down of $150 million, which Advocate said was “related to the expected loss on the sale of MobileHelp.” The PERS and RPM business is a largely consolidated ‘cash cow’ type of business that (Editor’s prediction) will be snapped up by another player like Connect America, Alert One, or a smaller player like ModivCare. Milwaukee Business Journal, Becker’s, Crain’s Chicago Business (requires subscription)

VA admits that some veterans may be affected by Change Healthcare data breach, PII/PHI disclosure. While Department of Veterans Affairs Secretary Denis McDonough at this time believes that “there’s no confirmation yet” that veteran data was exposed, the scope of the Change Healthcare breach has led VA to formally alert via email 15 million veterans and their families of the possibility. The email also included information “about the two years of free credit monitoring and identity theft protection” that Change Healthcare is offering to those affected by the attack. The VA maintains that the attack resulted in only a temporary delay in filling 40,000 prescriptions but did not cause “any adverse impact on patient care or outcomes,” according to a department spokesman. NextGov/FCW 26 April, 23 April 

In related news, HHS as of 19 April had not received any notification from Change Healthcare nor UHG. They are required to file a breach report as providers and also as covered entities. They have 60 days from the breach occurrence on 21 February to report, which is coming right up. Becker’s

If Larry said it, it must be true…assemble the moving boxes. At an Oracle conference in Nashville last week, Oracle chairman Larry Ellison said to Bill Frist of investment firm Frist Cressey Ventures that he planned to move the company to that city as “It’s the center of the industry we’re most concerned about, which is the healthcare industry.” It’s their second public Larry and Billy meetup in the last few months, the last in November at the Frist Cressey Ventures Forum where Ellison had previously touted Nashville. Ellison is investing in and building a 70-acre, $1.35 billion campus on Nashville’s riverfront. Oracle is currently HQ’d in Austin, Texas having moved in 2020 from Redwood City, California but with extensive facilities remaining in the state. Texas and Tennessee have one thing in common–a superior business climate. Both are long on lifestyle, though Austin is not as temperate (read, hot) as Nashville. What Nashville has that Austin doesn’t is being a healthcare hub. At least in Ellison’s view, healthcare is where it’s at and so is Nashville. So as long as he’s running Oracle from his manse on Lanai, Oracle does what Larry says. Healthcare Dive, Healthcare IT News, The Tennessean

More fun facts about Larry Ellison and Nashville: David Ellison, his son, is founder of Skydance Media, a major Hollywood production company (Mission: Impossible and others) and negotiating a zillion-dollar merger with Paramount Pictures. David’s wife is a singer trying to make it in Music City and they have a home there. Kind of like the age-old trend of moving the HQ near where the CEO’s living. On moving the HQ to Nashville from Austin, this would affect perhaps 2,500 workers based there currently. Most of Oracle’s workers are dispersed and work remotely. 6,400 of former Cerner-ites are still in Missouri and 7,000 remain in California. Big hat tip to HIStalk—scroll down and see more about Larry and Billy’s talk, which also covered cybersecurity, the NHS (which uses Cerner), and automating hospitals and the hospital-payer interface.

Breaking: UnitedHealth admits to paying ransomwareistes on Change stolen patient data (updated)

Admitted, finally, to CNBC on Monday. UnitedHealth told CNBC in a statement. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.” UHG’s release alludes to this but without specifics as to what entity was paid (ALPHV? RansomHub?) nor the amount. It vaguely states that it reviewed 22 screenshots “some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor” and that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals”. This seems to point to the most recent RansomHub offer of 4TB of Change Healthcare PHI/PII for sale, not the original breach, but UHG’s information is inconclusive for the reader. Also Becker’s.

However, the admission that Change files were breached and a ransom was paid is substantial and points to multiple leaks of the PHI and PII on multiple sites. Despite no identification and notification of customers yet, UHG is offering a support hotline to individuals concerned about the cyberattack, offering free credit monitoring and identity theft protections for two years plus “emotional support.”

Another fun fact that DataBreaches.net points to in its short article is that the Wall Street Journal (also cited by TechCrunch) said that its research indicated that the original breach came from stolen remote access credentials. It took only a week for ALPHV’s hackers to explore the system before deploying the cyberransom and hacking software through Change’s systems. Updated: the WSJ pins the original breach to 12 February but the hackers didn’t ‘detonate’ the ransomware till 21 February. Also multi-factor authentication is standard operating procedure for remote access, but MFA wasn’t enabled on this.  Developing and will be updated. Our article posted on Monday here with links to our prior articles.

Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here’s the latest updates from DataBreaches. net

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data. 

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify they had the data, asking if 2) was it ‘notchy’s data’, and 3) how did RansomHub obtain it if not ‘notchy’? RansomHub also leaked some screenshots of  2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.” 

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data in now for sale. Anyone interested in the purchase should contact RansomHub. 

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty. 

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), Genoa (OptumRx-unknown). Notices range from immediate, to two weeks into May, and forward. Types of jobs eliminated have been at all levels of regional and corporate, affecting engineers, care management, clinical, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

News roundup: Congress hammers absent UHG on Change cyberattack–and more; 10% unhinged at Hinge Health; Steward Health nears insolvency; Two Chairs $72M Series C

UnitedHealth Group facing direct Congressional criticism–and didn’t show up to answer it. The House Energy and Commerce Committee held a hearing yesterday on the BlackCat/ALPHV cyberattack on UHG/Optum’s Change Healthcare systems. Representatives of the American Hospital Association, which we noted led the earliest efforts to assess the situation, help health systems, and then lobby Health and Human Services to assist providers, the College of Healthcare Information Management Executives, and the Healthcare Sector Coordinating Council testified to a restive group of House representatives. Though reports have said that UHG had previously briefed the committee and CEO Andrew Witty will appear before the Senate Finance Committee on 30 April, both Republicans and Democrats didn’t spare the criticism. Other issues, such as healthcare provider consolidation, cybersecurity coordination, and vertical integration through acquisitions as represented by UHG and Change, entered into the hearing. And it went pretty far. Rep. Buddy Carter (R-GA): “The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up.” Rep. Anna Eshoo (D-CA): “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system,” and called it “outrageous”. 

The current administration’s proposed $800 million investment in hospital cybersecurity protections was typed as “woefully insufficient.” 

Returning to the main issues, Larry Bucshon, MD (R-IN) stated that both the government and private companies were slow in assisting providers. John Riggi, AHA’s national adviser for cybersecurity and risk testified that “The federal government did not step in for weeks. Needed flexibilities under Medicare were not immediately available. It took 18 days for CMS to begin allowing providers to apply for advancing accelerated payments.” On how it affected providers, 94% of respondents in an AHA provider survey felt a financial impact from the attack, over half reported a “significant or serious” impact, and 74% of hospitals reported a direct effect on patient care. Payers are resisting advanced payments. UHG was even accused of exploiting the cyberattack to purchase additional practices by Rep. John Joyce, MD (R-PA). Becker’s, Chief Healthcare Executive, STAT

This Editor has previously noted that UHG is taking a $1.6 billion charge for the cyberattack and is separately facing a DOJ investigation on multiple antitrust issues between the payer group and Optum, including their Amedisys buy [TTA 6 Mar]. UHG is also facing multiple class-action lawsuits from practices currently and expected from patients affected by the theft of PHI and PII [TTA 28 Mar]. It’ll be a busy spring and summer for UHG’s legal department.

Hinge Health cuts 10% of staff. Reasons given were the standard tropes of ‘long-term sustainable business’, ‘accelerate our path to profitability, speed up decision making, and better focus our investments’ plus ‘realign our organization’. Their employee group is estimated at 1,700 on LinkedIn, making this about 170 staff released in various functions including engineers. The company is preparing for an IPO, which may not be this year, since they claim to have $400 million in cash on the books. Hinge’s last raise was an October 2021 $400 million Series E led by Tiger Global and Coatue Management for a total funding of $826.1 million over 10 raises (Crunchbase). At that time, their valuation was a bubbly $6.2 billion. Their virtual musculoskeletal rehabilitative therapy for back and joint pain care has since then expanded to rehab for pelvic pain, bowel, and bladder control. TechCrunch  As predicted in our Rock Health Q1 review, Hinge is a perfect example of companies “pursuing IPO and M&A exit pathways concurrently to keep options open” by presenting their financials as if they were already public companies. 

Steward Health Care nears bankruptcy court. And the Optum buy of Stewardship Health practices won’t save it in time. Steward’s lenders are giving the health network until the end of April–two weeks away–to prove it can repay its considerable debts. Its recovery plan which included the Stewardship sale has been criticized as unworkable given the volume of debt and the regulatory implications of selling their hospital assets. The Optum acquisition is required to undergo a 30-day review by Massachusetts’ Health Policy Commission (HPC)–and while it was announced at the end of March, it had not started by mid-April. Given UHG’s other problems and scrutiny of practice purchases by the DOJ and FTC, Optum may walk away or wait. No purchase price had been announced but it would be a drop in a bottomless well anyway. The mounting problems of Steward Health Care are detailed in Healthcare Dive’s analysis.

And to end on a more optimistic note, Two Chairs, a telemental health provider out of San Francisco, scored a $72 million Series C. Lead investors are Amplo and Fifth Down Capital with debt financing from Bridge Bank. The new raise, majority equity, brings Two Chairs’ total funding to $103 million. Their hybrid virtual and in-person therapy model is available at present in California, Florida, and Washington and markets to consumers, payers (Aetna nationally, Kaiser Permanente in Washington and Northern California), providers, and employers. The company states it will use the fresh funding to expand its markets and improve its technology platform. Currently, they have more than 500 clinicians on staff, most of whom are full-time. Their differentiator in the crowded telemental health category is their emphasis on measurement-based care, aided by a “matching consult,” facilitated by a proprietary 300-variable algorithm that creates the right therapist-client match (the ‘two chairs’ of the company’s name), which studies indicate is the most important factor in determining a good outcome.  Release, FierceHealthcare, MedCityNews

Mid-week short takes: UnitedHealth’s $1.2B Q1 loss from Change attack, another Walgreens layoff, Dexcom-MD Revolution partner, Kontakt.io $47.5 raise, GeBBS Healthcare may sell for $1B

UnitedHealth Group rang up Q1 revenue of $99.8 billion, with adjusted earnings from operations $8.5 billion, but had a net loss of $1.22 billion (WSJ). (Ed. note–Becker’s has $1.4 million) The loss was created not only from the cyberattack on Change Healthcare’s systems ($0.74/share) but also a $7 billion charge due to the sale of UHG’s Brazil operations.

  • Q1 revenue was up $7.9 billion versus same quarter 2023.
  • Their year 2024 forecast of the damage done by the ALPHV cyberattack on Change is $1.6 billion ($1.15 to $1.35 per share).
  • Optum’s Q1 revenues of $61 billion grew by $7 billion over prior year, led by Optum Health and Optum Rx due to continued strong expansion in the number of people served

Someone at HIStalk did some counting and noted that the Optum Solution Status dashboard for Change Healthcare shows 109 of 137 applications remain down, not much different than when we eyeballed it on 3 April. CNBC, UHG release, HIStalk, Becker’s, MSN/WSJ

Walgreens continues to cut staff–this go-around, it’s corporate support center employees both in Chicago and working remotely. No total was provided by the Walgreens spokesperson contacted by Crain’s Chicago Business. This adds to 900 corporate staff laid off in several waves earlier this year and last fall, VillageMD staff due to 140 closures, and 646 distribution center staff laid off last month. Walgreens stock is down 33% this year. 

In cheerier news, Dexcom is partnering with remote patient monitoring (RPM) provider MD Revolution to add its continuous glucose monitoring (CGM) system to MD Revolution’s RPM platform. MDR is a startup company marketing its RPM platform to large practices, health systems, and healthcare organizations. Current raises date back to 2015 totaling under $60 million mostly from venture round funding (Crunchbase). Release

Inpatient data analytics company Kontakt.io raised a Series C investment of $47.5 million, led by Growth Equity at Goldman Sachs Asset Management (Goldman Sachs). This adds to a modest $21.5 million from various investors from 2013 to 2022 (Crunchbase). Kontakt provides patient flow analytics to health systems to optimize patient, staff, and resource flows, improving safety, coordination, and service delivery. It uses a combination of RTLS property tracking, cloud, and AI to provide real-time location data and orchestrate staff, equipment, and clinical spaces around a patient’s care journey. The additional funds will be used for sales expansion and AI development. HIStalk, Release 

GeBBS Healthcare Solutions on the block, may fetch $1 billion. The LA-based business process outsourcing (BPO)/revenue cycle management (RCM) company, currently owned by ChrysCapital of New Delhi, is on the market for a reported $800 million to $1 billion. This would be a tidy payday for ChrysCapital which back in 2018 acquired an 80% stake in GeBBS for $140 million with a valuation then of $175 million. ChrysCapital is India’s largest home-grown PE investor. Economic Times-India Times, HIStalk

News roundup: Now Clover Health faces delisting; BlackCat/ALPHV affiliate with 4TB of data puts it up for sale; $58M for Biolinq’s ‘smallest blood glucose biosensor’

Clover Health takes another pass at Nasdaq delisting. Once again, Clover’s Class A shares (CLOV) have been trading with an average closing price of below $1.00 over a consecutive 30 trading-day period, which violates Nasdaq’s continued listing minimum price criteria for the Nasdaq Global Select Market. This was announced in their most recent 8-K filed with the SEC 2 April. Clover has until 30 September to remedy the situation. An additional 180-day period may be elected if Clover transfers to the Nasdaq Capital Market. FierceHealthcare, Becker’s

The delisting is a rerun of their situation last year at this time. Clover considered a reverse stock split to be approved by shareholders but the share price improved on its own and the action was not necessary. This year, it may be. Clover is currently trading at $0.7365. Last August, it hit a high of $1.55 before sliding to below $1.00. An example of a SPAC through Social Capital Hedosophia Holdings, it hit a high of over $15 on 8 January 2021 before cracking that year based on revelations that Clover did not reveal a Department of Justice investigation starting the prior year, which prompted an SEC investigation [TTA 9 Feb 2021], triggering seven shareholder lawsuits that were not settled until December 2023. Clover Health exited the advanced value-based primary care program, ACO REACH, at the end of the 2023 performance year after two years to focus on their Medicare Advantage and Clover Assistant businesses [TTA 6 Dec 2023]. Financially, Clover closed 2023 with revenue of $2.033 billion (down from 2022’s $3.5 billion), net loss of $213.4 million, and an adjusted EBITDA loss of $44.7 million, with the losses improved over 2022. Clover release 

As predicted, 4TB of Change Healthcare data is up for sale. In a typical ransomwareiste move, the affiliate making nasty comments about BlackCat/ALPHV and claiming it had 4TB of data now has put the specs out on a dark web site called Ransomhub. The post first accuses ALPHV of stealing the $22 million ransom paid by UnitedHealth Group and not sharing it with the affiliate. It then claims it has highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more. If Change/UHG isn’t interested, it will be up for sale to the highest bidder. Readers will recall the claims of ‘notchy’ early in the Change Healthcare attack [TTA 7 Mar] though UHG has not confirmed any payment to ALPHV. The demand for payment for the 4TB of data that ‘notchy’ claimed to possess was hardly unexpected. DataBreaches.net

A non-invasive “smallest ever” transdermal biosensor in development may turn the CGM business upside down. Biolinq’s latest round of $58 million will fund a pivotal clinical trial and FDA submission of its intradermal glucose sensor. The funding was led by Alpha Wave Ventures, with participation from Niterra’s corporate venture capital fund jointly operated with Pegasus Tech Ventures and existing investors RiverVest Venture Partners, AXA IM Alts, Global Health Investment Corporation, and four others, for a total since 2014 of $254 million. Crunchbase Current blood glucose sensors penetrate the skin with tiny needles. The Biolinq biosensor uses electrochemical sensors to measure glucose levels from the intradermal space just beneath the surface of the skin, on top of the capillary layer avoiding scarring. To access the intradermal layer, the sensors must be “200 times smaller than a human hair filament” according to Biolinq CEO Rich Yang. It also can combine blood glucose information with relative levels of activity in one device to eventually measure other analytes. The device as currently designed displays key information directly on the sensor–yellow light for high blood glucose, blue for normal. Release, MedCityNews

Mid-week news roundup: US offers $10M for BlackCat/ALPHV info; most Change systems still down; Risant closes Geisinger buy; SureScripts exploring sale; DarioHealth 2023 revenue -23%; Amazon Pharmacy same-day delivery NYC and LA

US State Department pays well for Big Breach information. Interestingly, this US agency through the Diplomatic Security Service has a special program, Rewards for Justice (RFJ), for cyberattacks that are deemed “malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”. The activities of the now-disappeared (ha ha!) BlackCat/ALPHV  ransomware-as-a-service (RaaS) group, identified on 29 February as the culprits in the massive Change Healthcare/Optum system takedown, are now listed as qualifying for a reward, presumably as disruptive to US healthcare and not just UnitedHealth Group. Contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). That is, if you dare! Rewards for Justice release, Becker’s

Six weeks later, most Change services are still X-d on the Optum Solution Status page. A quick rundown of the hundred or so programs that Change provides to enterprises has a long line of Xs with some triangles containing ! (partial outage) or yellow boxes (degraded performance). The green checkmarks are clustered in high-priority areas such as pharmacy solutions and clinical decision support. Otherwise, they are scattered across categories. The summary on the top of page (dropdown) lists workarounds for specific programs such as batch processing and transitioning over to Optum systems unaffected by the attack. This Editor bets that most of these Change legacy systems will come back only partially if at all–many will be abandoned and replaced by Optum systems. Hat tip to HIStalk 29 March

Risant Health, the non-profit community hospital system founded by but separate from Kaiser Permanente, has closed its acquisition of Pennsylvania-based Geisinger Health as of 2 April.  Jaewon Ryu, MD, JD, currently Geisinger’s president and CEO, will move to CEO of Risant Health, with Terry Gilliland, MD, replacing him at Geisinger. The Risant plan announced last April is that Kaiser will fund $5 billion to Risant, which will acquire now four or five health systems over the next four to five years. The health systems will retain their names and operational areas. The purpose of Risant is to bring community systems it acquires greater access to capital, technology, and resources for facility improvements, innovation, and investment in patient care. Keeping an eye on 109-year-old Geisinger. Risant release

Mega e-prescription system Surescripts is exploring a sale. Silicon Valley investment bank TripleTree is handling the search for buyers. Currently, Surescripts is owned 50% by CVS Caremark and Cigna-owned Express Scripts, with two trade groups, the National Association of Community Pharmacies and the National Association of Chain Drug Stores, owning the other 50%. It isn’t disclosed in the Business Insider ‘reveal’ what group(s) is interested in selling all or part of its ownership. Since Surescripts holds 95% of the e-prescribing market, any buyer or investor would need be mega flush to buy into it. 

DarioHealth didn’t have a great 2023. Net revenue was down 23% versus 2022: $20.4 million to the prior year’s $27.7 million. The chronic condition management company managed to narrow its 2023 net loss of $59.4 million from $62.2 million in 2022. A lot of the problems seemed to center on their Q4, with net revenue that declined to $3.6 million from $6.8 million in Q4 2022 and a net loss that increased to $14.3 million from $12.6 million in Q4 2022.  Dario’s gross profits for 2023 were down 38% to $6 million, a decrease of 38% versus 2022’s $9.7 million. The changing financial picture was attributed to a new private label platform with Aetna launching in 2024, changing from a B2C to a B2B2C model, and February’s “transformational acquisition” of Twill (Happify) in telemental health. As this Editor noted then, it was a feat of funding legerdemain that rivaled a Frank Lorenzo deregulation-era airline acquisition. Their information around 2023 earnings isn’t much different. Dario provides a combined app and in-person approach to musculoskeletal (MSK) therapy, diabetes (including GLP-1 drugs), hypertension, weight management, and behavioral health. Mobihealthnews, Dario release

And speaking of pharmacy, Amazon Pharmacy expanded same-day medication-delivery offerings to NYC residents and the greater Los Angeles area. This adds to same-day prescription delivery available in Phoenix, Austin, Seattle, Indianapolis, Miami, and Texas, including free drone delivery in College Station. How it works: Amazon has small facilities and pharmacists near the areas, ready to fill and deliver medications in minutes using genAI and machine learning tools. Delivery in NYC/Manhattan will be by bike and in LA, electric vans or other commercial vehicles. (Editor’s note: bike delivery in the outer boroughs is like LA–impractical.) Amazon Prime members have additional benefits. Competition here are online companies like Mark Cuban Cost Plus and GoodRx’s prescription service. But perhaps it’s a good time to sell Surescripts? Mobihealthnews