Breaking: multiple London hospitals, borough GPs declare ‘critical incident’ from ransomware attack via third party pathology vendor

Breaking News. A group of London hospitals, plus GP services across several boroughs, have been affected by a third-party ransomware attack and have declared a critical incident. The vendor, Synnovis, is a provider of pathology services in a partnership between two London-based hospital trusts and SYNLAB UK & Ireland. The attack started on Monday 3 June. Synnovis reported in its statement yesterday that it affected all its IT systems and interrupted many Synnovis pathology systems. Synnovis “was the victim of a ransomware cyberattack”, according to chief executive Mark Dollar. Affected patient tests via Synnovis include blood, bowel and various swabs.

The hospitals affected are King’s College Hospital, Guy’s and St Thomas’, including the Royal Brompton and the Evelina London Children’s Hospital. These hospital trusts are partners in Synnovis with SYNLAB UK & Ireland, Europe’s largest provider of testing services. GP services affected are in the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth. The critical incident has affected primary care and delayed operations on patients plus blood transfusions, with reported diversions of emergency patients, though reports are varying on the last.

According to the Synnovis statement, the incident has been reported to law enforcement and the Information Commissioner, and the company is working with the National Cyber Security Centre and the Cyber Operations Team. There is no information yet available attributing the attack to a ransomware organization. Sky News, BBC News

This is a developing story.

News roundup: 100+ medical orgs pile on Change/UHG; Teladoc hit with second class-action suit; Congress demands Oracle EHR improvement–or else; Transcarent intros WayFinding; Centivo buys Eden Health

The fallout from the Change cyberhack hangs like smog over UHG. On Monday, the American Medical Association (AMA), along with about 100 other signatories from nationwide medical associations including CHIME and AHIMA, sent a strongly worded letter to Health and Human Services Secretary Xavier Becerra. It requested a clear delineation of responsibilities for breach reporting requirements created by the 21 February Change Healthcare ALPHV/Blackcat ransomware attack. Reporting is required by HHS’ Office of Civil Rights (OCR) under HIPAA.

Specifically, the AMA letter requested 1) more public clarity around reporting responsibilities to patients for the data breach and 2) that all reporting and notification responsibilities will be handled by Change Healthcare, not the providers. “OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach”. To date, this doesn’t seem to be OCR’s position.

  • The AMA and signatory organizations maintain that it “is the responsibility of the covered entity which experienced the breach—UHG—to fulfill its obligations in regard to reporting the breach to OCR, notifying each affected individual, as well as any further HIPAA breach reporting requirements that may be applicable, such as notifying state Attorneys General and media outlets.”
  • OCR, on the other hand, has gone on the record in April as stating in their FAQs that “while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary, depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.” (Providers can be considered business associates)

In other words, the providers want the full responsibility of contacting patients, state attorneys general, media, and others (e.g. class action lawyers) to be Change Healthcare’s. They do not want to be forced to contact their patients and, in all fairness, at this point do not know which patients were affected because they are not privy to Change Healthcare’s information. UHG has not yet produced a breach report to OCR. AMA letter to Becerra, Healthcare Finance News

When the stock falls, blame the marketing spend! The latest class-action lawsuit filed against Teladoc blames the company for spending money in digital and other media advertising promoting BetterHelp, their telementalhealth unit. The suit cites Teladoc’s public statements such as a “long runway” for BetterHelp’s membership growth and that spending would be inefficient due to the saturated category. Yet spending increased in 2023. The lawsuit charges that this directly deteriorated the company’s revenue, leading to a substantial fall in its stock price. Named as defendants are Teladoc, then-CEO Jason Gorevic, and CFO Mala Murthy. Stary v. Teladoc Health, Inc. et al. was filed on May 17 in the US District Court for the Southern District of New York. No response yet from Teladoc. Docket on Justia, Mobihealthnews

The House and Senate Veterans’ Affairs Committees jointly introduce legislation on VA’s EHR modernization. The Senator Elizabeth Dole 21st Century Veterans Healthcare and Benefits Improvement Act would require the Department of Veterans Affairs to exercise even greater oversight of the Oracle Cerner implementation in these areas:

  • The quarterly reports to Congress would include additional quality metrics on user adoption, employee satisfaction, and employee retention/turnover where the Oracle Cerner EHR is introduced. This adds to existing required reporting on spending and performance.
  • Regarding additional rollouts, the VA secretary must certify that the sites are ready. He also must furnish corroborating data to Congress “demonstrating that all facilities currently using the Oracle Cerner EHR system have recovered to normal operational levels.”
  • If there is no improvement (presumably to this standard) at Oracle Cerner locations within two years of the bill’s enactment, the program will be terminated.
  • VA must also report on the status of VistA with details about “the operation and maintenance costs and development and enhancement costs” of the software and “a list of modules, applications or systems” within VistA that VA plans to retire or continue to use.

HIStalk 17 May, NextGov/FCW

‘Not for sale’ Transcarent introduces an AI-assisted platform, WayFinding. The platform, designed for end users of Transcarent’s enterprise health navigator, combines generative AI with instant access to care providers to integrate benefits navigation, clinical guidance, and care delivery on a single platform. The personalized guidance enables the member to find a provider, find out costs, and be guided to the best clinical action to take next. It then connects them to medical professionals or provides direct access into digital point solutions. It integrates information on details of the employer plan, ancillary benefits, the member’s medical history, and connection to clinical specialists. There is no information in the overly padded release on when the new platform will be available or how it will be offered to existing and new customers. This follows on Transcarent’s $124 million Series D funding two weeks ago. FierceHealthcare, Mobihealthnews, TTA 8 May

Centivo acquires Eden Health virtual care. The purchase price was not disclosed. Centivo, headquartered in Buffalo NY, is a health plan for self-funded employers. Eden, also providing services to employers, is a concierge provider that offers through a mobile app primary care, mental health, and care navigation services, plus workplace pop-up clinics. Eden also has technology that connects providers’ EMRs to their app. Eden’s services will be fully integrated into Centivo, which will enable it to expand to 50 states and increase from its current 120 employer base to 160. The combined organizations cover about 2 million eligible patients in companies ranging from Fortune 100 size to small businesses. Eden’s CEO will serve as a senior advisor to Centivo, but there is no other indication of employee transition. Release, FierceHealthcare

Short takes: Legrand acquires Enovation, FDA nixes Cue Health’s Covid tests, Ascension confirms ransomware attack–who did it? (updated), beware of ‘vishing’ courtesy of ChatGPT

Legrand Care acquires Enovation. Enovation is a Netherlands-based digital health company with a connected care platform for care monitoring across prevention, early detection, medication checks, and remote healthcare. Its customer base includes ambulances, pharmacies, clinics, hospitals, and home care. With distribution in healthcare organizations across 18 countries, including Scottish Digital Telecare [TTA 11 Aug 2021], it will join the equally international Legrand’s Assisted Living and Healthcare (AL&HC) business unit with Intervox, Neat, Tynetec, Jontek, and Aid Call. Acquisition cost was not disclosed. Release. Legrand and Tynetec are long-time supporters of TTA.

The hammer drops on embattled Cue Health. The US Food and Drug Administration (FDA) has invalidated Cue Health’s Covid-19 Tests for Home and OTC Use and for the authorized lab test version. Home users were advised to discard unused kits in household trash. Both consumers and providers were advised to retest if symptoms persisted after a negative test result. This followed an FDA inspection of their operations that determined that unauthorized changes to the test kit design were made along with failures in performance testing. A Warning Letter was issued to Cue on 9 May. The company has not yet responded. FDA Safety Communication

Cue was one of many biotech manufacturers that marketed Covid-19 point of care/lab and home testing kits after obtaining Emergency Use Authorizations (EUA) in 2020 and 2021. It exploded in size and went public in September 2021 at $200 million and $16/share with a valuation of $3 billion. Today HLTH shares trade on NasdaqCM at a little bit over $0.13. Their headquarters facilities in San Diego that once had 1,500 employees must be a lonely place, as the company reported another layoff of 230 employees, about half of remaining staff, after earlier layoff rounds of 245 in February and 880 in 2023. Their remaining test is one for Mpox on an EUA. Two other tests developed for flu and RSV are still under FDA review. Cue Health’s financial reports for 2023 were dismal with revenue down to $71 million, an 85% reduction versus 2022, and a net loss of $373.5 million. Recent reports indicate that the company will refocus on marketing its Cue Health Monitoring System. Management and board changes have also been drastic, with a CEO change in March (Yahoo Finance) and the CFO departing this past Monday. MedTech Dive

Ascension Health finally acknowledged that its cyberattack was ransomware-based. On Saturday 11 May, their website event update confirmed that the cyberattack was ransomware. The Saturday and Monday 13 May updates also confirm that system operations will continue to be disrupted with no timetable set for restoration to normal status. Impacted systems include their EHR, MyChart, and some hospitals are diverting emergency care. The update page now has 12 regional updates and a general + patient FAQ. Update: in these states, Ascension’s retail pharmacies cannot fill prescriptions: Florida, Wisconsin and the District of Columbia. Their website recommends that patients bring paperwork and prescription containers. Lab and imaging results are delayed. Since the hospitals are on manual systems, overall there are delays in admissions–bring documentation. And the class-action suits have started, with reports that three have been filed already. Healthcare IT News

Who dunnit? Reports over the weekend attributed Ascension’s hack to the interestingly named ransomwareistes Black Basta. Late last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Black Basta. It’s another charming ransomware-as-a-service (RaaS) with bad news affiliates like BlackCat/ALPHV, wreaking havoc on over 500 organizations globally. No word on whether Ascension has paid ransom.

Speaking of cybersecurity, now something else to worry about–‘vishing’. This is ‘voice phishing’, another generative AI-facilitated hack that uses snippets of a human voice to impersonate people or representatives of organizations via phone call or voicemail. Not enough? There’s ‘smishing’–SMS or text phishing, which can invade your phone with all sorts of nasty messages. These attacks, according to cybersec firm Enea, are up twelve-fold since the launch of ChatGPT. Vishing, smishing, and phishing (email) attacks have increased by a staggering 1,265%. 76% of enterprises lack sufficient voice and messaging fraud protection. Can we go back to the 1990s? 2000s? When we worried about “Nigerian princes” email scams? Becker’s, Enea survey report

Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) and posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here are the latest updates from DataBreaches.net

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data.

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify that they had the data, 2) ask whether it was ‘notchy’s’ data, and 3) ask how RansomHub obtained it if not from ‘notchy’. RansomHub also leaked some screenshots of 2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.”

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data is now for sale. Anyone interested in the purchase should contact RansomHub.

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review, which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty.

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), Genoa (OptumRx-unknown). Notices range from immediate, to two weeks into May, and forward. Types of jobs eliminated have been at all levels of regional and corporate, affecting engineers, care management, clinical, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

News roundup: Congress hammers absent UHG on Change cyberattack–and more; 10% unhinged at Hinge Health; Steward Health nears insolvency; Two Chairs $72M Series C

UnitedHealth Group is facing direct Congressional criticism–and didn’t show up to answer it. The House Energy and Commerce Committee held a hearing yesterday on the BlackCat/ALPHV cyberattack on UHG/Optum’s Change Healthcare systems. Representatives of the American Hospital Association, which we noted led the earliest efforts to assess the situation, help health systems, and then lobby Health and Human Services to assist providers, the College of Healthcare Information Management Executives, and the Healthcare Sector Coordinating Council testified to a restive group of House representatives. Though reports have said that UHG had previously briefed the committee and CEO Andrew Witty will appear before the Senate Finance Committee on 30 April, both Republicans and Democrats didn’t spare the criticism. Other issues, such as healthcare provider consolidation, cybersecurity coordination, and vertical integration through acquisitions as represented by UHG and Change, entered into the hearing. And it went pretty far. Rep. Buddy Carter (R-GA): “The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up.” Rep. Anna Eshoo (D-CA): “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system,” and called it “outrageous”.

The current administration’s proposed $800 million investment in hospital cybersecurity protections was characterized as “woefully insufficient.”

Returning to the main issues, Larry Bucshon, MD (R-IN) stated that both the government and private companies were slow in assisting providers. John Riggi, AHA’s national adviser for cybersecurity and risk testified that “The federal government did not step in for weeks. Needed flexibilities under Medicare were not immediately available. It took 18 days for CMS to begin allowing providers to apply for advancing accelerated payments.” On how it affected providers, 94% of respondents in an AHA provider survey felt a financial impact from the attack, over half reported a “significant or serious” impact, and 74% of hospitals reported a direct effect on patient care. Payers are resisting advanced payments. UHG was even accused of exploiting the cyberattack to purchase additional practices by Rep. John Joyce, MD (R-PA). Becker’s, Chief Healthcare Executive, STAT

This Editor has previously noted that UHG is taking a $1.6 billion charge for the cyberattack and is separately facing a DOJ investigation on multiple antitrust issues between the payer group and Optum, including their Amedisys buy [TTA 6 Mar]. UHG is also facing multiple class-action lawsuits from practices currently and expected from patients affected by the theft of PHI and PII [TTA 28 Mar]. It’ll be a busy spring and summer for UHG’s legal department.

Hinge Health cuts 10% of staff. Reasons given were the standard tropes of ‘long-term sustainable business’, ‘accelerate our path to profitability, speed up decision making, and better focus our investments’ plus ‘realign our organization’. Their employee group is estimated at 1,700 on LinkedIn, making this about 170 staff released in various functions including engineers. The company is preparing for an IPO, which may not be this year, since they claim to have $400 million in cash on the books. Hinge’s last raise was an October 2021 $400 million Series E led by Tiger Global and Coatue Management for a total funding of $826.1 million over 10 raises (Crunchbase). At that time, their valuation was a bubbly $6.2 billion. Their virtual musculoskeletal rehabilitative therapy for back and joint pain care has since then expanded to rehab for pelvic pain, bowel, and bladder control. TechCrunch. As predicted in our Rock Health Q1 review, Hinge is a perfect example of companies “pursuing IPO and M&A exit pathways concurrently to keep options open” by presenting their financials as if they were already public companies.

Steward Health Care nears bankruptcy court. And the Optum buy of Stewardship Health practices won’t save it in time. Steward’s lenders are giving the health network until the end of April–two weeks away–to prove it can repay its considerable debts. Its recovery plan which included the Stewardship sale has been criticized as unworkable given the volume of debt and the regulatory implications of selling their hospital assets. The Optum acquisition is required to undergo a 30-day review by Massachusetts’ Health Policy Commission (HPC)–and while it was announced at the end of March, it had not started by mid-April. Given UHG’s other problems and scrutiny of practice purchases by the DOJ and FTC, Optum may walk away or wait. No purchase price had been announced but it would be a drop in a bottomless well anyway. The mounting problems of Steward Health Care are detailed in Healthcare Dive’s analysis.

And to end on a more optimistic note, Two Chairs, a telemental health provider out of San Francisco, scored a $72 million Series C. Lead investors are Amplo and Fifth Down Capital with debt financing from Bridge Bank. The new raise, majority equity, brings Two Chairs’ total funding to $103 million. Their hybrid virtual and in-person therapy model is available at present in California, Florida, and Washington and markets to consumers, payers (Aetna nationally, Kaiser Permanente in Washington and Northern California), providers, and employers. The company states it will use the fresh funding to expand its markets and improve its technology platform. Currently, they have more than 500 clinicians on staff, most of whom are full-time. Their differentiator in the crowded telemental health category is their emphasis on measurement-based care, aided by a “matching consult,” facilitated by a proprietary 300-variable algorithm that creates the right therapist-client match (the ‘two chairs’ of the company’s name), which studies indicate is the most important factor in determining a good outcome. Release, FierceHealthcare, MedCityNews

Mid-week news roundup: US offers $10M for BlackCat/ALPHV info; most Change systems still down; Risant closes Geisinger buy; SureScripts exploring sale; DarioHealth 2023 revenue -23%; Amazon Pharmacy same-day delivery NYC and LA

US State Department pays well for Big Breach information. Interestingly, this US agency through the Diplomatic Security Service has a special program, Rewards for Justice (RFJ), for cyberattacks that are deemed “malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”. The activities of the now-disappeared (ha ha!) BlackCat/ALPHV ransomware-as-a-service (RaaS) group, identified on 29 February as the culprits in the massive Change Healthcare/Optum system takedown, are now listed as qualifying for a reward, presumably as disruptive to US healthcare and not just UnitedHealth Group. Contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). That is, if you dare! Rewards for Justice release, Becker’s

Six weeks later, most Change services are still X-d on the Optum Solution Status page. A quick rundown of the hundred or so programs that Change provides to enterprises has a long line of Xs with some triangles containing ! (partial outage) or yellow boxes (degraded performance). The green checkmarks are clustered in high-priority areas such as pharmacy solutions and clinical decision support. Otherwise, they are scattered across categories. The summary on the top of page (dropdown) lists workarounds for specific programs such as batch processing and transitioning over to Optum systems unaffected by the attack. This Editor bets that most of these Change legacy systems will come back only partially if at all–many will be abandoned and replaced by Optum systems. Hat tip to HIStalk 29 March

Risant Health, the non-profit community hospital system founded by but separate from Kaiser Permanente, has closed its acquisition of Pennsylvania-based Geisinger Health as of 2 April. Jaewon Ryu, MD, JD, currently Geisinger’s president and CEO, will move to CEO of Risant Health, with Terry Gilliland, MD, replacing him at Geisinger. The Risant plan announced last April is that Kaiser will fund $5 billion to Risant, which will acquire four or five health systems over the next four to five years. The health systems will retain their names and operational areas. The purpose of Risant is to bring the community systems it acquires greater access to capital, technology, and resources for facility improvements, innovation, and investment in patient care. Keeping an eye on 109-year-old Geisinger. Risant release

Mega e-prescription system Surescripts is exploring a sale. Silicon Valley investment bank TripleTree is handling the search for buyers. Currently, Surescripts is owned 50% by CVS Caremark and Cigna-owned Express Scripts, with two trade groups, the National Association of Community Pharmacies and the National Association of Chain Drug Stores, owning the other 50%. It isn’t disclosed in the Business Insider ‘reveal’ which group(s) is interested in selling all or part of its ownership. Since Surescripts holds 95% of the e-prescribing market, any buyer or investor would need to be mega flush to buy into it.

DarioHealth didn’t have a great 2023. Net revenue was down 23% versus 2022: $20.4 million to the prior year’s $27.7 million. The chronic condition management company managed to narrow its 2023 net loss to $59.4 million from $62.2 million in 2022. A lot of the problems seemed to center on their Q4, with net revenue that declined to $3.6 million from $6.8 million in Q4 2022 and a net loss that increased to $14.3 million from $12.6 million in Q4 2022. Dario’s gross profits for 2023 were down 38% to $6 million versus 2022’s $9.7 million. The changing financial picture was attributed to a new private label platform with Aetna launching in 2024, changing from a B2C to a B2B2C model, and February’s “transformational acquisition” of Twill (Happify) in telemental health. As this Editor noted then, it was a feat of funding legerdemain that rivaled a Frank Lorenzo deregulation-era airline acquisition. Their information around 2023 earnings isn’t much different. Dario provides a combined app and in-person approach to musculoskeletal (MSK) therapy, diabetes (including GLP-1 drugs), hypertension, weight management, and behavioral health. Mobihealthnews, Dario release

And speaking of pharmacy, Amazon Pharmacy expanded same-day medication-delivery offerings to NYC residents and the greater Los Angeles area. This adds to same-day prescription delivery available in Phoenix, Austin, Seattle, Indianapolis, Miami, and Texas, including free drone delivery in College Station. How it works: Amazon has small facilities and pharmacists near the areas, ready to fill and deliver medications in minutes using genAI and machine learning tools. Delivery in NYC/Manhattan will be by bike and in LA, electric vans or other commercial vehicles. (Editor’s note: bike delivery in the outer boroughs is like LA–impractical.) Amazon Prime members have additional benefits. Competition here are online companies like Mark Cuban Cost Plus and GoodRx’s prescription service. But perhaps it’s a good time to sell Surescripts? Mobihealthnews

Mid-week roundup: UK startup Anima gains $12M, Hippocratic AI $53M, Assort Health $3.5M; Abridge partners with NVIDIA; VillageMD sells 11 Rhode Island clinics; $60 for that medical record on the dark web

It may be a little chilly out, but it feels like Springtime For Early Round Funding and Big Partnerships.

Anima, a London-based startup fresh out of Y Combinator, now has a $12 million Series A raise. It was led by Molten Ventures, with participation from existing investors Hummingbird Ventures, Amino Collective and Y Combinator. Its platform combines online consultation with productivity tools for integrated care enablement in one dashboard for primary care. Their founders position it as a single source for patient truth across care settings, avoiding missed diagnoses. As of today, Anima is deployed in over 200 NHS clinics in England caring for a combined 2 million patients and a monthly request volume of over 400,000 requests. They also claim to halve the time practices spend on coding, processing, and filing documents and to resolve 85% of patient inquiries within a day. Shun Pang, co-founder and CEO of Anima, who trained as a doctor at Cambridge University, told TechCrunch: “The entire clinic collaborates in a real-time multiplayer dashboard, like Figma, and can ping cases to each other, and chat with a Slack-like UX.” He also added that Anima’s processing system can “autonomously ingest any document, like handwritten, diagrams, imaging, and output a summary, with structured fields.” Anima has not entered the US market yet. Anima blog/release, Tech.EU

Hippocratic AI raised a jumbo $53 million Series A for what they term the first safety-focused Large Language Model (LLM) for healthcare. AI of course is the hottest funding area in healthcare. With two previous rounds raised in mid-2023, their total funding is $118 million (Crunchbase), creating a valuation estimated at $500 million. Investors were co-led by Premji Invest and General Catalyst with participation from SV Angel and Memorial Hermann Health System as well as existing investors Andreessen Horowitz (a16z) Bio + Health, Cincinnati Children’s, WellSpan Health, and Universal Health Services (UHS). Their product is a novel staffing marketplace where health systems, payors, and others can “hire” auto-pilot generative AI-powered agents to conduct low-risk, non-diagnostic, patient-facing services to help solve the massive healthcare staffing crisis. This is now being released for phase three safety testing with 5,000 licensed nurses, 500 licensed physicians, and the company’s health system partners. Release

San Francisco-based startup Assort Health now has a seed round of $3.5 million to advance its generative AI approach to healthcare call centers. Its goal is to eliminate front desk stress and call center/service holds. Its system in development uses AI and NLP (natural language processing) to understand a caller’s intent, then integrates with the medical providers’ EHR, including Epic, to resolve patient inquiries without human intervention. Funding was led by Quiet Capital (!) joined by Four Acres, Tau Ventures, and a number of angel investors from tech companies. Release

Another generative AI company with a substantial Series C under its belt, Abridge, is partnering with super-hot NVIDIA. The partnership also comes with undisclosed funding from NVIDIA’s VC arm, NVentures, to add to last month’s $150 million raise. Abridge is developing conversational AI technology using LLMs and speech recognition to ease the burden of taking notes during the doctor’s appointment, with fluency in 14 languages across 55 medical specialties. Abridge’s technology is designed to capture clinician-patient conversations and structure the scribing. NVIDIA’s partnership will give Abridge access to NVIDIA’s computing resources, foundation models, and expertise in efficiently deploying AI systems at scale. Release

Another episode in the continuing Walgreens Restructuring Saga has VillageMD selling 11 practices to Arches Medical Partners. The practices are located in the Providence metro area of Rhode Island and consist of three urgent cares and eight offices with a total of 50 physicians and 75,000 patients. It is unusual because it is the first time that VillageMD has sold practices instead of closing the offices, which it is doing with 85 to 90 offices. Transaction terms were not disclosed; the deal closed on 2 March. Arches is based in Cambridge, Massachusetts. Arches acquired these practices and also deploys software from its wholly-owned technology subsidiary, New Era Medical Operations (NEMO), to enable IPAs to negotiate and manage global risk contracts. Arches release, Becker’s, Crain’s Chicago Business

Wondering why ransomwareistes, their affiliates, and hackers in general are attracted to healthcare? It’s the value of a medical record. Going rates on the ‘dark web’ are now topping $60, according to CNBC’s source, cybersecurity researcher Jeremiah Fowler. By comparison, a Social Security number is a bargain at $15 and a credit card number a mere $3. It’s also easier to hack than ever due to affiliate relationships termed ransomware-as-a-service or RaaS. The ransomware is supplied, the affiliate hackers do the work, and they share in the rewards–most of the time (see ‘notchy’ being scammed by BlackCat/ALPHV on the Change Healthcare cyberattack TTA 5 Mar). But this doubles or triples the potential for company extortion, with multiple ‘actors’ attacking a company, extorting a ransom, and then keeping healthcare data and selling it through their channels.

The article concludes that healthcare execs need to get very, very serious about protecting their data. Yet this year has marked healthcare downsizing IT departments in order to save money. This is as security software has proliferated–but it has to be purchased and managed. Another distressing fact: this Editor only last week attended a major NYC conference on cybersecurity. Healthcare was mentioned only in passing as a market. Worse, not until this Editor questioned a speaker from the floor was the massive Change Healthcare attack even mentioned–and unfortunately she knew more about it than the speaker!

Reality Bites Again: UHG being probed by DOJ on antitrust, One Medical layoffs “not related” to Amazon, the psychological effects of cyberattacks

When It Rains, It Really Pours for UnitedHealth Group. On the heels of their Optum/Change Healthcare ransomware disaster are recent reports that the US Department of Justice is investigating UHG over multiple antitrust concerns. According to the Wall Street Journal, DOJ is examining certain relationships between the company’s UnitedHealthcare insurance unit and its Optum services unit, specifically around Optum’s ownership of physician groups. UHG has been aggressively buying practice groups and interests in them for several years, announcing quite publicly that its goal was to own or control 5% of US physicians. In 2022 and 2023, it bought CareMount, Kelsey-Seybold, Atrius Health, Healthcare Associates of Texas, and Crystal Run Healthcare (Becker’s). Local reporting by the Examiner News in Westchester, NY, brought much of this history to light. In that area, it started with local practice group CareMount and its 25% layoff after being folded into Optum Tri-State with ProHealth in Long Island and NYC and Riverside Health–a layoff pattern that accelerated in the practice groups in 2023.

DOJ lost out on their challenge to the Change Healthcare acquisition in November 2022, deciding not to appeal the Federal District Court decision in 2023 [TTA 23 Mar 2023]. But DOJ never sleeps; they are examining with a microscope UHG’s $3.3 billion bid for home health provider Amedisys that started in August 2023 and has not moved forward. DOJ has a long memory, a Paul Bunyan-sized ax to grind, and doesn’t like losing. One wonders if now UHG has buyer’s remorse after fighting for two years to buy Change.

In the Alternate Reality Department, One Medical CEO Trent Green insisted that their reorganization and layoffs were unrelated to their acquisition by Amazon. Those of us who are a little less credulous know that with 98% of acquisitions, staff are laid off. Overlapping areas wind up being pink-slipped, no matter the individuals’ quality or even the difference in business: finance, HR, legal, marketing, IT, operations, compliance, sales, account managers…the list is almost endless. According to the Washington Post article (also Becker’s), One Medical cuts, estimated at up to 400, also included front desk staff, office managers, health coaches, behavioral health specialists and a pediatrician–people who aren’t employed by other Amazon units. One Medical’s corporate offices in New York, Minneapolis, and St. Petersburg, Florida are closing, and its San Francisco office space is reduced to one floor. TTA 14 Feb

One Medical has never been profitable, as this Editor noted when the acquisition was announced as part of the “race to transform healthcare models”. This wasn’t going to last long with Amazon, which has been aggressively cutting and dumping in other units such as Audible, Prime, and Halo. Marketing Amazon-style with deeply discounted memberships to Prime members also has its limitations. One Medical has a scant 200 mostly urban offices, which means that members outside those areas only have access to virtual visits. It had previously cultivated a patient population of young, mostly healthy and lower-cost urbanites, who as they grow older and have families might stick with the practice–or find it not compatible with or targeted to their needs in middle age. Management has changed: Green replaced Amir Dan Rubin, MD, as CEO last September. CFO Bjorn Thaler will move to a new position focused on growth initiatives. A layer of regional general managers will report to an Amazon head of operations, and legal, finance, and technology teams will report to Amazon’s healthcare business structure. Inbound calls now go to Mission Control, a central call center, and even those humans will in future be supplemented by an AI-enabled chatbot.

Iora Health, One Medical’s specialized (acquired) unit in Medicare Advantage and Medicare Shared Savings Programs including the advanced ACO REACH model, was rebranded in October as One Medical Senior, with the intention that all One Medical offices serve those aged 65+–but current patients, many with multiple chronic conditions, are now reporting cutbacks in callbacks, appointment length, physician load, and services provided such as transportation. One clinic had 20 staff cut back to five, with patients pushed out to virtual visits–hardly appropriate for a high-needs, older, less technologically savvy patient population in value-based care, quality-measured models. Editor’s note: having had some experience in ACO and VBC World, Amazon may as well get out of ACOs because practices in these primary care models require specialized and dedicated management, reporting, and population nurturing. They don’t mainstream well. I have also read that ironically, Iora was profitable for One Medical, which is 1) why they bought it and 2) ran it separately.

In this Editor’s view, human costs are a factor shown to be absent from Amazon’s business calculations for success–which doesn’t quite square with the mission of healthcare for healthier patients and better outcomes.

Speaking of the reality of human cost, let’s spare a thought for those dealing with the effects of a cyberattack or data breach. They are the IT staff, pharmacists, software specialists, front line clinicians, billing specialists, doctors, therapists, business managers, coders…the list goes on. They share their feelings of frustration, helplessness, distress, aloneness, and financial fear on Reddit, Twitter/X and other forums. Few think of them taking the brunt of patient frustration, and of their own state of mind, day after day as Change/Optum’s disaster goes on and on. Writer Molly Gamble of Becker’s has the final and most sympathetically descriptive say in her brief but important article, When ransomware strikes, who to call? A full read is recommended.

Helplessness or loss of control, especially at a collective level, can be psychologically and emotionally taxing. Recognizing a threat but not knowing what to do about it can increase one’s stress, anxiety and fear. The lack of a known end point of a cyberattack like the one Change is experiencing can intensify psychological distress. Some independent therapists, for instance, have noted they have halted their insurance billing for a week due to the downtime and expressed fear about going longer without income.

These mental effects, while lesser-discussed, are exactly what cyberthreats intend to bring on. Cyberterrorists want to create mental and physical harm, and research has found that the psychological effects of cyber threats can rival those of traditional terrorism.

Breaking: Walgreens’ VillageMD shutting in Florida; Change Healthcare system websites cyberattacked (updated 23 Feb)

The New Reality Strikes Again. Walgreens is closing all VillageMD locations in Florida. In addition to the 14 already closed, an additional 38 will be shuttered on 15 March for a total of 52. These are all co-located and attached to Walgreens locations (left).

Florida was a major expansion market for co-located clinics (its third largest market, following Texas and Arizona) according to a report by investment analyst Jefferies. In October, Walgreens announced the closure of 60 Village Medical locations in ‘non-strategic locations’. In January, CEO Tim Wentworth confirmed that about half of those locations were already closed. Doing the math, the rest of those locations will be in Florida. Updated–see 29 February

Evidently, Walgreens’ US Healthcare unit views Florida as non-supportable enough to warrant a drastic move like this in a growing population market. Business Insider, which appears to have an inside track on this from the Jefferies report, “theorized” that many of these Village Medical locations were actually inside pharmacies–too small to attract patients and to recruit primary care doctors. If this is true, for a company that prides itself on retail know-how, as in the old real estate saw ‘location-location-location’, it has made a major and costly misstep.

Walgreens has sunk close to $9 billion into VillageMD: $5.2 billion for the majority stake and another $3.5 billion to aid with the Summit Health/CityMD buy. This does not include the earlier minority investment in VillageMD, so the total is likely well north of $10 billion. It all looked very different in 2020 when it was ‘go big or go home’. One wonders if VillageMD / Village Medical or its parts are on the selling block along with Shields Health if Walgreens has decided on a major strategic change. Healthcare Dive

And another Reality is Cyberattack. Revenue cycle management and leading patient payment processor Change Healthcare is the latest victim. It notified users that it was disconnecting systems within hours on Wednesday morning Eastern Time, after it noticed disruptions to some applications that grew into “enterprise-wide connectivity issues.” The disruption is continuing into today (Thursday 22 Feb). There are few public specifics other than the timing and confirmation of the attack as of now, but it appears to have reached down to the local pharmacy level, into providers of all sizes, and shut down nearly every Change Healthcare system. This Editor visited the main website, which appears altered (shrunken); attempts to go to connecting links go to blank screens. Optum is not disclosing further information and perhaps shouldn’t at this point. Change Healthcare is part of UnitedHealth Group’s Optum and processes 15 billion transactions a year filled with PHI and PII, which adds to the scariness factor. TechCrunch, Becker’s, HealthITSecurity. This is a developing story and will be updated

Update 22 Feb: HISTalk reports that athenahealth customers are also affected, as their electronic data interchange is supported by Change Healthcare technology.

UnitedHealth Group said in an SEC filing that a “suspected nation-state associated cybersecurity threat actor” gained access to Change Healthcare’s information technology systems. It “cannot estimate the duration or extent of the disruption at this time.” UnitedHealth has retained security experts and was working with law enforcement. As of Thursday evening, the disruption continues and affects pharmacies nationwide in an inability to process insurance claims for prescriptions. Healthcare services are also being disrupted, said an unnamed director at a regional hospital system in Pennsylvania. Reuters

Update 23 Feb: Further corroboration in Fox Business on the above and continuing effects on pharmacies. Tricare, which covers active and retired military, stated on its website in a news release that this is impacting all military pharmacies worldwide. “Military clinics and hospitals will provide outpatient prescriptions through a manual procedure” until the ongoing cyberattack against Change Healthcare “is resolved.”

In more unwelcome news that this cyberattack is ongoing, the American Hospital Association (AHA) is formally advising healthcare facilities to not only disconnect from Change/Optum, but also check their own IT for vulnerabilities. AHA notice. Also WSJ (not paywalled)

Legal roundup: Teladoc class-action suit dismissed; NextGen EHR $31M Federal settlement; significant AliveCor-Apple antitrust ‘spoliation’ update; class action suits filed against HCA, Johns Hopkins

The latest legal activity in digital health and cybersecurity:

Teladoc’s pending class action lawsuit by shareholders was tossed. This was originally filed in June 2022 following the crash of Teladoc’s shares after The Big Livongo Writeoff in May 2022. Shareholder Jeremy Schneider, represented at the time by Jeremy Alan Lieberman of Pomerantz LLP, filed a lawsuit in the US Federal Court for the Southern District, located in downtown Manhattan, representing shareholders who purchased Teladoc shares between 28 October 2021 and 27 April 2022. The lawsuit cited materially false statements that Teladoc made on its business, operations, competition, and prospects that were overly positive and inflated share value. Judge Denise Cote agreed with Teladoc’s 20 January motion to dismiss, based on specific disclosures that Teladoc made in multiple SEC filings in that period, from the 2020 10-K on, that countered claims made in the class action lawsuit.

Reading Judge Cote’s decision, Teladoc used specific limiting and warning language (what marketers call ‘downside’ language) on the risks around the merger. Their executives in public statements indicated that operations and competition were challenging. The class action suit failed to prove conclusively that the statements it identified were ‘materially misleading’ and would mislead a reasonable investor. Other statements made by executives were “largely non-actionable statements of opinion and/or expressions of corporate optimism”, a/k/a “puffery”. Class action suits of this type that go to Federal courts (versus state courts) rarely succeed due to the high bar of proof and the volume of case law at the Federal level.

This Editor noted that this particular class action included neither Mr. Schneider nor Pomerantz LLP. Different plaintiffs were represented by Labaton Sucharow LLP and The Schall Law Firm. Teladoc reportedly had no comment. Judge Cote’s opinion (Casetext), Mobihealthnews, Healthcare Dive

Easier to settle for $31 million than fight the Feds. Charged with violating the False Claims Act (FCA) and providing illegal incentives for referrals (the Anti-Kickback Statute that applies to Federally funded healthcare), NextGen Healthcare decided to settle with the Department of Justice (DOJ) for a whopping $31 million. The settlement does not admit wrongdoing by NextGen, which in its defense told Healthcare Dive that the claims made were over a decade old–and they were. At the time, its EHR used auxiliary software that was designed only to pass the certification test scripts, thereby meeting the 2014 Edition certification criteria published by HHS’s Office of the National Coordinator (ONC). In this Ur-time of EHRs, fixes like this weren’t (ahem) unusual. Compounding it was that the EHR then lacked certain additional required functionalities, including the ability to record vital sign data, translate data into required medical vocabularies, and create complete clinical summaries. Making NextGen’s decision the proverbial ‘no-brainer’ was that the controversial US Supreme Court ruling in June held that under the FCA, defendants are now liable for claims they suspect or knowingly believe are false, versus the previous objective standard. The Anti-Kickback Statute violation was blatant. NextGen was giving credits often worth as much as $10,000 to current healthcare customers whose recommendation of NextGen’s EHR software led to a new sale, along with incentives such as tickets to sports and entertainment events. Anti-Kickback is one of those ‘biggies’ that the average healthcare employee is trained on within their first 60 days. DOJ release

The AliveCor-Apple Federal antitrust case had a small but important split decision regarding ‘spoliation’ in the discovery process that could impact the case’s outcome–and future litigation. This June US District Court for the Northern District of California order went against AliveCor in part of what it sought–that Apple’s deleted emails to and from Apple’s then Director of Health Strategy should be considered adverse by a jury. But Apple was then found at fault for deleting them despite their relevance to the case, with a ‘duty to preserve’ that started on 25 May 2021 with the antitrust litigation. In general, emails such as these to and from relevant people are subject to a litigation hold.

  • The director departed Apple only one week prior, 14 May 2021. His emails were auto-deleted at some point in accordance with company policy. In the discovery process, through other documents, AliveCor determined over a year later that the director was, indeed, relevant to the case.
  • The order states that Apple should have preserved his emails from the start as he was an individual with potentially relevant information. From the order, “[the director] worked on strategic health initiatives, and the record shows that he regularly corresponded about the Apple Watch and AliveCor with individuals Apple did identify as relevant.” “Apple did not take reasonable steps to preserve electronically stored information that should have been preserved in the anticipation or conduct of litigation…” While it may have been “irresponsible and careless”, it wasn’t purposeful, which would then have been considered for sanctions, but there is considerable strong language in the order that Apple’s counsel didn’t disclose the loss of this information even while under oath in a deposition.
  • In the ‘adverse’ consideration, AliveCor did not gain what it wanted, which was an assumption that the lost emails were prejudicial–that they contained relevant material to AliveCor and Apple’s strategy of eliminating competition. “To the extent they existed, additional emails relevant to these topics may have been useful to enhance AliveCor’s case, but AliveCor has not shown that the absence of these emails will prevent it from proving its antitrust claims.”

AliveCor provided this Editor with a statement on the order:

“The Northern District of California judge’s description of Apple’s actions as ‘irresponsible and careless, and perhaps even grossly negligent’ in their handling of emails belonging to its former Director of Health Strategy that supported our pending antitrust case speaks to Apple’s usual playbook of shamelessly using legal tactics to steamroll innovative companies like AliveCor. Even though the judge stopped short of granting our motion to instruct the jury that they should assume the deleted emails were negative for Apple’s case, we are confident in the outcomes of our antitrust case and grateful for the outpouring of support we have received as we continue to hold Apple accountable.”

Editor’s note: she thanks an AliveCor representative for sharing this information along with the redacted court order. Apple is free to contact this Editor with its own statement.

Recent AliveCor versus Apple coverage on patents: ITC presidential review, ITC vs. PTAB, PTAB decision

Last but certainly not least, a class action lawsuit against HCA. To no one’s surprise, it was filed last week (12 July) in the US District Court for the Middle District of Tennessee, as HCA is headquartered in Nashville. The plaintiffs are Gary Silvers and Richard Marous, two HCA patients living in Florida; the suit was filed by two law firms, Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert. The suit claims that HCA failed in its duty of confidentiality to protect sensitive information–personally identifiable information (PII) and protected health information (PHI)–that was contained in the hacked records. While HCA has stated that the records did not include the most sensitive clinical information, as the data was used for email communications, the volume of 27 million rows of data that was apparently unencrypted potentially affects 11 million individuals [TTA 12 July]. The suit charges HCA with failure to safeguard ‘Private Information’ using reasonable security procedures, as would reasonably be expected in light of current regulations (HIPAA, FTC) and the well-known susceptibility of healthcare organizations to cyberattacks. It seeks monetary damages plus injunctive and declaratory relief. This lawsuit is likely the first of many. Healthcare Dive, Healthcare IT News, HIPAA Journal

These lawsuits based on hacking and cybersecurity responsibility are becoming routine. On 7 and 10 July, Johns Hopkins was sued twice. This was for a May data breach exploiting a vulnerability in the MOVEit file transfer software, carried out by a Russian ransomware group called CLOP. This may have compromised, according to the first suit, tens to hundreds of thousands of records, including sensitive PHI. Both suits allege negligence, breach of fiduciary duty, breach of confidence, invasion of privacy, breach of implied contract, and unjust enrichment. They seek monetary damages and injunctive relief. Both were filed in US District Court for the District of Maryland. Becker’s, Healthcare Dive, HIPAA Journal

News roundup: Proteus may be no-teous, DOJ leads on Google-Fitbit, HHS’ mud fight, Leeds leading in health tech, malware miseries, comings and goings

Proteus stumbles hard, cuts back. The original ‘tattle-tale pill’ company, Proteus Digital Health, plans to lay off 292 people in the San Francisco Bay Area and to permanently close its three Redwood City and Hayward locations, starting 18 January, according to notices sent to California state and local offices, including the state employment development department. It is unclear where Proteus will be located after the closures.

This followed Proteus’ failure to launch a twelfth funding round of $100 million. According to reports, it furloughed most of its employees for two weeks in November and is reorganizing. This is after a substantial number of investors have put in about $487M in funding through a Series H (Crunchbase), including a game-changing investment by Novartis dating back to 2010. Proteus achieved unicorn status about three years ago, but its high-priced pill tracking technology, with a pill sensor tracked by a skin-worn monitor reporting into a smartphone, has a market inherently limited to expensive medication. Otsuka Pharmaceutical in 2017 partnered with Proteus for an FDA-cleared digital medicine system called Abilify MyCite that basically put an off-patent behavioral drug back into a more expensive tracking methodology. But Proteus remains a great idea on tracking compliance in search of a real market, and may not have much of a future. San Jose Mercury News, CNBC

But ingestible detectable pills are still being tested. On Monday, as Proteus’ bad news broke, eTectRx announced its FDA clearance of the ID-Cap System and its testing at Brigham and Women’s Hospital and Fenway Health, focusing on HIV medication when used for treatment and prevention. Release, HISTalk

Department of Justice taking the lead on scrutinizing Google’s Fitbit acquisition. The Federal Trade Commission also sought jurisdiction over the transaction. According to the New York Post, “both agencies are concerned that a Google-owned Fitbit would give the search giant an even bigger window into people’s private data, including sensitive health information, sources said. Under the Hart-Scott-Rodino Act, all large mergers must file proposals with both the DOJ and the FTC, but only one antitrust agency reviews the merger.”

Coal from stockings being thrown about at HHS. According to POLITICO and the New York Times, the disagreements between Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), and the Cabinet-level Secretary of Health and Human Services (HHS), Alex Azar, have boiled over, enough to have to be settled by the President’s acting chief of staff, Mick Mulvaney. According to the Times, both President Trump and VP Mike Pence have told them to find a way to work together. Both are administration appointees, but President Trump has not been reluctant to cut a mis-performing or overly contrary appointee loose. The latest salvo from those obviously not on Ms. Verma’s side was the revelation that she requested compensation for jewelry stolen on a business trip, contrary to government policy of course. She was compensated for other items which is standard. (Isn’t that what homeowners’ insurance is for? And what sensible person actually travels with valuable jewelry?) Under Ms. Verma, CMS has been quite progressive in developing new business models in Medicare fee-for-service, moving providers to two-sided risk, and innovating in both Medicare and Medicaid. It will either be settled, or one or both will be gone. Pass the popcorn.

Leeds picks up another health tech company. Mindwave Ventures is opening an office there, as well as appointing Dr Victoria Betton and Dr Janak Gunatilleke to the roles of chief innovation officer and chief operating officer. Mindwave develops technologies around digital products and services in healthcare and health research. Leeds reportedly is home to over 250 health tech companies and holds an annual Leeds Digital Festival in the spring [TTA 11 April].

Ransomware attack hits Hackensack Meridian. Systems were down for about a week. While this large New Jersey health system hasn’t admitted it, sources told the Asbury Park Press that it was ransomware. And if it’s not ransomware, it’s Emotet and TrickBot. Read ZDNet and be very apprehensive for 2020, indeed, as apparently healthcare is just one big target.

Comings and Goings: There may be some end of year bombshells, but after last week’s big news about John Halamka, it’s been fairly quiet. Paul Walker, whom this Editor knew at New York eHealth Collaborative, has joined CommonWell Health Alliance as executive director. Mr. Walker was most recently Philips Interoperability Solutions’ vice president of strategy and business development. CommonWell’s goal is improving healthcare interoperability and its services are used by more than 15,000 care provider sites nationwide. Blog release, Healthcare Innovation ….Dr. Jacqueline Shreibati, the chief medical officer for AliveCor, is joining Google Health in the health research area. Mum’s the word when it comes to Fitbit (see above). CNBC ….Peter Knight has pleaded guilty to falsifying educational credentials to gain his position as chief information and digital officer at Oxford University Hospitals NHS Foundation Trust. He held that position from August 2016 until September 2018. BBC News

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and to those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they are barely able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California, cites the lack of interoperability and of access to one’s personal health data as a major barrier both to patients and to the large companies that want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic were up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar has moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the exposure involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spearphishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive — and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Yet another NHS cyber-vulnerability: fax machines

Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but their protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one.

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax as illustrated above left. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health.

The cybersecurity black hole–and bad flashback–that is the Internet of Things

One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?’)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default login credentials, if they have credentials at all. IoT devices are also allegedly findable on a snoop site called Shodan. The reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets.

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet-connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare… best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare

UCLA Health data breach may affect 4.5 million patients

Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was breached by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

“Who do I call?” when the cyberalarm goes off

A top read for the weekend is this short article by Gillian Tett in the FT on the lack of coordination in the US, not only in protecting systems from cyberattack but also between the public and private sectors, both in protection and when something does go wrong. As Henry Kissinger famously said about Europe when various crises loomed, ‘who do I call?’

Indicators of a gathering storm are everywhere:

* Wednesday’s hours-long, still unexplained outages at the NYSE and United Airlines. (The Wall Street Journal website going down for a bit was the topping on the jitters.)

* A joint report from Cambridge University and Lloyds insurance group, also released Wednesday, estimated that a hack shutting down the US electrical grid would create $1 trillion in damage. (more…)