News roundup: 4.3M HealthEquity member data breach, CrowdStrike health fallout, more Congress pounding of VA/Oracle; Flo app now unicorn (UK), fundings for Clarapath, CoachCare; AvaSure buying Ouva

Health savings account (HSA/FSA) provider HealthEquity had a three-month breach that compromised 4.3 million member accounts. The breach originated with an undisclosed third-party vendor, in a pattern that has become familiar. According to HealthEquity’s filing with the Maine attorney general (though HQ’d in Utah), the breach occurred in that vendor’s “unstructured data repository” at HealthEquity, outside of their core systems, after the hacker stole the password out of a vendor user account. Unfortunately for HealthEquity, the hack that started in March wasn’t discovered until 26 June, giving the hacker free rein in that database for three months. What’s surprising is that the breach wasn’t worse.

HealthEquity is a third-party administrator for companies of FSA/HRA, Commuter, COBRA, and Lifestyle plans.

The Maine AG filing states that information stolen may include customer names, addresses, phone numbers, their Social Security number, information about the person’s employer, benefit type, diagnoses, prescription details, the person’s dependent (if any), and some payment card information. With HealthEquity claiming 15 million+ members, the breach affects a substantial 29% of its membership. Actions they are taking are to notify members and provide them with credit monitoring services through Equifax with a reference guide. HealthEquity notification page, TechCrunch, HealthcareITNews

CrowdStrike’s antivirus software update that went waaaay sideways continues its fallout. As most know, it happened when they pushed an update and patch to Falcon, a cloud-based anti-cyber attack product that uses AI to detect intrusions. Well, Falcon’s AI wings were fractured on that 19 July push where testing was apparently lacking. BSOD became their new thing. What made the news was the devastating effect on 8.5 million Windows devices, only about 1%–on Delta Air Lines’ aircraft scheduling and the shutdown of many systems such as 911 and police within cities and states, but apparently a curtain was drawn around the healthcare bed. EHRs were affected at major systems such as Kaiser Permanente, Providence, Henry Ford Health, Nationwide Children’s Hospital, the Dana-Farber Cancer Institute, Mass General Brigham, RWJBarnabas Health, Penn Medicine, and Seattle Children’s Hospital, causing postponements of medical procedures. At Providence, it totaled 15,000 of the organization’s servers, as well as about 40,000 of its 150,000 computers. It was the equivalent of a cyberattack without being a cyberattack. According to industry analyst Parametrix, US Fortune 500 companies (excluding Microsoft) lost a total of $5.4 billion. MedCityNews

With this kind of devastation, it’s no surprise that these companies and the government are rethinking their approach to cloud computing. They’re very concerned about the oligopoly of three providers: Google, Microsoft, and Amazon. Microsoft has 40% of the cybersecurity market with CrowdStrike 15% concentrated in larger organizations.“We’re reaching the point where over-centralization makes us less ‘healable,’ and less resilient,” Robert Thomas, owner of cybersecurity company 180A Consulting said. “We’re losing our resiliency as a nation.”  Systems are still not back up and neither is the CrowdStrike stock. Rumors do persist that they were hacked. Epoch Times   Microsoft also published a recovery tool for IT administrators to expedite the repair process. FierceHealthcare

The House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing on 22 July had some further flak-gathering from committee members. Most of the criticism concentrated on the joint MHS/VA rollout at Lovell Federal Health Care Center and the amount of work it required to get the Oracle Cerner EHR to work mostly right. While VA and Oracle leaders insist that Lovell went better than anyone expected, the resources used at Lovell cannot be duplicated at the remaining VA facilities. VA is already facing a $15 billion shortfall for FY 2024 and 2025. The Lovell center had a persistent problem in processing prescriptions, with 60% going unfilled. In member Sheila Cherfilus-McCormick (D-Fla.) words, “I think we are far from ready to endorse further go-live activities. The two departments threw more resources at this go-live than will ever be available at any future VA facility.” Healthcare Dive  Earlier coverage TTA 24 July

The UK women’s health app Flo is now a unicorn. Their Series C of $200m (£156m), funded solely (and unusually) by General Atlantic, put them at a valuation of over $1 billion. Their total funding is $275 million. Two General Atlantic executives will be joining Flo’s board, Tanzeen Syed, managing director, and Jessie Cai, principal. Flo helps users track ovulation and menstrual periods, enabling calendaring of fertility, and monitoring of over 70 symptoms. It also assists with pregnancy health guidance. The raise will be used to expand into new user segments including perimenopause and menopause. Its current base is 70 million monthly active users (MAUs) and close to 5 million paid subscribers. Flo is marketed in 66 countries, including the US, India, Indonesia, and Nigeria, with centers in Lithuania and the Netherlands.  Release, UK Tech News

Funding/M&A wrap:

Clarapath, a medical robotics developer based in White Plains, NY, scored $36 million in a Series B-1 funding round from Northwell Ventures with participation from new investors Ochsner Ventures, CU Healthcare Innovation Fund, and Mayo Clinic. Clarapath automates pathology lab work. Its SectionStar platform sections biopsy tissue with improved accuracy. It is pre-revenue with a total of $75 million in funding. Axios, Mobihealthnews

CoachCare, a remote patient monitoring/virtual health monitoring developer for practices and health systems, added $48 million in an unlettered venture round funding led by Integrity Growth Partners with participation from Topmark Funding. The platform combines software and connected devices with outreach for RPM, chronic care management, and other virtual care for about 150,000 patients. Funding to date is $49 million. It has acquired four companies in the past year: NVOLVE, CareSpan Health, Alertive (formerly part of Carbon Health), and WebCareHealth. Release, Mobihealthnews

Another virtual care company, AvaSure, is acquiring Ouva’s smart hospital room solutions. Ouva has been partnering with AvaSure to supply AI-enhanced care automation technology. The acquisition will expand the ambient AI capabilities of AvaSure’s Intelligent Virtual Care Platform and double in-house AI engineering resources. AvaSure’s primary market is hospitals. Ouva will continue as a separate company with its pediatric and wayfinding business. Cost is not disclosed. Release, HIStalk 7/31

News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA) said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach which started in late February. Knowing the extent of the breach is needed to start notifications. It has not formally notified HHS of the breach long past the 60-day mandated window (see #3 in the HHS FAQs). This may create an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page that has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take was that threats are more common than ever, bad actors are abundant and getting better (using tools that can make amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code.”), managing weaknesses in third-party vendors that live in the cloud is a Herculean task, phishing, and the need for ‘government’ to be involved. 

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite their struggles with Minute Clinics and Oak Street.  Despite the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100 total plus that CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy cycle revenue and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding for a total of $26 million. Crunchbase, Mobihealthnews

News roundup: Bright Health now NeueHealth; breached patient records double, RCM as vector for hacking; Amazon’s CCM marketplace; JPM reflects the new reality; fundings for Vita Health, Turquoise, CardioSignal

Bright Health Group switches off, takes on NeueHealth name. Now that Bright Health has sold its remaining operating health plans to Molina Healthcare [TTA 3 Jan] with others closed down or insolvent like Texas [TTA 12 Dec 23], they have smartly pivoted to the name of their remaining value-based primary care operation, NeueHealth. (Inexpensive, too) Accordingly, on 29 January, their NYSE listing will convert from BHG to NEUE. The stock value closed today at $13.25, well down from its 52-week high of $79.04. NeueHealth’s operations are divided into NeueCare, which is comprised of their owned clinics and partnerships with affiliated providers, and NeueSolutions, which is a management services entity that organizes independent providers and physician groups into performance-based ACA Marketplace, Medicare, and Medicaid-based ACOs models, including the advanced performance ACO REACH program which covered 60,000 beneficiaries in 2023. Unsurprisingly, the company HQ is moving from chilly Minneapolis to much warmer Doral, Florida, nearer to three of their major clinic networks and 150,000 of its claimed 275-295,000 ‘health consumers’ forecast for 2023. 2023 revenue forecasts for NeueCare are $250-275 million and NeueSolutions $890 million. They have also stated that the corporate move will not affect jobs remaining in Minneapolis, which may be few.

As to the bills coming due for CMS liabilities and debt owed to New Enterprise Associates now that JP Morgan has been paid…not a word. We continue to hand it to Bright, now NeueHealth, for the Best Gordian Knots in Healthcare. Release, Healthcare Dive

Patient records exposed in data breaches doubled in 2023 versus 2022. According to an analysis by cybersecurity firm Fortified Health Security of HHS’ Office of Civil Rights (OCR), which tracks data breaches, in 2023 there were 116 million patient records exposed, topping the over 100 million of 2015, with over 655 breaches, a decrease from 2022’s peak of 721. Of that 116 million, over 112 million were from three health plan breaches: Anthem, Premera Blue Cross, and Excellus, Ten-year total? A stunning 489 million. What also increased over those 10 years by 143% were breaches stemming from business associates–vendors providing services to the covered entity. The just-published Horizon Report (free, available for download here) also reveals that the average recovery cost for a breach is $9.48 million. And health plans and systems are cutting IT staff?  Healthcare Dive

One way that hackers are finding their way into healthcare organizations is via ‘social engineering’, but not always of employees. They’re targeting business associates at revenue cycle management (RCM) companies serving health systems and hospitals. The American Hospital Association is warning members that hackers are cannily evolving their tactics to defeat security procedures such as multi-factor authentication and they have to anticipate hacker tactics. From Becker’s, hackers “steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions. They then request to reset their passwords and enroll new devices, getting full access to the employees’ accounts and diverting payments to fraudulent bank accounts.” These are based in the US and then diverted overseas. The AHA recommends at minimum a call back to the employee on these new device enrollments, a call to the person’s supervisor, or as in the case of one health system, a physical appearance at the help desk. AHA article

Amazon enters the chronic care management field through a tried-and-true (for them) vector–e-commerce. Search for a health device like a glucose monitor, a blood pressure cuff, or pulse oximetry, and receive a ‘direction’ to a management service that they may be eligible for at no or low cost through their employer or private health insurance. The kickoff partner with Amazon is chronic care management company Omada Health in the diabetes prevention, diabetes, and hypertension categories. Omada claims 20 million eligible members across 1,900 enterprises. This mode may get better traction with Amazon shoppers than directly providing them with health services such as Amazon Pharmacy, One Medical (primary care), and Amazon Clinic (asynchronous telemedicine). Omada didn’t disclose the revenue model. Omada release, Healthcare Dive

Wrapping up the JP Morgan healthcare conference, the New Reality permeated it, even if some didn’t want to admit it. As this Editor projected back in December, the board is being cleared of the also-rans and never-should-have-beens. You see a general cleansing of the cant and hype infecting a sector, which is initially unnerving. We are cycling through this stage fairly rapidly to emerge…where, we don’t quite know yet. Unlike some other publications, MedCityNews can never be mistaken for an industry cheerleader (even if you have to read between the lines). Their extensive coverage confirmed this emerging view of 2024.

  • Katie Adams didn’t make it to SF for her article on nine JPM takeaways, but she sussed out that life sciences isn’t ready for AI, GLP-1 drugs won’t solve obesity, transactional telehealth for urgent and behavioral care is over, founders are trying to figure out fundraising timelines, and retail clinics are suddenly Not All That. And more.
  • Arundhati Parmar profiled a companyone of all too many–that cycled from high to low–Butterfly Health. They started in 2011 to develop the first point-of-care handheld ultrasonic probe using a semiconductor chip that connected to a smartphone, became a unicorn by 2018, went public via a SPAC in 2021 at over $19, cracked hard, and now trades around $1. Their new CEO used the JPM platform to explain that their 2023 revenue slide wasn’t so bad because they were working their way through the longer-than-they-ever-imagined adoption curve by cutting $200 million in costs out of the company and building up their cash reserve. They may survive, or not, given that competition has names like GE Healthcare, Philips, and Siemens. But their ideas around selling the technology of the semiconductor chip to healthcare companies outside of ultrasound and opening their POCUS to developers (like Apple) are clever. It sounds like a company that could fit into a PE portfolio, if only some wallets and checkbooks opened.

And another marker of the New Reality: Scripps Health in San Francisco, hit hard by a cyberattack in 2021, announced at JPM that they hired Todd Walbridge, recently retired from the FBI as their supervising agent in their San Diego cybersecurity hub, as senior director for corporate and system safety and security. He had worked with Scripps on their cyberattack during his diverse career with the FBI. Mr. Walbridge is not only in charge of cyber, but also of physical security as workplace violence and assaults on staff have soared. FierceHealthcare

And we’ll wind up with some fundings, modest ‘green shoots’ in winter:

  • Vita Health, based in Connecticut, secured $22.5 million from seven investors for their suicide prevention and therapeutic telehealth platform. An 2022 seed raise totaled $8.38 million. Release, Mobihealthnews
  • Turquoise Health, based in San Diego, gained a $30 million Series B investment from four investors for expansion of its healthcare pricing platform used by 160 healthcare organizations. 2021-22 seed and Series A raises totaled $25 million. Price transparency is a 2024 hot button issue from government to enterprises to payers. Release, FierceHealthcare  
  • CardioSignal raised another $10 million in a Series A from three investors, bringing total funding to $23 million. Based in Finland and Palo Alto, CardioSignal uses a smartphone’s accelerometer and gyroscope sensors to analyze precordial micro-vibrations caused by cardiac motion. The initial analysis is completed in one minute and after a transfer to their cloud site for additional analysis, is returned in about one minute. Release, Mobihealthnews

Short takes: ransomware op BlackCat busted by FBI, websites shut–for now; health systems lay off IT staffers; retailers collecting way too much PII including health

FBI busts BlackCat/ALPHV ransomware. In an Eliot Ness-like move, the Federal Bureau of Investigation (FBI) got busy and delivered a nice present to healthcare organizations for Christmas. According to two 19 December articles in Bleeping Computer (article 2), the FBI seized operational darknet websites for the ALPHV ransomware operation (article 1) and created a decryptor to help approximately 500 companies recover their data for free, negating $68 million in ransom demands. The details are a little thin, but Bleeping reconstructed in article 2 what they could out of the search warrant. The FBI arranged with a confidential human source (CHS) to become a backend affiliate, meaning the CHS could log in and use ALPHV’s affiliate panel to manage extortion and ransom campaigns. It sounds like a rather nifty platform with lots of management and negotiation tools if you’re extorting a victim company. How the FBI got the decryption keys is another matter they are mum on, as not available through the affiliate panel, but “they obtained 946 private and public key pairs associated with the ransomware operation’s Tor negotiation sites, data leak sites, and management panel”. 

US law enforcement was assisted by their counterparts in Europol, plus law enforcement in Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, and Austria. This is the third breach of the same gang; as Bleeping Computer put it, they’ll “rebrand under a new name as they have done in the past” in a few months.

But maybe faster than that. Some added details from Healthcare IT News sourced from KrebsonSecurity:  BlackCat briefly unseized its darknet site, wiped out the FBI screen above (courtesy Bleeping Computer), and put in a ‘we’re unseized’ notice (in the Krebs article) that they were still open for business at a different location, offering affiliates a 90% payout, and that for affiliates, you could ransomware anything, anywhere (hospitals and nuclear plants cited!) except those located in Russia and the CIS. 

Given ransomware, hacking, cybersecurity threats, and maintaining/upgrading operations, you’d think hospitals would be hiring, not firing, IT workers. But noooooo. Becker’s listed seven health systems that are either pinkslipping IT staff or transferring them to outsourced companies. They are Kaiser–115 nationwide; Novant Health–unknown due to ‘changing up their IT system’; Tower Health (Reading PA)–outsourced staff to a vendor; Mass General Brigham–staff reduction via voluntary buyouts in effect 22 November; Bon Secours Mercy Health–layoffs plus eliminating open roles; Care New England–outsourced staff to health IT provider Kyndryl; Franciscan Health–moved 61 to a vendor. Pennywise, pound foolish.

Here’s more than money you’ve left behind with your online holiday shopping–data, and lots of it. This study from Incogni Research is unnerving, as it goes far beyond what you think you’ve shared–you buy nasal spray in the winter, allergy eyedrops in the spring, etc.– to what retailers are actually collecting on you. This Editor will cite only the companies in healthcare–CVS, Walgreens, Amazon, and Walmart–according to their study:

  • All four collect PII data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
  • Walmart, CVS, and Walgreens additionally collect Social Security numbers, union membership status, and sex-life data.
  • Their apps collect 15 to 20 data points, such as exact location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, device or other IDs

Users can opt out of some of these, but most do not. And some go to third parties. And all had been breached at one time or another, whether at the retailer or at the vendor level. Prepare to be shocked and dismayed. Release on DR Journal

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated that “We immediately contained the threat, secured our network, and have returned to normal operations,” the spokesperson said. “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.”  NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More according to SC Media in these reports: 

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one to five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. One is a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media

Who’s buying, selling, funding wrapup: athenahealth IPO deux?, NextGen EHR buys reseller TSI for $68M, Cloudwave buys Sensato; fundings for Lumen, UpStream, Aide Health

athenahealth may go public a second time. This was teased by CEO Bob Segert in the Boston Globe (paywalled) earlier this week. He claimed in the article that since the company went private in 2019, they have added nearly 2,000 clients each year of the past three and that revenues are in the billions. Healthcare IT News recaps some of their moves from going from public to private and downsizing to today. Their other news is that they have instituted a clinical advisory board of 30 members (!) to provide feedback and guidance on clinical features and direction to athenahealth’s product team. One hopes that the sharper members advise a change in the first letter of their name from the oh-so-twee lowercase to an uppercase ‘A’. 

NextGen Healthcare, an EHR/EMR and revenue cycle management software provider for medical/dental practices, is acquiring reseller partner TSI Healthcare. The agreement is for $68 million in cash upfront, with a contingent consideration of up to $22 million in cash if TSI meets certain goals by March 2025. TSI has been a NextGen reseller for 16 years. The acquisition will enable NextGen to expand in key specialties including rheumatology, pulmonology, and cardiology. No mention is made of management or staff transition, nor of SEC review as NextGen is a publicly traded company on Nasdaq. Hat tip to HISTalk 2 Dec. Release, BusinessJournals Triangle

Massachusetts-based Cloudwave is acquiring Sensato Cybersecurity to increase cybersecurity capabilities. Cloudwave provides cloud services hosting with cybersecurity capabilities exclusively to healthcare organizations. Sensato adds cybersecurity-as-a-service (CaaS) to manage security needs, determine where security gaps are, and threat intelligence. Transaction price and details were not disclosed, but Sensato’s founder John Gomez will join CloudWave as chief security and engineering officer. Healthcare IT News  Cybersecurity continues to be top-of-mind for healthcare organizations. The latest Big Data Breach at CommonSpirit Health system hospitals got even worse, with the third-party breach of an undisclosed number of patient records at their Franciscan Health hospitals in September and October. This followed the ransomware attack on other CommonSpirit system hospitals’ EHRs in October. Healthcare IT News

As we near the end of the year, funding is wrapping up with a flurry in some surprising areas such as optimizing metabolism and care coordination for chronic conditions, reducing burden on primary care practices/GPs. One is for an early-stage company in the UK for the latter.

  • Lumen’s $62 million Series B was led by Pitango Venture Capital with Hanwha Group and Resolute Ventures.   Lumen measures metabolism via a handheld, breathalyzer-like device equipped with a CO2 sensor that analyzes whether the body is burning fats or carbs for fuel which can promote weight loss, energy for fitness, and sleep. With that data, the app delivers to users personalized meal plans and nutrition along with when to eat. The new funding will be used to expand these nutrition and lifestyle coaching services. The device is sold direct to consumers, with the app services sold on a SaaS basis: three yearly plans with a range of services from $249 to (on sale) $349.  Mobihealthnews, MedCityNews
  • Another Series B raise of $140 million went to UpStream, for total funding of $185 million. UpStream is in the decidedly unsexy area of care coordination, workflow, and financial platform technology for groups of advanced primary care practices enrolled in value-based full-risk care models, most of which are centered around Medicare and Medicare Advantage. They also deploy pharmacist-led care teams into primary care practices. Their platform and services are free to the practice, with a risk-sharing agreement that pays UpStream through savings (upside risk) but also holds them accountable if savings are below the benchmark (downside risk). Practices are paid on quality during the performance year versus having to wait for CMS to pay in Q3-4 of the following year. This is an MSO (management services organization) ‘in a box’ versus organizing ACOs that is mainly technology-based, a new wrinkle for this Editor who used to be in marketing this area. MedCityNews, Mobihealthnews
  • Aide Health is a clinician-to-patient platform for better management of chronic conditions now bolstered with £1 million in pre-seed funding. Founded by Ian Wharton, CEO, and Brian Snyder, COO, the platform measures physical, mental, and social wellbeing markers for more proactive care. Aide is piloting with the NHS for asthma or Type 2 diabetes with a cohort aged 18 to 75.  Funding was led by Hambro Perks through its EIS fund, with participation from Fuel Ventures, 1818 Ventures, and APX. BusinessCloud (UK)

Weekend short takes: May telehealth claims up to 5.4%; three health plan breaches, one at its law firm–affecting over 400,000 patients; layoffs hit Calm, Truepill (updated)

FAIR Health’s telehealth claims took two bumps up in both April and May. In April, telehealth medical claims moved slightly upward to 4.9% from March’s 4.6%, but May increased 10% to 5.4%, a percentage not seen since May 2021. Mental health conditions still make up the vast bulk of claims at 62.8%, but 3.6% of telehealth claims involve COVID-19 diagnoses, with 3.2% of claims for respiratory diseases and infections. This is attributed to a regional increase in the Southern and Western states of the latest variants of COVID-19. FAIR Health monthly tracker main page

Priority Health, a Michigan-based nonprofit health plan company, was breached through its law firm Warner Norcross & Judd (WNJ). The October 2021 breach at WNJ wasn’t reported to Priority Health until 6 June. The unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012. 120,000 members were affected. What the information was doing at the plan’s law firm was not disclosed. Priority Health is Michigan’s second-largest plan with over one million members.

In other breaches, Texas-based Behavioral Health Group (BHG), had a data incident that affected 197,507 individuals. The unauthorized party had potentially removed certain files and folders from portions of its network on 5 December 2021.  The files include names, Social Security numbers, driver’s license numbers, financial account information, biometrics, medication information, medical record numbers, dates of service, passports, payment card information, and health insurance information. However, the information accessed doesn’t appear to have been misused.

First Choice Community Healthcare in Albuquerque, New Mexico, also had a data security incident that involved 101,541 patients. The PHI in the 27 March breach included names, Social Security numbers, patient ID numbers, medications, dates of service, diagnosis and treatment information, birth dates, health insurance information, medical record numbers, patient account numbers, and provider information. Again, there appears to be no misuse to date. HealthITSecurity

More health tech companies lay off staff.

  • Calm, one of those incessantly advertised (in US) meditation apps, is discharging 20% (90) staffers, at least 12 in marketing, according to a report in the Wall Street Journal (may be paywalled). From this Editor’s LinkedIn post in response to early reports:
    • Calm was strategically ‘off’ in spending. They overspent on direct to consumer–expensive TV spots on major networks and sponsorships, paid social and search. If you wanted Calm’s full features, you paid for them. Expensive meditation apps are merely a “nice to have” and there are a bunch of free ones available. 
    • There’s also too much app overlap and mistargeting out there. Calm was trying to sell the app to businesses as a benefit (ROTFL) but was hedging its bets with buying Ripple, which designs apps for care coordination and condition management (another crowded area).
    • Another sign–new sole CEO named this summer. Now sole CEO David Ko came from Ripple and the two Calm founders moved over to co-chair roles.
    • This is a company that raised well north of $200 million to become a $2 billion unicorn as early as 2019, another sign of too much cash, too soon, and VCs/equity investors following the fad. ‘Mindfulness’ became a fad as early as 2018.
  • Truepill is up to its third layoff–33% or 175 staff, including all UK staff plus much of the product and data teams.  Their cutbacks relate to multiple failures, the first in betting on ADHD controlled substances, the second in blowing through vast amounts of funding but unable to obtain more (a Series D of $142 million but unable to float a Series E). Truepill’s ADHD med bet fell apart with its relationship with Cerebral, now under Federal investigation [TTA 16 June]. As early as May, Truepill, Cerebral’s primary mail order provider, had stopped filling their prescriptions for Schedule 2 medications [TTA 1 June]. This follows on a June layoff of 15% or 150 people. Truepill had also expanded into telehealth and diagnostics, two areas which will only be lightly supported going forward. TechCrunch

Mid-week news roundup (updated 18 Aug): CVS eyeing Signify Health for in-home/VBC; Babylon Health mixed pic of revenue and losses up; Geisinger doubles telemed specialties; connected IoT devices expand cyber-insecurity (more); Owlet layoffs

CVS has dropped another sandal as to their quest to add primary care and home health to their portfolio [TTA 5 Aug]. Reports indicates that CVS Health is bidding to acquire Signify Health, which is up for sale. Signify is best known as a major provider of in-home health care in both evaluations and community-based services, with users such as health plans, health systems, community groups, non-profits, and government. In March, they added provider value-based care with Caravan Health, a mid-sized Accountable Care Organization (ACO) management service organization (MSO), for $250 million.  This would give CVS both leverage in in-home care and access to value-based care models in health systems and practices, adding a network of jumbo (100,000 lives+) ACOs to Aetna’s 500 ACOs.

Signify did take a bit of a bath with its acquisition/merger of Remedy Partners in 2019 which marked their entry into the Federal shared savings programs around Episodes of Care. While it created a $600 million company. Remedy’s Episodes of Care in the CMS Bundled Payments for Care Improvement (BPCI) program was always problematic for Signify on multiple levels (Editor’s experience). Signify announced its exit from the successor BPCI-A (Advanced) model last month to concentrate on home care and the Caravan business. The wind-down, which will take some time as these are Federal programs through CMS, will save Signify about $115-120 million in costs, compared to their annual direct and shared costs of $145 million. Restructuring costs such as severance may be only $35 million. After IPO-ing in February 2021 at $24 per share, it has only recently climbed to $23, having recently hit a 52-week low of $10.70. FierceHealthcare, HealthcareFinanceNews

Updated Perhaps in preparation for acquisition, Signify Health is shedding 489 people starting 1 October, including 45 in Connecticut, with the remainder in Texas, South Dakota, and New York. The information comes from required notices to the Connecticut Department of Labor. The majority of employees affected are remote workers. It appears to be related to Signify’s winding up of BPCI and Episodes of Care activity which are likely on calendar year contracts. The legacy company, Remedy Partners, had been headquartered in Connecticut with staff in New York. Moving forward with layoffs now makes the company more attractive for sale, as the separation expenses will not be an acquiring company liability. The 1 October start date is also a tell.  CT Insider, Becker’s

A mixed picture for Babylon Health. Its Q2 results were up substantially in revenue–4.6x year-over-year from $57.5 million to $265.4 million–along with key indicators such as US members up 220% and a 7.5% improvement in medical margins over three quarters. The US has been very very good to Babylon with value-based care membership growing 3.2x year-on-year to a total of approximately 269,000 US VBC members with 40% of its VBC revenue from Medicare contracts. However, losses are up along with growth–$157.1 million compared to $64.9 million loss PY. Babylon at end of July announced worldwide layoffs of at least 100 people of its current 2,500 in their bid to save $100 million in Q3. Babylon release, Mobihealthnews

Geisinger Health was one of the pioneers in telehealth and remote patient monitoring, from ur-days in the early 2010s to today. Much of its patient base in Pennsylvania is rural or semi-rural, living well away from care centers, with a clinician base equally scattered. They went with a single system–Teladoc–integrated into Epic. By the early days of the pandemic, Geisinger was able to expand their telehealth coverage from 20 to more than 70 specialties, 200 providers to more than 2,000 providers, and over two years (2020-2022) completing over 784,000 telehealth visits to homes, local clinics, or local hospitals. Case study in HealthcareITNews

If you’re a health system CIO managing lots of connected devices, you may need to go to a psychiatrist with your feelings of insecurity. That’s the gist of a new report, the Insecurity of Connected Devices in Healthcare 2022. A new-to-this-Editor cybersecurity firm, Cynerio, partnered with researchers at the Ponemon Institute to survey 517 executives at US health systems to find that their Internet of Medical Things (IoMT)/Internet of Things (IoT) vulnerabilities haven’t changed much since this Editor banged the gong about them well before the pandemic:

  • Cyberattacks–frequent: 56% of respondents experienced 1+ cyberattacks in the past 24 months involving IoMT/IoT devices; 58% averaged 9+ cyberattacks. Adverse impacts on patient care were reported by 45% and 53% of those resulted in increased mortality rates. 24% of hospitals noted an impact on their mortality rates.
  • Data breaches are routine: 43% of hospitals had one in the past two years
  • Risks may be high, but the reaction is sluggish: 71% rated security risks as high or very high, but only 21% report a mature stage of proactive security actions. 46% performed accepted procedures such as scanning for devices, but only 33% keep inventory.
  • Ka-ching! Goes the ransomware! When attacked, 47% paid the ransom, and 32% were in the $250-500,000 range.

The full report is available for download here. Those who prefer a webinar must wait till 17 August at 2pm (EDT)–registration hereCynerio release, HealthcareITNews

Updated. Having sat in on the webinar, some further information points from the Ponemon survey deepen the ‘gravity of the risk’:

  • IoT is different because a hack or cyberransoming prevents the device from working. It isn’t fixed by backup as data can be.
  • Health systems are still using IoT computer systems running Windows XT/95–and earlier (!)
  • The average total cost of the largest data breaches is $13 million–the most common cost is in the $1-5 million range. 
  • 88% of these data breaches involved at least one IoT/MT device
  • Risks are known, but action is lagging. 72% of health organizations report a high level of urgency in securing devices–yet 67% of organizations do not keep an inventory of IoT/IoMT devices that they scan
  • 79% don’t consider their activities to be ‘mature’
  • Security investment doesn’t reflect the gravity of the risk–only 3.4% of IT budgets focus on IoT/MT device security.

And in sad layoff news, Owlet Baby Care is shedding an unknown number of employees. Here is the notice on LinkedIn. We noted their FDA problems and a fast pivot last in February, but their going public via a SPAC has been rocky at best with shares lingering at $2 from the IPO at $8. Marketing a pricey baby monitor direct to consumer is expensive, even if it meets a need, and this is likely a cash crunch. At least the ‘leader of people & culture’ is giving them a proper sendoff of thanks–and more usefully, providing their contact information for potential job openings with other companies.

[This is in contrast to the gone-viral spectacle of the CEO of something called HyperSocial posting on LinkedIn his angst about laying off staff–along with a selfie of him weeping. Not exactly confidence-making and All About Him. This Editor’s comment is one of 6,000-odd posts which are largely doubtful to negative.]

Week-end news roundup: Fold Health launches OS ‘stack’; admin task automator Olive cuts 450 workers; 38% of UK data breaches from cyber, internal attacks; hacking 80% of US healthcare breaches; does AI threaten cybersecurity?

Startup Fold Health launched this week. It’s developed a suite of modular tools that are interoperable with existing EHRs or platforms to enable them to work better, together. Fold’s main claim is to “move primary care beyond the constraints of a 15-minute visit and provide a revolutionary consumer first experience through micro, automated workflows and campaigns of care.” There is an athenahealth connection, in that the founders were from Praxify, a virtual assistant/patient engagement app bought by athenahealth for $65 million in 2017. It has a $6 million seed investment from athenahealth. FierceHealthcare

On the other side of the funding mountain,  Olive, an AI-enabled data cruncher that automates routine administrative healthcare processes such as revenue cycle management, has pink-slipped 450 employees, about one-third of its staff. In a letter to employees excerpted in Axios, Olive cites ‘missteps’ and ‘lack of focus’. It follows hiring freezes, major staff departures, and overpromising/underdelivering, including not using AI or machine learning for automating tasks, featured in an April Axios investigation. Olive has gone through over $850 million in nine rounds of funding (the last July 2021, Series H–Crunchbase). FierceHealthcare

Cyber attacks with internal breaches account for 38% of UK organizations’ (of all types) data losses in 2022. This is based on the Data Health Check survey of 400 IT decision makers compiled by Data Barracks, a cloud-based business continuity organization. The second and third reasons for data loss are human error and hardware failure. Of those surveyed, over half have experienced a cyber attack, most commonly caused by ransomware. 44% paid the ransom, 34% didn’t and used backups. Their recommendations include frequent backups and keeping track of how many data versions–both will minimize downtime and data loss. Release, full report

By contrast, returning to the US and healthcare, malicious hacking activity accounts for nearly 80% of all breaches. Fortified Health Security’s mid-year report on the state of healthcare cybersecurity, reviewing HHS Office for Civil Rights (OCR) data,  noted that in first half 2022:

  • Healthcare data breaches primarily originated at providers– 72%. The remainder were at business associates at 16% and health plans at 12%.
  • The number of records affected was 138% higher than the first half of 2020 at over 19 million records
  • Breaches were concentrated in relatively few organizations: Seven entities experienced breaches of more than 490,000 records each, in total 6.2 million records or 31% to date.  
  • OCR’s data breach portal recorded 337 healthcare data breaches that each impacted more than 500 individuals, a small decline from 2021’s 368
  • Hacking incidents rose to 80% from 72% in 2021. Unauthorized access/disclosure incidents totaled 15%; loss, theft, or improper disposal accounted for only 5 percent of breaches.
  • AI and ML-enabled security offerings can bolster cyber infrastructure. Organizations should also look at how IT staff shortages impact their planning and security.    HealthITSecurity

Can AI (and machine learning-ML) lessen breaches–or open the door to worse problems, such as algorithmic bias, plus data privacy and security concerns? Vast quantities of data pumped through AI or ML algorithms are harder to secure. If the algorithms are built incorrectly–such as eliminating or underrepresenting certain populations–what comes out will be skewed and possibly misleading. In the Healthcare Strategies podcast, Linda Malek of healthcare law firm Moses & Singer, who chairs their healthcare, privacy, and cybersecurity practice group, discusses the problems. She suggests some best practices around transparency, security, privacy, and accuracy when developing an AI algorithm, including collecting as much data as possible, and as diverse as possible, for accuracy. Additionally, the design should incorporate privacy and security from the start. HealthcareExecIntelligence

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners‘ buy from IBM of Watson Health closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” through health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy from CEO of eSolutions, a former Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex, and Merge Imaging 
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader, now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up

Telemental health Cerebral’s miseries pile on. The Federal Trade Commission (FTC) is now investigating Cerebral on deceptive advertising and marketing practices. The Wall Street Journal (may be paywalled) reviewed the 1 June letter sent to the company. The letter requests the usual preservation of documents and asks ‘dozens of questions’ related to their business. Of particular interest to the FTC is the ‘negative option’ practice that continues the subscription fee unless the subscriber takes positive action to cancel it. Subscribers have complained that Cerebral did not cancel their subscriptions after repeated attempts to do so and did not refund their money. Reuters, FierceHealthcare

Also of interest to the FTC will be the dodgy advertising claims about ADHD and obesity which ran on TikTok and Instagram [TTA 10 May]. The WSJ reported that their ad spend topped $65 million for this year–$13 million on TikTok alone from January to May this year, making Cerebral the third-largest advertiser behind HBO and Amazon, according to research firm Pathmatics.

The FTC action follows the Department of Justice (DOJ) investigation of their prescribing of controlled (Schedule 2, high potential for abuse) substances such as Adderall and Xanax, CVS and Walmart refusing their prescriptions, the unceremonious booting of the CEO and co-founder, and a wrongful dismissal lawsuit by a former VP of product and engineering, Matthew Truebe. Certainly, its investors led by SoftBank, which raised $300 million in December less than six months after a raise of $127 million, are unhappy at watching their $4.8 billion baby crash and burn.

The second “rerun” Theranos trial of Sunny Balwani rests. This much-muted trial is winding towards its close. Receiving much less breathless and near-sensational coverage than Elizabeth Holmes’, Theranos president Balwani was tried in the same San Jose Federal district court, with the same prosecutor (Robert Leach), just about the same charges (12 counts of wire fraud), and Judge Davila presiding. Holmes was convicted and her sentencing is scheduled for September.

The prosecution rested on 20 May and the defense on 9 June. The trial took some delays due to at least two jurors falling ill from Covid. The defense strategy rested on Holmes’ founding and operating the company without Balwani for a few years and that he never sold his shares, making him as victimized as any ordinary investor. The prosecution is relying on how close Holmes and Balwani were, that he had great power at Theranos–and used it, plus in his position was well aware of the problems with the lab machines and deliberately sought to defraud investors by covering it up. Unsurprisingly, Holmes did not testify at his trial, although she was a looming presence at his as he was somewhat at hers, especially in her testimony about their relationship. Closing arguments took place on Tuesday (14 June) and the jury will be charged after their conclusion. NBC Bay Area, New York Post, Wall Street Journal

Happier news comes from Proscia, a pathology software company, funding a $37 million Series C. Highline Capital Management, Triangle Peak Partners, and Alpha Intelligence Capital led the round along with participation from five earlier investors. Their total funding is up to $72 million. Their AI-enabled Concentriq platform combines “enterprise scalability with a broad portfolio of AI applications to accelerate breakthroughs and unlock clinical insights that advance precision medicine.” Clients include 10 of the top 20 pharmaceutical companies as well as the Joint Pathology Center, Proscia release, Becker’s 

Adding to the tally of healthcare data breaches are several this week. The year-to-date winner, of course, are the 2 million at Shields Health Care Group in Massachusetts [TTA 10 June], but this week, reports have been breaking out like late spring roses:

  •  A clinical guidance software vendor’s breach reported 10 June has exposed the protected health information (PHI) of patients at Omaha, Nebraska-based CHI Health and Sioux Falls, South Dakota based Avera Health. Avera has about 900 exposed patients, but the number at CHI is not yet known. MCG Health is the vendor. Becker’s
  • Yuma (Ariz.) Regional Medical Center reported an April ransomware attack that while short in duration, exposed PHI of 700,000 patients. An unauthorized user removed files from the hospital’s system that included patient health information such as names, social security numbers, health insurance information, and limited medical information relating to care. The hospital went offline until it was resolved, including reporting to law enforcement. Becker’s, Healthcare Dive
  • UChicago Medicine had its employee accounts hacked in March by an unauthorized user. It exposed about 2,500 patient records that included patient first and last names, social security numbers, health information, legacy Medicare beneficiary identification numbers, health insurance policy numbers, and driver’s license numbers. Becker’s
  • And Kaiser Foundation Health Plan of Washington had about 70,000 patient PHIs exposed on 5 April when an unauthorized user gained access to one employee’s emails with information on patient first and last names, dates of service, laboratory test information, and medical record numbers.

Short, but certainly not sweet, and expensive.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. A steady drumbeat despite many efforts to secure against outside attacks and continously monitor systems, still there are plenty of legacy devices floating around hospitals and clinics using outdated computer software and initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported that on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program which aids missing people and their families, unaccompanied or separated children, detainees, and other people as a result of armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts.  In addition, log in information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach that accessed patient billing information with the intent of rerouting the payments from the hospital to themselves. The hacker in the process gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSI and other financial information. The article does not disclose whether payments were successfully redirected.  Becker’s Health IT

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy

Alyssa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off the shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Weekend reading: HISTalk’s interview with Spirion’s CEO on healthcare data security

A short but must-read if you care about data security and your customers/patients/residents. Where this HISTalk interview with Kevin Coppins, CEO of Spirion, excels is leading the reader through areas that are usually filled with fog and IT jargon. The view is from his company and a healthcare organization sitting in a conference room and scoping the problem without ‘paralysis by analysis’ or a turnkey ‘solution’ that may not be one. What’s different here is the clear, and few, logic steps, particularly the first three listed, that Mr. Coppins takes to get the ball rolling rather than befogging the discussion with too many factors or the punitive consequences of regulatory non-compliance.

“The concept of data and sensitive data is at the core of both security and privacy.”

  1. How much data do you have? (Nobody really knows, admit it)
  2. Of that data, what would you consider ‘sensitive’, and how do you define ‘sensitive’? Not only by regulation/compliance directives, but what your patients, clients and the board would consider ‘sensitive’.
  3. How much of that data is actually critical? 
  4. What’s the impact? How personal is it to your organization, not just in a compliance way but in your community, etc.
  5. How do I reduce the risk of loss?
  6. If I lost the data due to hacking or ransomware, what’s the backup? How fast can this happen?

This Editor notes that these points (quantity, definition, risk of loss and recovery, and community impact) can be applied to other situation analyses.

The litany of ransomware attacks that have ramped up during the pandemic waves has pushed data security issues to the ‘gotta tackle’ list. According to Emsisoft, a security company, there were 41 attacks on healthcare organizations in first half 2020. This didn’t stop during the summer, with a rash of them at end of October and a hit list of 400 hospitals, according to Becker’s.) Hacking attacks persist but aren’t getting the headlines.

And his conclusion is pertinent: “When it comes to security and privacy and all the drama and all the noise that you hear about it and read about it, just boil it down to this — am I doing everything I can today to protect what matters most to the constituents I serve?”

Will the rise of technology mean the fall of privacy–and what can be done? UK seeks a new National Data Guardian.

Can we have data sharing and interoperability while retaining control by individuals on what they want shared? This keeps surfacing as a concern in the US, UK, Europe, and Australia, especially with COVID testing.

In recent news, last week’s acquisition of Ancestry by Blackstone [TTA 13 August] raised questions in minds other than this Editor’s of how a business model based on the value of genomic data to others is going to serve two masters–investors and its customers who simply want to know their genetic profile and disease predispositions, and may not be clear about or confused about how to limit where their data is going, however de-identified. The consolidation of digital health companies, practices, and payers–Teladoc and Livongo, CVS Health and Aetna, and even Village MD and Walgreens–are also dependent on data. Terms you hear are ‘tracking the patient journey’, ‘improving population health’, and a Big ’80s term, ‘synergy’. This does not include all the platforms that are solely about the data and making it more available in the healthcare universe.

A recent HIMSS virtual session, reported in Healthcare Finance, addressed the issue in a soft and jargony way which is easy to dismiss. From one of the five panelists:  

Dr. Alex Cahana, chief medical officer at ConsenSys Health.”And so if we are in essence our data, then any third party that takes that data – with a partial or even complete agreement of consent from my end, and uses it, abuses it or loses it – takes actually a piece of me as a human.”

Dignity-Preserving Technology: Addressing Global Health Disparities in Vulnerable Populations

But then when you dig into it and the further comments, it’s absolutely true. Most data sharing, most of the time, is helpful. Not having to keep track of everything on paper, or being able to store your data digitally, or your primary care practice or radiologist having it and interpretation accessible, makes life easier. The average person tends to block the possibility of misuse, except if it turns around and bites us. So what is the solution? Quite a bit of this discussion was about improving “literacy” which is a Catch-22 of vulnerability– ‘lacking skill and ability’ to understand how their data is being used versus ‘the system’ actually creating these vulnerable populations. But when the priority, from the government on to private payers, is ‘value-based care’ and saving money, how does this prevent ‘nefarious use’ of sharing data and identifying de-identified data for which you, the vulnerable, have given consent, to that end? 

It’s exhausting. Why avoid the problem in the first place? Having observed the uses and misuses of genomics data, this Editor will harp on again that we should have a Genomic Data Bill of Rights [TTA 29 Aug 18] for consumers to be fully transparent on where their data is going, how it is being used, and to easily keep their data private without jumping through a ridiculous number of hoops. This could be expandable to all health data. While I’d prefer this to be enforced by private entities, I don’t see it having a chance. In the US, we have HIPAA which is enforced by HHS’ Office of Civil Rights (OCR), which also watchdogs and fines for internal data breaches. Data privacy is also a problem of international scope, what with data hacking coming from state-sponsored entities in China and North Korea, as well as Eastern European pirates.

Thus it is encouraging that the UK’s Department of Health and Social Care is seeking a new national data guardian (NDG) to figure out how to safeguard patient data, based on the December 2018 Act. This replaces Dame Fiona Caldicott who was the first NDG starting in 2014 well before the Act. The specs for the job in Public Appointments are here. You’ll be paid £45,000 per annum, for a 2-3 day per week, primarily working remote with some travel to Leeds and London. (But if you’d like it, apply quickly–it closes 3 Sept!). It’s not full time, which is slightly dismaying given the situation’s growing importance. The HealthcareITNews article has a HIMSS interview video with Dame Fiona discussing the role of trust in this process starting with the clinician, and why the Care.data program was scrapped. Of related interest is Public Health England’s inter-mortem of lessons learned in data management from COVID-19, while reportedly Secretary Matt Hancock is replacing it with a new agency with a sole focus on health protection from pandemics. Hmmmmm…..HealthcareITNews.

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.