23andMe data breach may have targeted those of Jewish and Chinese heritage; company valuation crashes (updated)

23andMe’s hole gets deeper. And deeper. As more dots are connected on their data breach–and financial situation.

Part 1: The data breach that exposed 6.9 million records at genetic testing and data company 23andMe isn’t only being fought in the courts over who is to blame (customers reusing passwords already exposed in other sites’ breaches versus a login endpoint that allowed automated credential attacks). It appears the hackers specifically targeted people of Chinese or Ashkenazi Jewish heritage. Worse, 23andMe is not addressing that. The evidence was there as early as October.

  • 1 October: an unknown person posts on the 23andMe subreddit claiming to hold customer records, with a sample of the stolen data. Supposedly this is how 23andMe found out that its user data had been stolen. (Editor’s note–that a tech-oriented company first learned of its own breach from a Reddit post beggars credibility.)
  • 6 October: 23andMe’s blog post announces the initial 14,000 compromised accounts. That figure later grew to 6.9 million records once the data reachable from those accounts was counted: profiles shared with partner MyHeritage, Family Tree data, and the profiles of users who had opted into 23andMe’s DNA Relatives feature.
  • 6 October: Wired reveals that earlier that week a hacker had posted on BreachForums a data sample of what they claimed were 1 million records exclusively on people of Ashkenazi Jewish heritage, plus hundreds of thousands of records on people of Chinese heritage. By Wednesday, the hacker was selling what were claimed to be 23andMe profiles with display name, sex, birth year, and details of genetic ancestry results, but not raw genetic data. Pricing was $1 to $10 per account depending on the number purchased.
  • By December, 23andMe was squarely blaming users for reusing passwords (credential stuffing), even those who said they had created a unique password, and dismissing their right to demand legal accountability from 23andMe for its lax security procedures. [TTA 6 Dec 23, 19 Jan]

None of the contacts that 23andMe has made with users since October, including the letter sent to breached users (via TechCrunch) refers to any specific ethnic group targeting. 

World events made this targeting and timing very important. The brutal attack by Hamas in the south of Israel came the very next day after the breach was disclosed, 7 October. It killed 1,200 civilians, with over 200 taken hostage. Israel declared war on Hamas in Gaza, which still goes on, as do the demonstrations against Israel and overt anti-semitism. Given the targeting evident in this breach, with the individuals’ information offered for sale, on 11 January Representative Josh Gottheimer (CD-5, NJ) sent a letter to the director of the FBI asking for an investigation of the hack, specifically because the information could be purchased on sites used by hackers to sell this type of data–and used to target Jews globally.

Third-party data included in the hack? There is also the possibility that DNA information from third parties such as Sequencing entered 23andMe’s database. In Illinois and other states, this type of sharing is illegal without specific consent. This information could also have been stolen without the knowledge of the individual. This has sparked additional class action lawsuits. The Times of Israel

Part 2: 23andMe is in poor shape financially. Like all too many companies that went public in 2021, 23andMe is a cracked SPAC that debuted in February 2021 above $16, with a company valuation of $6 billion, and now trades on Nasdaq at $0.73, a small fraction of that value. Revenue is shrinking and the company is torching through the $1.4 billion it raised both in the market and through private investment. The WSJ’s estimate in a far-reaching article is that it is 80% gone. Founder Anne Wojcicki’s stock has supervoting privileges, which means she effectively controls the company, not the shareholders.

Both Ancestry (remember them?) and 23andMe had ups and downs from 2015, but the hype, especially after the Theranos implosion that year, was stunning. Genetics became The Next Big Thing That Would Save Health Tech. The large flaw–the market for genetic testing for ancestry and/or health is ‘one and done’, which TTA predicted back in 2020 and earlier. Wojcicki guessed early on that a revenue model lay in selling de-identified genetic information to pharma. But their five-year exclusive deal with GSK ended last year and led to an 11% layoff [TTA 10 Aug 23]. Subscriptions for lifestyle counseling starting at $200 and exceeding $1,100 never took off. Growing their $400 million Lemonaid buy from fall 2021 into a more robust and integrated telehealth platform never happened. Her long-term bet was moving into drug discovery using all that DNA data, but only two drugs of 50 have reached early-stage human trials.

Whether 23andMe will climb out of this crater, both financial and data security, as they did several times in early days, is to be seen. But Wojcicki’s personal brand apparently remains in great shape, unlike their data security. Also Futurism

*Updated 2 Feb for additional references, content, and copy editing

Got a data breach? Blame the victims like 23andMe did!

23andMe wished its breached customers Happy New Year by putting the blame…on them!

The hacking that started with 14,000 accounts and grew to expose the records and personally identifiable information (PII) of 6.9 million users, about half their customer database, has spawned over 30 class action lawsuits in the US, plus lawsuits in Ontario and British Columbia, Canada. 23andMe, in their responses to law firms and on their blog, told lawyers and users–not unexpectedly–that the data breaches were due to 23andMe users reusing login credentials, such as passwords, that had been exposed in breaches of other websites, and failing to change them on 23andMe after those incidents.

However, as this Editor noted when this first broke in December, credential stuffing doesn’t account for the ethnic targeting, nor for the hacking of users who said they had unique credentials, including US National Security Agency (NSA) cybersecurity director Rob Joyce, who creates a unique email for each of his accounts (!). It also doesn’t by itself explain how 14,000 credential-stuffed accounts grew to 6.9 million exposed records. The answer lies in what those accounts could reach: the profiles of other users who had opted into 23andMe’s DNA Relatives feature, Family Tree data, and data shared with partner MyHeritage, all of which could be harvested through a relatively small number of compromised logins.
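The two stages described above, a credential-stuffing run against the login endpoint followed by a handful of compromised accounts harvesting far more DNA Relatives profiles than any normal user, are exactly the kind of pattern an operations team can detect from its own logs. The following is an added example written for this page, not 23andMe’s code or logs; the log format, the sample lines, and the thresholds are all assumptions. It distinguishes credential stuffing (many accounts from one source, each tried once or twice, mostly failing) from classic brute force (one account, many failures), then flags accounts whose relative-profile fetches are far above the median and links them back to the stuffing source.

```python
"""Detection heuristics for credential stuffing and relative-profile scraping.

Added example, not 23andMe's code. The log format below is an assumption:
  <timestamp> <event> <source-ip> <account> <result>
where result is OK/FAIL for 'login' events and, for 'relatives' events, the
number of DNA Relatives profiles fetched in that request.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data). 203.0.113.7 stuffs eight accounts and
# lands two; 192.0.2.9 hammers one account; the rest is normal activity.
SAMPLE_LOG = """\
2023-09-28T02:00:01 login 203.0.113.7 alice@example.com FAIL
2023-09-28T02:00:02 login 203.0.113.7 bob@example.com FAIL
2023-09-28T02:00:03 login 203.0.113.7 carol@example.com OK
2023-09-28T02:00:04 login 203.0.113.7 dave@example.com FAIL
2023-09-28T02:00:05 login 203.0.113.7 erin@example.com FAIL
2023-09-28T02:00:06 login 203.0.113.7 frank@example.com OK
2023-09-28T02:00:07 login 203.0.113.7 grace@example.com FAIL
2023-09-28T02:00:08 login 203.0.113.7 heidi@example.com FAIL
2023-09-28T02:05:00 login 198.51.100.5 alice@example.com FAIL
2023-09-28T02:05:09 login 198.51.100.5 alice@example.com OK
2023-09-28T02:07:00 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:07:01 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:07:02 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:07:03 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:07:04 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:07:05 login 192.0.2.9 bob@example.com FAIL
2023-09-28T02:10:00 relatives 198.51.100.5 alice@example.com 25
2023-09-28T02:11:00 relatives 203.0.113.7 carol@example.com 1500
2023-09-28T02:12:00 relatives 203.0.113.7 frank@example.com 1300
2023-09-28T02:13:00 relatives 198.51.100.8 ivan@example.com 30
2023-09-28T02:14:00 relatives 198.51.100.9 judy@example.com 18
"""


def parse(log_text):
    """Split each log line into (timestamp, event, ip, account, result)."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def find_credential_stuffing(events, min_accounts=5, max_tries_per_account=2.0,
                             min_fail_ratio=0.5):
    """Source IPs that try many distinct accounts, each only once or twice, with
    most attempts failing. Returns {ip: summary} including the accounts that
    succeeded ('hits'), i.e. the reused passwords the attacker got right."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "hits": []})
    for _, event, ip, account, result in events:
        if event != "login":
            continue
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].append(account)
    flagged = {}
    for ip, s in per_ip.items():
        n_acc = len(s["accounts"])
        if n_acc < min_accounts:
            continue
        if s["attempts"] / n_acc > max_tries_per_account:
            continue  # repeated tries on few accounts: brute force, not stuffing
        if s["failures"] / s["attempts"] < min_fail_ratio:
            continue
        flagged[ip] = {"accounts": n_acc, "attempts": s["attempts"],
                       "failures": s["failures"], "hits": sorted(s["hits"])}
    return flagged


def find_brute_force(events, min_failures=5):
    """(ip, account) pairs with many failed logins against a single account."""
    failures = defaultdict(int)
    for _, event, ip, account, result in events:
        if event == "login" and result == "FAIL":
            failures[(ip, account)] += 1
    return {k: v for k, v in failures.items() if v >= min_failures}


def find_relative_scrapers(events, hard_limit=500, multiplier=10):
    """Accounts whose total DNA Relatives fetches exceed the smaller of a hard
    limit and multiplier x the median account: the second stage of the incident,
    a few compromised logins harvesting opted-in relatives' profiles."""
    totals = defaultdict(int)
    for _, event, _, account, result in events:
        if event == "relatives":
            totals[account] += int(result)
    if not totals:
        return {}
    threshold = min(hard_limit, multiplier * median(totals.values()))
    return {a: n for a, n in totals.items() if n > threshold}


def linked_harvest(events):
    """Accounts that were both landed by a stuffing source and then scraped."""
    hits = {a for s in find_credential_stuffing(events).values() for a in s["hits"]}
    return hits & set(find_relative_scrapers(events))


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("stuffing sources:", find_credential_stuffing(ev))
    print("brute force:", find_brute_force(ev))
    print("scrapers:", find_relative_scrapers(ev))
    print("stuffed then scraped:", linked_harvest(ev))
```

On the sample, 203.0.113.7 is flagged as a stuffing source with two hits (carol and frank), 192.0.2.9 is flagged only as brute force against bob, and carol and frank are the accounts that then pulled 1,500 and 1,300 relative profiles against a median of 30. The point of the per-account fetch threshold is the one 23andMe’s blame-the-user response skips: even with every password reused, the blast radius from 14,000 logins to 6.9 million profiles is a server-side rate-limiting failure, and it is visible in the relatives log long before the data turns up on a forum.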

Nor does it excuse how 23andMe squarely blamed users: that they were negligent in whatever passwords they used, that two-factor authentication had been available since 2019 (but optional), and that the information taken didn’t include highly sensitive information such as Social Security number, driver’s license number, or financial information. Therefore any lawsuits were futile, per a letter from 23andMe’s counsel Greenberg Traurig to one of the class action firms, Tycko & Zavareei LLP. Afterwards, 23andMe reset all passwords and instituted mandatory multi-factor authentication, closing the barn door after the horse, cow, and goat got out and made it to the next county.

Playing into this is the weakness of US law around what constitutes ‘reasonable security procedures’ for securing personal information–and that is from the wording of the California Privacy Rights Act (CPRA), which may be the US’ toughest privacy law. On one hand, users have responsibility for a decent, unique password every time–but on the other hand, 23andMe bears responsibility for securing its shared data and not letting a breach get wildly out of hand like this one did. And what if next time it’s the actual DNA information?

The insult to injury: In December, 23andMe changed their terms of service to essentially indemnify themselves. Under the new terms, users had exactly 30 days to opt out; otherwise they give up the right to participate in a class action lawsuit and must instead submit to private arbitration in the event of a dispute.

Not owning up to some fault is not the way to build customer confidence. Especially with a company in a faltering sector now trading around $0.70 per share. TechCrunch, ArsTechnica

Another turkey: potential 9M patients affected by medical transcription vendor data breach

Vendors are hot, hot, hot…with hackers. In another notable vendor data incident, Perry Johnson & Associates (PJ&A), a Henderson, Nevada-based provider of transcription services for hospitals and physician practices, reported a data security incident to the US Health & Human Services (HHS) Office for Civil Rights (OCR) on 3 November. The intruder was in the network and copying files from 27 March to 2 May, when the activity was detected. 8.95 million individuals were affected, including over 4 million in NYC and Syracuse at Northwell Health, the largest health provider in New York State, and Crouse Health. Northwell hasn’t had much luck with transcription providers, having been affected earlier this year by the breach at Nuance Communications, itself hit through one of its vendors–the mass theft of data from Progress Software’s MOVEit Transfer file-transfer software, traced back to the CLOP ransomware group [TTA 3 Aug].

Personal health information stolen for all included name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. While the records didn’t contain financial information, some patients may have had breaches of their Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

PJ&A notified affected providers on 29 September and affected patients on 31 October. In addition to the 4 million+ in New York, 1.2 million individuals were served by Cook County Health in Illinois. The rest have not been identified. TechCrunch, News4NY, PJ&A notice 

Weekend news roundup: GE Healthcare spins off, adds CTO; Allscripts now Veradigm; NHS Brainomix AI stroke trial success; Withings home urine scanner; Careficient buys Net Health EMR; CommonSpirit’s class action suit on data breach

GE Healthcare now trading on its own. On Wednesday (4 Jan), GEHC virtually rang Nasdaq’s traditional opening bell on its first day of trading. The bell ringing was unique as the first company in Wisconsin to do so, from their plant in Waukesha. GE retained approximately 19.9% of the outstanding shares of GE HealthCare common stock with the remaining 80.1% distributed to current GE shareholders. Today it closed at $58.95 and remains headquartered in Chicago. (It moved from Amersham UK back in 2016.) Management is now independent, with Peter Arduini as CEO and, added yesterday, a new chief technology officer, Taha Kass-Hout MD, MS, from Amazon’s health AI area, to lead the company’s new science and technology organization across their four areas: Imaging, Ultrasound, Patient Care Solutions, and Pharmaceutical Diagnostics. Release, Yahoo Finance. Also Mobihealthnews

Remember back in 2019 when problematic EHR Practice Fusion was renamed Veradigm? Allscripts has now renamed the entire company as Veradigm, after expanding it to analytics and research. After two years of reorganizing and downsizing (plus paying off Practice Fusion fines), selling off their hospital/large practice EHRs to Constellation Software/N. Harris Group for $700 million last May, the slimmed-down Veradigm Network encompasses electronic health records, practice management systems, and patient communication platforms. Interestingly, a search first leads you to a main corporate website under Allscripts and doesn’t forward automatically to Veradigm, making this a softer-than-usual name change. Now Veradigm can pick up a few companies on the market, as they announced last year. Release    Hat tip to HISTalk

NHS using Brainomix AI to diagnose stroke faster, tripled near-full recoveries to 48%.  The key finding: patients diagnosed using AI made near full recoveries increased from 16 to 48%. The trial of e-Stroke Suite took place in 22 hospital trusts in England across 111,000 suspected stroke patients. The AI in the e-Stroke Suite cut average diagnosis to treatment time by an hour from 140 to 79 minutes. The AI technology was developed by UK company Brainomix. Daily Mail, Oxford Academic Health Science Network case study (Note: Oxford AHSN, Brainomix, and Royal Berkshire NHS Foundation Trust (RBH) are partners in the National Consortium of Intelligent Medical Imaging (NCIMI).)

Withings is debuting the U-Scan, an in-home urinalysis device, at CES. The 90 mm device sits in the toilet bowl and uses cartridges to analyze urine components, sending results to the Withings Health Mate app. Cartridges for Europe so far are Cycle Sync for menstrual period tracking and ovulation windows, and Nutri Balance for hydration and nutrition. Nutri Balance analyzes specific gravity, pH, vitamin C, and ketone levels. The U-Scan will debut in Europe at the end of Q2, with the U-Scan starter kit priced at €499.95.  Both await FDA clearance. Withings U-Scan page, Mobihealthnews

Careficient buys Net Health’s home health/hospice EMR. Careficient already is present in the home health, hospice and home care cloud EMR market. Net Health is selling its home health, hospice, home care and palliative solutions EMR, marketed under HealthWyse and Hospicesoft, as well as its revenue cycle management (RCM) division, to concentrate on wound care and rehabilitation therapy. This expands Careficient’s client base by 750 locations in 39 states. Transaction cost was not disclosed. Release

Add to the cost of hacking multiple class action lawsuits. CommonSpirit Health, based in Chicago and the second largest health system in the US covering 21 states under CHI and Dignity Health names, not only has to remedy a massive 600,000 patient data breach discovered last October [TTA 3 Dec], but also fight a class action lawsuit filed 29 December by a patient in the US District Court for the Northern District of Illinois. Financial, health insurance, and medical information were all breached. The suit requests damages exceeding $5 million and injunctive relief, including stronger data protection practices. It will be the first of many as a quick search indicates multiple law firms seeking claimants. FierceHealthcare, WGNRadio

Weekend review: FDA clears Apple Watch ‘AFib History’, OS9 adds health features; Amwell’s new CMO; 2M records breached at New England provider, largest this year

Apple Watch adding first-ever ‘AFib History’ in watchOS 9 software release. Announced 6 June, Apple received their FDA 510(k) clearance for this new feature which adds on to the existing ECG app and irregular rhythm notification. The History feature includes an estimate of how frequently a user’s heart rhythm shows signs of atrial fibrillation, including additional weekly notifications to understand and track this on a printable PDF. According to their release, users can view a detailed history in the Health app, including lifestyle factors that may influence AFib, like sleep, alcohol consumption, and exercise, which can be downloaded and printed.

Other health-related features on the watchOS9 release include:

  • Medications app for managing medications, vitamins, and supplements, including a medications list, schedules and reminders, and directly view medication information in the Health app
  • Sleep Insights, an add-on to the existing sleep tracking that informs users of sleep stages. Using signals from the accelerometer and heart rate sensor, it will detect and track when users are in REM, core, or deep sleep.

Apple release 6 June, FierceHealthcare

Amwell names new chief medical officer. Carrie Nelson will be working with payer and provider organizations in care delivery from Amwell’s new platform, Converge. In addition, she will be heading up the Amwell Medical Group, their clinical partner. Dr. Nelson was formerly Advocate Aurora Health’s senior vice president and CMO for Population Health and Health Outcomes, where she was also chief clinical officer for Advocate Physician Partners, their value-based care physician group. Amwell is transitioning practices from its prior platforms and needs to maintain their presence with both groups as many are finding alternative telehealth systems. Amwell release, Healthcare Dive

And what week wouldn’t be complete without a massive healthcare data breach? The leading event so far this year took place over two weeks in March at 60 healthcare facilities affiliated with Massachusetts-based Shields Health Care Group. While it was only 7 to 21 March and discovered 28 March, apparently the quaintly-titled ‘unknown actor’ was able to compromise data. The investigation by Shields and Federal and state regulators is ongoing as to what data was accessed and taken; to date, there is no evidence to indicate that any information from this incident was used to commit identity theft or fraud. The difference in breaches between now and the past is how rapidly it’s discovered.  Shields Health notice, Healthcare Dive

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and to those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. One only has to look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they barely are able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California cites the lack of interoperability and being able to access their personal health data as a major barrier to both patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both side of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an unauthorized user on the systems of a billing vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the exposure involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spear-phishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive–and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackers hit another Blue Cross, put 10.5 million members at risk (Breaking)

BREAKING NEWS This time the data breach is at Excellus Blue Cross Blue Shield, which covers upstate New York (Rochester-Syracuse area). It was discovered by Excellus on 5 August but dated back to 23 Dec 13, and reportedly has compromised members’ names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical information. According to the AP/NBC, it also breached other divisions of Excellus and the corporate parent, Lifetime Healthcare: Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare. The source of the hack has not yet been determined.

Excellus joins fellow BCBS members Anthem [TTA 11 Feb], soon to be merging with Cigna, with 80 million; Premera Blue Cross [TTA 24 Mar] with 11 million; and CareFirst with a comparatively small 1.1 million [TTA 2 June]. The pattern has been such that the national Blue Cross Blue Shield Association (BCBSA) announced in July that it will offer all 106 million of its members identity protection starting next January. (Note for our mathematicians: Anthem has millions of non-BCBS members.) Chinese hackers are suspected in the Anthem breach.

FierceHealthPayer broke the story, in this Editor’s estimation, to the healthcare trade area. Rochester Democrat & Chronicle. Excellus message to policyholders. The NBC/AP report also has a video interview with Eugene Kaspersky of the eponymous anti-virus software (and whose Kaspersky Lab was also a hacking victim earlier this year)

Updated via the Rochester Democrat & Chronicle:  FireEye is becoming the ‘go-to’ security company for health organization breaches–Excellus hired them in the wake of the Anthem breach and they discovered the vulnerability facilitating the breach.

Australian military health data went straight to China: report

The Australian Defence Department confirmed to the Sydney Morning Herald that protected health data of hundreds of Defence Forces personnel went to (guess where!) China. However, as breaches go, this was an easy hack–it was sent by a health contractor, Luxottica Retail Australia, which contracts with manufacturer Tristar Optical in Dongguan, Guangdong province. Those affected included soldiers posted overseas to Afghanistan and special forces commandos who went on to be deployed to Iraq. Luxottica has since lost its contract with principal contractor Medibank Health Solutions. Both Medibank and Defence have had a lot of ‘splainin’ to do with the Government. According to the SMH, “the revelations raised particular concern within the Defence establishment because of China’s extensive involvement in state-sponsored hacking and cyber-espionage, with Beijing showing a particular interest in accessing personal records of government workers in the US.” A ‘twin-spin’ of Data Insecurity: healthcare and military! Hat tip to Malcolm Fisk of Coventry University via LinkedIn updates.

Healthcare vulnerability in a concatenation of data breaches

Concatenation is one of those lovely English words that express far more than its simpler synonyms: sequence, series or chain of events. Perhaps we have experienced that concatenation of data breaches which connect and demonstrate a critical mass that motivate healthcare organizations, including insurers, to ensure that data security and privacy gets primacy in HIT. Our Readers know we’ve been on the case since 2010; we’ve been noting Ponemon Institute and ID Experts studies since then.

While simple, straightforward theft can be the cause of smaller breaches and not part of a Big Hack, it’s not as Three Stooges or Benny Hill-esque as perhaps the JAMA study earlier this year made it out to be, especially if it’s your personal record, or your patient’s, which is breached, identity and financials damaged. (See this Security Intelligence article on a minor health breach and how it affected an individual who happens to be in IBM’s security arm.)

Just in the past few weeks, in the US we have experienced the following major and minor breaches:

  • CareFirst BlueCross BlueShield in Maryland–an insurer, not a hospital or practice–had a Big Hack of 1.1 million health records, with names, birth dates, email addresses and insurance identification numbers (but not Social Security or credit card numbers) revealed.
  • Beacon Health Systems (Indiana) had a phishing attack into employee email boxes dating back to 2013. This was a Medium Hack that affected about 220,000 patients. Data taken included Social Security and driver’s license numbers. Health Data Management today.
  • Advantage Dental in Redmond, Washington had a 152,000 patient hack during three days in February.
  • Also in February, a New York City Health and Hospitals Corporation employee transferred patient files to her personal and new work email. 90,000 patients may have compromised data as a result. Becker’s

More breaches are listed today in iHealthBeat and the ever-growing list on Privacy Rights Clearinghouse.

Ponemon Institute’s 2015 Cost of a Data Breach Study: Global Analysis, with IBM, was published last week.

News highlights for Friday

Anthem didn’t encrypt, Blueprint Health collects, HealthSpot funds again, Sense4Baby goes to Europe, Apple Health pilots in hospitals and buddi gets bigger still.

Another hack attack claimed major US health insurer Anthem, the former WellPoint. It’s estimated that 80 million of its customers, former customers and employees had data breached: names, addresses, dates of birth, emails, employment information, income, medical IDs and Social Security numbers. The Wall Street Journal reports that Anthem didn’t encrypt the data, for analytics reasons. It’s unconfirmed where the hackers originated, but Bloomberg’s latest report tags the usual Chinese state-sponsored suspects. Unusually, it was reported within days of discovery; Anthem has called in Mandiant (FireEye) to beef up its cybersecurity. Other reports: WSJ, Modern Healthcare….The Blueprint Health accelerator has a new initiative, the Collective. It is designed to pair up major healthcare providers and payers with startups and early stage companies. So far signed up are Aetna, AstraZeneca, HP, Montefiore, North Shore LIJ, New York-Presbyterian, Samsung, EmblemHealth, Philips and Razorfish Healthware. More information here….The HealthSpot Station telehealth/telemedicine kiosk is readying a $11.6 million funding round from four investors soon, based on (more…)

Staying up at night with telemedicine (and telehealth)

Our readers have many things which keep them up at night, including that extra taco, but René Quashie of leading healthcare/life sciences law firm Epstein Becker Green adds a few more to the list. While muddling telemedicine (remote consults) with telehealth (vital signs tracking and monitoring), he outlines the legal pitfalls (and consequences) that both are facing: non-compliance with state prescribing and licensure laws (physical examination requirements); lack of highly developed protocols and guidelines (liability exposure); lack of greater coverage and reimbursement by payers (low credibility=low/no pay); HIPAA compliance in privacy and security (lack of protection against unauthorized data access). However, how many of these have already been accommodated by state regulators, or have started to modify to follow regulations? Awake yet? This is only Part 1. Things That Should Keep the Telehealth Community Awake at Night (Part 1) (TechHealth Perspectives/EBG blog) Hat tip to reader Ellen Fink-Samnick of Ellen’s Ethical Lens.

VA networks breached from overseas; 20 million records affected (US)

Department of Veterans Affairs IT systems have been breached since 2010 by eight ‘nation-state-sponsored organizations’, affecting records of 20 million veterans, according to recent testimony in hearings held earlier this month by the House Veterans Affairs Oversight and Investigations Subcommittee. While the typical ‘hack’ is a theft or an inside job for financial gain, these likely have a far more sinister nature. According to former VA Chief Information Security Officer Jerry Davis (now at NASA), the attacks from these countries continue, and according to Subcommittee Chairman Rep. Coffman, the countries may include China and Russia. Testimony and evidence also revealed that those responsible for informing Secretary Shinseki may have understated the problem. The VA has certainly been taking its lumps with a Magic 8 Ball of late, with a derailed joint EHR project with the Department of Defense and wrangling on who’s leading integration [TTA 3 April; iHealthBeat]. VA Systems Hacked From Abroad; Was VA Secretary Misled About Breaches? (HealthcareInfoSecurity)

Healthcare data breaches show 25% fraud risk: study

For healthcare institutions, that data breach can really cost. Javelin Strategy & Research has been tracking the cost of data breaches, including healthcare, for the past ten years. Using its data across all the industries it tracks (data here), the risk that a breach victim suffers identity fraud as of 2012 is up to 1 in 4, from 1 in 9 in 2010. In commenting on the big breach last year at the Utah Department of Health (780,000 records, TTA 22 Dec), a Javelin spokesperson made some news by estimating the additional fraud cost at $406 million–and that is in addition to the estimated $9 million that the state has spent on security audits, upgrades and credit monitoring for victims. Hackers seem to be more targeted than ever, but often even simple precautions are not taken–in Utah, the factory default password on the server was never changed. A cautionary note–no, symphony–to developers and to HIT departments. Healthcare IT News, Salt Lake Tribune, Javelin release

Could iris scans be a solution? Biometrics makers, such as Safran, Fujitsu, AOptix Technologies and M2Sys Technology, are finding new customers in hospitals and large providers. HCA Holdings, the largest US for-profit hospital chain, is testing Eye Controls’ system at their private clinics in London. Medical ID theft is also a problem in the UK, with ‘shame-based theft’ (to conceal an illness) and private billing the given reasons. Iris scanning units cost about $200-300–a moderate cost. According to the World Privacy Forum, iris scanning will rule out hacking, but not ‘inside jobs’–progress of a sort. But an open question is how this integrates into current EHRs. Iris Scans Seen Shrinking $7 Billion Medical Data Breach (Bloomberg)  Editor’s note: The Gimlet Eye is…envious.