Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on NextGen Healthcare, an EHR/practice management platform used by small to enterprise-sized specialty practices. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly displayed NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated: “We immediately contained the threat, secured our network, and have returned to normal operations,” adding that “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and is the same group of charmers that attacked Colonial Pipeline in May 2021 using the DarkSide ransomware, drying up gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks, affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute report and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More from these reports, according to SC Media: 

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one and five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were listed alongside NextGen and remained after NextGen’s listing was challenged and taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions: a software bill of materials (SBOM), adequate evidence that the product can be updated and patched, and a description of security testing and controls. These were first before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices, and one long expected by manufacturers. SC Media
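What an SBOM check looks like once a manufacturer hands one over, as an added example that is not part of the original article and is not FDA, NextGen or any device maker’s tooling: a short Python script that reads a CycloneDX JSON SBOM, reports component records missing the identifiers an auditor needs to match them against advisories, and flags versions below a fix version. The SBOM, the component names and the fix-version table are constructed for the demonstration and are not real product or CVE data.

```python
"""Audit a CycloneDX SBOM: completeness of component records and out-of-date versions.

Added illustration, not code from the article, FDA, NextGen or any device maker.
The SBOM below is a constructed CycloneDX 1.4 JSON fragment for a hypothetical
device firmware; the fix-version table is likewise constructed, not real advisory data.
"""
import json
import re

# Constructed sample SBOM (hypothetical device, hypothetical components).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "firmware", "name": "infusion-pump-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u",
         "purl": "pkg:generic/openssl@1.0.2u"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "operating-system", "name": "windows", "version": "5.1",
         "purl": "pkg:generic/windows@5.1"},
        {"type": "library", "name": "libxml2"},   # incomplete record: no version, no purl
    ],
})

# Constructed fix-version table: component name -> lowest version considered patched.
# Hypothetical numbers for the demo; in practice this comes from a vulnerability feed.
FIX_VERSIONS = {"openssl": "1.1.1", "zlib": "1.2.12"}


def parse_sbom(text):
    """Load the JSON and refuse anything that does not declare itself CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def version_key(version):
    """Numeric tuple for ordering, e.g. '1.0.2u' -> (1, 0, 2); letter suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def missing_fields(doc, required=("name", "version", "purl")):
    """Components lacking the identifiers needed to match them to an advisory."""
    problems = []
    for comp in doc.get("components", []):
        absent = [f for f in required if not comp.get(f)]
        if absent:
            problems.append((comp.get("name", "<unnamed>"), absent))
    return problems


def find_outdated(doc, fix_versions):
    """Components whose recorded version is below the fix version for that name."""
    hits = []
    for comp in doc.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        fixed = fix_versions.get(name)
        if fixed and version and version_key(version) < version_key(fixed):
            hits.append((name, version, fixed))
    return hits


if __name__ == "__main__":
    doc = parse_sbom(SAMPLE_SBOM_JSON)
    for name, absent in missing_fields(doc):
        print(f"incomplete record: {name} lacks {', '.join(absent)}")
    for name, version, fixed in find_outdated(doc, FIX_VERSIONS):
        print(f"outdated: {name} {version} (fixed in {fixed})")
```

Real SBOMs are messier than this: version strings carry epochs and distro suffixes, and a proper check matches on purl or CPE rather than a bare name. The point of the script is the shape of the check a reviewer can run against a submission, not a replacement for a vulnerability scanner; an incomplete record, as with libxml2 above, is itself a finding because it cannot be matched to any advisory.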

Who’s buying, selling, funding wrapup: athenahealth IPO deux?, NextGen EHR buys reseller TSI for $68M, Cloudwave buys Sensato; fundings for Lumen, UpStream, Aide Health

athenahealth may go public a second time. This was teased by CEO Bob Segert in the Boston Globe (paywalled) earlier this week. He claimed in the article that since the company went private in 2019, they have added nearly 2,000 clients in each of the past three years and that revenues are in the billions. Healthcare IT News recaps some of their moves from going from public to private and downsizing to today. Their other news is that they have instituted a clinical advisory board of 30 members (!) to provide feedback and guidance on clinical features and direction to athenahealth’s product team. One hopes that the sharper members advise a change in the first letter of their name from the oh-so-twee lowercase to an uppercase ‘A’. 

NextGen Healthcare, an EHR/EMR and revenue cycle management software provider for medical/dental practices, is acquiring reseller partner TSI Healthcare. The agreement is for $68 million in cash upfront, with a contingent consideration of up to $22 million in cash if TSI meets certain goals by March 2025. TSI has been a NextGen reseller for 16 years. The acquisition will enable NextGen to expand in key specialties including rheumatology, pulmonology, and cardiology. No mention is made of management or staff transition, nor of SEC review as NextGen is a publicly traded company on Nasdaq. Hat tip to HISTalk 2 Dec. Release, BusinessJournals Triangle

Massachusetts-based CloudWave is acquiring Sensato Cybersecurity to increase its cybersecurity capabilities. CloudWave provides cloud hosting services with cybersecurity capabilities exclusively to healthcare organizations. Sensato adds cybersecurity-as-a-service (CaaS) to manage security needs, identify security gaps, and provide threat intelligence. Transaction price and details were not disclosed, but Sensato’s founder John Gomez will join CloudWave as chief security and engineering officer. Healthcare IT News

Cybersecurity continues to be top-of-mind for healthcare organizations. The latest Big Data Breach at CommonSpirit Health system hospitals got even worse, with a third-party breach of an undisclosed number of patient records at their Franciscan Health hospitals in September and October. This followed the ransomware attack on other CommonSpirit system hospitals’ EHRs in October. Healthcare IT News

As we near the end of the year, funding is wrapping up with a flurry in some surprising areas: optimizing metabolism, care coordination for chronic conditions, and reducing the burden on primary care practices/GPs. One raise is for an early-stage company in the UK working on the latter.

  • Lumen’s $62 million Series B was led by Pitango Venture Capital with Hanwha Group and Resolute Ventures. Lumen measures metabolism via a handheld, breathalyzer-like device equipped with a CO2 sensor that analyzes whether the body is burning fats or carbs for fuel, which can inform weight loss, energy for fitness, and sleep. With that data, the app delivers personalized meal plans and nutrition guidance to users, along with when to eat. The new funding will be used to expand these nutrition and lifestyle coaching services. The device is sold direct to consumers, with the app services sold on a SaaS basis: three annual plans with a range of services, priced (on sale) from $249 to $349. Mobihealthnews, MedCityNews
  • Another Series B raise of $140 million went to UpStream, for total funding of $185 million. UpStream is in the decidedly unsexy area of care coordination, workflow, and financial platform technology for groups of advanced primary care practices enrolled in value-based full-risk care models, most of which are centered around Medicare and Medicare Advantage. They also deploy pharmacist-led care teams into primary care practices. Their platform and services are free to the practice, with a risk-sharing agreement that pays UpStream through savings (upside risk) but also holds them accountable if savings are below the benchmark (downside risk). Practices are paid on quality during the performance year versus having to wait for CMS to pay in Q3-4 of the following year. This is an MSO (management services organization) ‘in a box’ versus organizing ACOs, and is mainly technology-based, a new wrinkle for this Editor who used to market in this area. MedCityNews, Mobihealthnews
  • Aide Health is a clinician-to-patient platform for better management of chronic conditions now bolstered with £1 million in pre-seed funding. Founded by Ian Wharton, CEO, and Brian Snyder, COO, the platform measures physical, mental, and social wellbeing markers for more proactive care. Aide is piloting with the NHS for asthma or Type 2 diabetes with a cohort aged 18 to 75.  Funding was led by Hambro Perks through its EIS fund, with participation from Fuel Ventures, 1818 Ventures, and APX. BusinessCloud (UK)

Weekend short takes: May telehealth claims up to 5.4%; three health plan breaches, one at its law firm–affecting over 400,000 patients; layoffs hit Calm, Truepill (updated)

FAIR Health’s telehealth claims took two bumps up, in April and then May. In April, telehealth medical claims moved slightly upward to 4.9% from March’s 4.6%, but May increased 10% to 5.4%, a level not seen since May 2021. Mental health conditions still make up the vast bulk of claims at 62.8%, but 3.6% of telehealth claims involve COVID-19 diagnoses, with 3.2% of claims for respiratory diseases and infections. This is attributed to a regional increase in the Southern and Western states of the latest variants of COVID-19. FAIR Health monthly tracker main page

Priority Health, a Michigan-based nonprofit health plan company, was breached through its law firm Warner Norcross & Judd (WNJ). The October 2021 breach at WNJ wasn’t reported to Priority Health until 6 June. The unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012. 120,000 members were affected. What the information was doing at the plan’s law firm was not disclosed. Priority Health is Michigan’s second-largest plan with over one million members.

In other breaches, Texas-based Behavioral Health Group (BHG), had a data incident that affected 197,507 individuals. The unauthorized party had potentially removed certain files and folders from portions of its network on 5 December 2021.  The files include names, Social Security numbers, driver’s license numbers, financial account information, biometrics, medication information, medical record numbers, dates of service, passports, payment card information, and health insurance information. However, the information accessed doesn’t appear to have been misused.

First Choice Community Healthcare in Albuquerque, New Mexico, also had a data security incident that involved 101,541 patients. The PHI in the 27 March breach included names, Social Security numbers, patient ID numbers, medications, dates of service, diagnosis and treatment information, birth dates, health insurance information, medical record numbers, patient account numbers, and provider information. Again, there appears to be no misuse to date. HealthITSecurity

More health tech companies lay off staff.

  • Calm, one of those incessantly advertised (in US) meditation apps, is discharging 20% (90) staffers, at least 12 in marketing, according to a report in the Wall Street Journal (may be paywalled). From this Editor’s LinkedIn post in response to early reports:
    • Calm was strategically ‘off’ in spending. They overspent on direct to consumer–expensive TV spots on major networks and sponsorships, paid social and search. If you wanted Calm’s full features, you paid for them. Expensive meditation apps are merely a “nice to have” and there are a bunch of free ones available. 
    • There’s also too much app overlap and mistargeting out there. Calm was trying to sell the app to businesses as a benefit (ROTFL) but was hedging its bets with buying Ripple, which designs apps for care coordination and condition management (another crowded area).
    • Another sign–new sole CEO named this summer. Now sole CEO David Ko came from Ripple and the two Calm founders moved over to co-chair roles.
    • This is a company that raised well north of $200 million to become a $2 billion unicorn as early as 2019, another sign of too much cash, too soon, and VCs/equity investors following the fad. ‘Mindfulness’ became a fad as early as 2018.
  • Truepill is up to its third layoff–33% or 175 staff, including all UK staff plus much of the product and data teams. Their cutbacks relate to multiple failures: the first in betting on ADHD controlled substances, the second in blowing through vast amounts of funding while unable to obtain more (a Series D of $142 million, but unable to float a Series E). Truepill’s ADHD med bet fell apart with its relationship with Cerebral, now under Federal investigation [TTA 16 June]. As early as May, Truepill, Cerebral’s primary mail order provider, had stopped filling their prescriptions for Schedule 2 medications [TTA 1 June]. This follows on a June layoff of 15% or 150 people. Truepill had also expanded into telehealth and diagnostics, two areas which will only be lightly supported going forward. TechCrunch

Mid-week news roundup (updated 18 Aug): CVS eyeing Signify Health for in-home/VBC; Babylon Health mixed pic of revenue and losses up; Geisinger doubles telemed specialties; connected IoT devices expand cyber-insecurity (more); Owlet layoffs

CVS has dropped another shoe in its quest to add primary care and home health to its portfolio [TTA 5 Aug]. Reports indicate that CVS Health is bidding to acquire Signify Health, which is up for sale. Signify is best known as a major provider of in-home health care in both evaluations and community-based services, with users such as health plans, health systems, community groups, non-profits, and government. In March, they added provider value-based care with Caravan Health, a mid-sized Accountable Care Organization (ACO) management service organization (MSO), for $250 million. This would give CVS both leverage in in-home care and access to value-based care models in health systems and practices, adding a network of jumbo (100,000 lives+) ACOs to Aetna’s 500 ACOs.

Signify did take a bit of a bath with its acquisition/merger of Remedy Partners in 2019, which marked their entry into the Federal shared savings programs around Episodes of Care. While it created a $600 million company, Remedy’s Episodes of Care business in the CMS Bundled Payments for Care Improvement (BPCI) program was always problematic for Signify on multiple levels (Editor’s experience). Signify announced its exit from the successor BPCI-A (Advanced) model last month to concentrate on home care and the Caravan business. The wind-down, which will take some time as these are Federal programs through CMS, will save Signify about $115-120 million in costs, compared to their annual direct and shared costs of $145 million. Restructuring costs such as severance may be only $35 million. After IPO-ing in February 2021 at $24 per share, the stock has only recently climbed back to $23, having hit a 52-week low of $10.70. FierceHealthcare, HealthcareFinanceNews

Updated Perhaps in preparation for acquisition, Signify Health is shedding 489 people starting 1 October, including 45 in Connecticut, with the remainder in Texas, South Dakota, and New York. The information comes from required notices to the Connecticut Department of Labor. The majority of employees affected are remote workers. It appears to be related to Signify’s winding up of BPCI and Episodes of Care activity, which are likely on calendar-year contracts. The legacy company, Remedy Partners, had been headquartered in Connecticut with staff in New York. Moving forward with layoffs now makes the company more attractive for sale, as the separation expenses will not be an acquiring company’s liability. The 1 October start date is also a tell. CT Insider, Becker’s

A mixed picture for Babylon Health. Its Q2 results were up substantially in revenue–4.6x year-over-year from $57.5 million to $265.4 million–along with key indicators such as US members up 220% and a 7.5% improvement in medical margins over three quarters. The US has been very, very good to Babylon, with value-based care membership growing 3.2x year-on-year to a total of approximately 269,000 US VBC members and 40% of its VBC revenue from Medicare contracts. However, losses are up along with growth: $157.1 million compared to a $64.9 million loss in the prior year. Babylon at end of July announced worldwide layoffs of at least 100 people of its current 2,500 in their bid to save $100 million in Q3. Babylon release, Mobihealthnews

Geisinger Health was one of the pioneers in telehealth and remote patient monitoring, from ur-days in the early 2010s to today. Much of its patient base in Pennsylvania is rural or semi-rural, living well away from care centers, with a clinician base equally scattered. They went with a single system–Teladoc–integrated into Epic. By the early days of the pandemic, Geisinger was able to expand their telehealth coverage from 20 to more than 70 specialties, 200 providers to more than 2,000 providers, and over two years (2020-2022) completing over 784,000 telehealth visits to homes, local clinics, or local hospitals. Case study in HealthcareITNews

If you’re a health system CIO managing lots of connected devices, you may need to go to a psychiatrist with your feelings of insecurity. That’s the gist of a new report, the Insecurity of Connected Devices in Healthcare 2022. A new-to-this-Editor cybersecurity firm, Cynerio, partnered with researchers at the Ponemon Institute to survey 517 executives at US health systems to find that their Internet of Medical Things (IoMT)/Internet of Things (IoT) vulnerabilities haven’t changed much since this Editor banged the gong about them well before the pandemic:

  • Cyberattacks–frequent: 56% of respondents experienced one or more cyberattacks involving IoMT/IoT devices in the past 24 months, and 58% of those averaged nine or more. Adverse impacts on patient care were reported by 45%, and 53% of those reported increased mortality rates; overall, 24% of hospitals noted an impact on their mortality rates.
  • Data breaches are routine: 43% of hospitals had one in the past two years
  • Risks may be high, but the reaction is sluggish: 71% rated security risks as high or very high, but only 21% report a mature stage of proactive security actions. 46% performed accepted procedures such as scanning for devices, but only 33% keep an inventory.
  • Ka-ching! Goes the ransomware! When attacked, 47% paid the ransom, and 32% of those payments were in the $250,000-500,000 range.

The full report is available for download here. Those who prefer a webinar must wait till 17 August at 2pm (EDT)–registration here. Cynerio release, HealthcareITNews

Updated. Having sat in on the webinar, some further information points from the Ponemon survey deepen the ‘gravity of the risk’:

  • IoT is different because a hack or ransomware attack stops the device from working; unlike data, a device can’t be restored from backup.
  • Health systems are still using IoT computer systems running Windows XP/95–and earlier (!)
  • The average total cost of the largest data breaches is $13 million–the most common cost is in the $1-5 million range. 
  • 88% of these data breaches involved at least one IoT/IoMT device
  • Risks are known, but action is lagging. 72% of health organizations report a high level of urgency in securing devices–yet 67% of organizations do not keep an inventory of the IoT/IoMT devices that they scan
  • 79% don’t consider their activities to be ‘mature’
  • Security investment doesn’t reflect the gravity of the risk–only 3.4% of IT budgets focus on IoT/IoMT device security.
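The two gaps the survey keeps returning to, no device inventory and devices still on retired operating systems, are the easiest to start closing, and the following is an added example of how, not part of the original post and not Cynerio’s, Ponemon’s or any hospital’s tooling. The Python script reads an nmap XML scan (the `-oX` output format), builds a per-device record, flags hosts whose OS fingerprint matches a retired Windows release, and lists devices seen on the wire but absent from the asset register. The scan fragment and the asset register are constructed for the demonstration; the EOL marker list is an assumption a real deployment would maintain from vendor lifecycle data.

```python
"""Build a device inventory from an nmap XML scan and flag end-of-life operating systems.

Added illustration; not Cynerio's, Ponemon's or any hospital's tooling. The scan output
below is a constructed fragment in nmap's -oX format, and the asset register is a
hypothetical set of MAC addresses. An EOL hit only means the fingerprint matched a
retired OS; nmap OS detection is probabilistic, so confirm before acting on it.
"""
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment: three hosts on a hypothetical clinical VLAN.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.5.21" addrtype="ipv4"/>
    <address addr="00:1A:2B:3C:4D:5E" addrtype="mac" vendor="Philips"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.22" addrtype="ipv4"/>
    <address addr="00:1A:2B:3C:4D:5F" addrtype="mac" vendor="GE Healthcare"/>
    <ports><port protocol="tcp" portid="104"><state state="open"/><service name="dicom"/></port></ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.23" addrtype="ipv4"/>
    <address addr="00:1A:2B:3C:4D:60" addrtype="mac"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports>
    <os/>
  </host>
</nmaprun>
"""

# Hypothetical asset register (e.g. exported from a CMMS): MACs the organization knows about.
KNOWN_ASSETS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}

# Assumed list of retired Windows releases to match against nmap's osmatch names.
EOL_OS_MARKERS = ("Windows 95", "Windows 98", "Windows 2000", "Windows XP",
                  "Windows Server 2003", "Windows 7")


def parse_nmap_xml(text):
    """One record per host that is up: ip, mac, vendor, best OS match, open ports."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None, "os": None, "ports": []}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr").upper()
                rec["vendor"] = a.get("vendor")
        for p in h.findall("./ports/port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                svc = p.find("service")
                rec["ports"].append((int(p.get("portid")), svc.get("name") if svc is not None else None))
        match = h.find("./os/osmatch")   # nmap lists the best match first
        if match is not None:
            rec["os"] = match.get("name")
        hosts.append(rec)
    return hosts


def flag_legacy_os(hosts, markers=EOL_OS_MARKERS):
    """IPs whose OS fingerprint names a retired release."""
    return [h["ip"] for h in hosts
            if h["os"] and any(m.lower() in h["os"].lower() for m in markers)]


def inventory_gaps(hosts, known_macs):
    """IPs seen on the network whose MAC is not in the asset register."""
    return [h["ip"] for h in hosts if h["mac"] not in known_macs]


def unfingerprinted(hosts):
    """IPs with no OS match at all: unknown, not safe."""
    return [h["ip"] for h in hosts if not h["os"]]


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(h["ip"], h["mac"], h["vendor"], h["os"], h["ports"])
    print("legacy OS:", flag_legacy_os(hosts))
    print("not in register:", inventory_gaps(hosts, KNOWN_ASSETS))
    print("no fingerprint:", unfingerprinted(hosts))
```

Feed it the output of `nmap -O -oX scan.xml <range>`. One caveat a clinical engineering team will insist on: active scanning, and OS detection in particular, has knocked fragile medical devices offline, so on a clinical VLAN run it in a maintenance window with the device owners, or build the inventory passively from DHCP, ARP and switch tables and reserve active scans for devices already known to tolerate them.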

And in sad layoff news, Owlet Baby Care is shedding an unknown number of employees. Here is the notice on LinkedIn. We noted their FDA problems and a fast pivot last in February, but their going public via a SPAC has been rocky at best with shares lingering at $2 from the IPO at $8. Marketing a pricey baby monitor direct to consumer is expensive, even if it meets a need, and this is likely a cash crunch. At least the ‘leader of people & culture’ is giving them a proper sendoff of thanks–and more usefully, providing their contact information for potential job openings with other companies.

[This is in contrast to the gone-viral spectacle of the CEO of something called HyperSocial posting on LinkedIn his angst about laying off staff–along with a selfie of him weeping. Not exactly confidence-making and All About Him. This Editor’s comment is one of 6,000-odd posts which are largely doubtful to negative.]

Week-end news roundup: Fold Health launches OS ‘stack’; admin task automator Olive cuts 450 workers; 38% of UK data breaches from cyber, internal attacks; hacking 80% of US healthcare breaches; does AI threaten cybersecurity?

Startup Fold Health launched this week. It’s developed a suite of modular tools that are interoperable with existing EHRs or platforms to enable them to work better, together. Fold’s main claim is to “move primary care beyond the constraints of a 15-minute visit and provide a revolutionary consumer first experience through micro, automated workflows and campaigns of care.” There is an athenahealth connection, in that the founders were from Praxify, a virtual assistant/patient engagement app bought by athenahealth for $65 million in 2017. It has a $6 million seed investment from athenahealth. FierceHealthcare

On the other side of the funding mountain,  Olive, an AI-enabled data cruncher that automates routine administrative healthcare processes such as revenue cycle management, has pink-slipped 450 employees, about one-third of its staff. In a letter to employees excerpted in Axios, Olive cites ‘missteps’ and ‘lack of focus’. It follows hiring freezes, major staff departures, and overpromising/underdelivering, including not using AI or machine learning for automating tasks, featured in an April Axios investigation. Olive has gone through over $850 million in nine rounds of funding (the last July 2021, Series H–Crunchbase). FierceHealthcare

Cyber attacks and internal breaches together account for 38% of UK organizations’ (of all types) data losses in 2022. This is based on the Data Health Check survey of 400 IT decision makers compiled by Databarracks, a cloud-based business continuity organization. The second and third causes of data loss are human error and hardware failure. Of those surveyed, over half have experienced a cyber attack, most commonly ransomware. 44% paid the ransom; 34% didn’t and restored from backups. Their recommendations include frequent backups and keeping track of how many data versions are retained–both minimize downtime and data loss. Release, full report

By contrast, returning to the US and healthcare, malicious hacking activity accounts for nearly 80% of all breaches. Fortified Health Security’s mid-year report on the state of healthcare cybersecurity, reviewing HHS Office for Civil Rights (OCR) data, noted that in the first half of 2022:

  • Healthcare data breaches primarily originated at providers (72%); the remainder were at business associates (16%) and health plans (12%).
  • The number of records affected was 138% higher than the first half of 2020 at over 19 million records
  • Breaches were concentrated in relatively few organizations: Seven entities experienced breaches of more than 490,000 records each, in total 6.2 million records or 31% to date.  
  • OCR’s data breach portal recorded 337 healthcare data breaches that each impacted more than 500 individuals, a small decline from 2021’s 368
  • Hacking incidents rose to 80% from 72% in 2021. Unauthorized access/disclosure incidents totaled 15%; loss, theft, or improper disposal accounted for only 5% of breaches.
  • AI and ML-enabled security offerings can bolster cyber infrastructure. Organizations should also look at how IT staff shortages impact their planning and security.    HealthITSecurity

Can AI (and machine learning-ML) lessen breaches–or open the door to worse problems, such as algorithmic bias, plus data privacy and security concerns? Vast quantities of data pumped through AI or ML algorithms are harder to secure. If the algorithms are built incorrectly–such as eliminating or underrepresenting certain populations–what comes out will be skewed and possibly misleading. In the Healthcare Strategies podcast, Linda Malek of healthcare law firm Moses & Singer, who chairs their healthcare, privacy, and cybersecurity practice group, discusses the problems. She suggests some best practices around transparency, security, privacy, and accuracy when developing an AI algorithm, including collecting as much data as possible, and as diverse as possible, for accuracy. Additionally, the design should incorporate privacy and security from the start. HealthcareExecIntelligence

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners’ acquisition of Watson Health from IBM closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” across health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy, formerly CEO of eSolutions, a Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex, and Merge Imaging 
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader, now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up

Telemental health Cerebral’s miseries pile on. The Federal Trade Commission (FTC) is now investigating Cerebral on deceptive advertising and marketing practices. The Wall Street Journal (may be paywalled) reviewed the 1 June letter sent to the company. The letter requests the usual preservation of documents and asks ‘dozens of questions’ related to their business. Of particular interest to the FTC is the ‘negative option’ practice that continues the subscription fee unless the subscriber takes positive action to cancel it. Subscribers have complained that Cerebral did not cancel their subscriptions after repeated attempts to do so and did not refund their money. Reuters, FierceHealthcare

Also of interest to the FTC will be the dodgy advertising claims about ADHD and obesity which ran on TikTok and Instagram [TTA 10 May]. The WSJ reported that their ad spend topped $65 million for this year–$13 million on TikTok alone from January to May this year, making Cerebral the third-largest advertiser behind HBO and Amazon, according to research firm Pathmatics.

The FTC action follows the Department of Justice (DOJ) investigation of their prescribing of controlled substances such as Adderall (Schedule II, high potential for abuse) and Xanax (Schedule IV), CVS and Walmart refusing their prescriptions, the unceremonious booting of the CEO and co-founder, and a wrongful dismissal lawsuit by a former VP of product and engineering, Matthew Truebe. Certainly, its investors led by SoftBank, which raised $300 million in December less than six months after a raise of $127 million, are unhappy at watching their $4.8 billion baby crash and burn.

The second “rerun” Theranos trial, of Sunny Balwani, rests. This much-muted trial is winding towards its close. Receiving much less breathless and near-sensational coverage than Elizabeth Holmes’, Theranos president Balwani was tried in the same San Jose Federal district court, with the same prosecutor (Robert Leach), just about the same charges (12 counts of wire fraud and conspiracy to commit wire fraud), and Judge Davila presiding. Holmes was convicted and her sentencing is scheduled for September.

The prosecution rested on 20 May and the defense on 9 June. The trial took some delays due to at least two jurors falling ill from Covid. The defense strategy rested on Holmes’ founding and operating the company without Balwani for a few years and on the fact that he never sold his shares, making him as victimized as any ordinary investor. The prosecution is relying on how close Holmes and Balwani were, that he had great power at Theranos–and used it, and that in his position he was well aware of the problems with the lab machines and deliberately sought to defraud investors by covering them up. Unsurprisingly, Holmes did not testify at his trial, although she was a looming presence at it, as he was somewhat at hers, especially in her testimony about their relationship. Closing arguments took place on Tuesday (14 June) and the jury will be charged after their conclusion. NBC Bay Area, New York Post, Wall Street Journal

Happier news comes from Proscia, a pathology software company, which raised a $37 million Series C. Highline Capital Management, Triangle Peak Partners, and Alpha Intelligence Capital led the round, with participation from five earlier investors. Their total funding is up to $72 million. Their AI-enabled Concentriq platform combines “enterprise scalability with a broad portfolio of AI applications to accelerate breakthroughs and unlock clinical insights that advance precision medicine.” Clients include 10 of the top 20 pharmaceutical companies as well as the Joint Pathology Center. Proscia release, Becker’s 

Adding to the tally of healthcare data breaches are several this week. The year-to-date winner, of course, is the 2 million-patient breach at Shields Health Care Group in Massachusetts [TTA 10 June], but this week, reports have been breaking out like late spring roses:

  • A clinical guidance software vendor’s breach reported 10 June has exposed the protected health information (PHI) of patients at Omaha, Nebraska-based CHI Health and Sioux Falls, South Dakota-based Avera Health. Avera has about 900 exposed patients, but the number at CHI is not yet known. MCG Health is the vendor. Becker’s
  • Yuma (Ariz.) Regional Medical Center reported an April ransomware attack that, while short in duration, exposed the PHI of 700,000 patients. An unauthorized user removed files from the hospital’s system that included patient health information such as names, social security numbers, health insurance information, and limited medical information relating to care. The hospital took its systems offline until the incident was resolved and reported it to law enforcement. Becker’s, Healthcare Dive
  • UChicago Medicine had its employee accounts hacked in March by an unauthorized user. It exposed about 2,500 patient records that included patient first and last names, social security numbers, health information, legacy Medicare beneficiary identification numbers, health insurance policy numbers, and driver’s license numbers. Becker’s
  • And Kaiser Foundation Health Plan of Washington had the PHI of about 70,000 patients exposed on 5 April when an unauthorized user gained access to one employee’s emails containing patient first and last names, dates of service, laboratory test information, and medical record numbers.

Short, but certainly not sweet, and expensive.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. It is a steady drumbeat. Despite many efforts to secure against outside attacks and to continuously monitor systems, there are still plenty of legacy devices floating around hospitals and clinics running outdated software and still using their initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program, which aids missing people and their families, unaccompanied or separated children, detainees, and others affected by armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts. In addition, the login information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach in which the attacker accessed patient billing information with the intent of rerouting payments from the hospital to themselves. In the process the hacker gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSI and other financial information. The article does not disclose whether payments were successfully redirected. Becker’s Health IT

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy
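To make the BOLA finding concrete, here is an added illustration written for this post; it is not code from the Approov report or from any of the 30 tested apps, and the record store, patient ids, and caller roles are all constructed. It shows a records lookup that authenticates the caller but never checks who owns the requested record (the BOLA pattern), next to a hardened version that ties every lookup to the authenticated identity and answers missing and forbidden records identically so the id space cannot be walked.

```python
"""Broken Object Level Authorization (BOLA) on a toy health-records API.

Added example with constructed data; not the Approov report's code and not
from any app it tested.  Two handlers serve the same request: one is
vulnerable, one checks object ownership.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    patient_id: str      # owner of the record
    summary: str


@dataclass(frozen=True)
class Caller:
    """The identity the API established when it validated the session token."""
    user_id: str
    role: str                                  # "patient" or "clinician"
    assigned_patients: frozenset = frozenset()  # clinicians: patients in their care


class NotFound(Exception):
    pass


# Constructed sample store; sequential ids are typical of the APIs described.
RECORDS = {
    1001: Record(1001, "pat-alice", "Annual physical, unremarkable"),
    1002: Record(1002, "pat-bob", "HbA1c 7.9%, medication adjusted"),
    1003: Record(1003, "pat-carol", "Knee MRI ordered"),
}

# Constructed callers used by the demo and the checks below.
ALICE = Caller("pat-alice", "patient")
DR_DEE = Caller("dr-dee", "clinician", frozenset({"pat-bob"}))


def get_record_vulnerable(caller: Caller, record_id: int) -> Record:
    """BOLA: the caller is authenticated, but any valid id is returned.
    Changing the id in the request is enough to read another patient's record."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def is_authorized(caller: Caller, rec: Record) -> bool:
    """Object-level check: does this caller have a relationship to this record?"""
    if caller.role == "patient":
        return rec.patient_id == caller.user_id
    if caller.role == "clinician":
        return rec.patient_id in caller.assigned_patients
    return False  # unknown roles get nothing


def get_record_hardened(caller: Caller, record_id: int) -> Record:
    """Same lookup with an ownership check.  Missing and forbidden records
    raise the same error so a caller cannot distinguish 'does not exist'
    from 'exists but not yours' and enumerate the id space."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(caller, rec):
        raise NotFound(record_id)
    return rec


def readable_count(handler, caller: Caller, id_range) -> int:
    """Defender's regression check: how many records can one caller read by
    walking an id range?  For a patient the right answer is their own only."""
    count = 0
    for rid in id_range:
        try:
            handler(caller, rid)
            count += 1
        except NotFound:
            pass
    return count


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, alice reads:", readable_count(get_record_vulnerable, ALICE, ids))
    print("hardened,   alice reads:", readable_count(get_record_hardened, ALICE, ids))
    print("hardened,   dr-dee reads:", readable_count(get_record_hardened, DR_DEE, ids))
```

The `readable_count` check is the kind of test to keep in an API's own test suite: a patient-role session walking a range of record ids should read exactly one record, and a clinician only those of assigned patients. Certificate pinning, the other 100 percent finding above, is a client-side control and is not shown here.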

Alissa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off the shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Weekend reading: HISTalk’s interview with Spirion’s CEO on healthcare data security

A short but must-read if you care about data security and your customers/patients/residents. Where this HISTalk interview with Kevin Coppins, CEO of Spirion, excels is leading the reader through areas that are usually filled with fog and IT jargon. The view is from his company and a healthcare organization sitting in a conference room and scoping the problem without ‘paralysis by analysis’ or a turnkey ‘solution’ that may not be one. What’s different here is the clear, and few, logic steps, particularly the first three listed, that Mr. Coppins takes to get the ball rolling rather than befogging the discussion with too many factors or the punitive consequences of regulatory non-compliance.

“The concept of data and sensitive data is at the core of both security and privacy.”

  1. How much data do you have? (Nobody really knows, admit it)
  2. Of that data, what would you consider ‘sensitive’, and how do you define ‘sensitive’? Not only by regulation/compliance directives, but what your patients, clients and the board would consider ‘sensitive’.
  3. How much of that data is actually critical? 
  4. What’s the impact? How personal is it to your organization, not just in a compliance way but in your community, etc.
  5. How do I reduce the risk of loss?
  6. If I lost the data due to hacking or ransomware, what’s the backup? How fast can this happen?

This Editor notes that these points (quantity, definition, risk of loss and recovery, and community impact) can be applied to other situation analyses.

The litany of ransomware attacks that have ramped up during the pandemic waves has pushed data security issues to the ‘gotta tackle’ list. According to Emsisoft, a security company, there were 41 attacks on healthcare organizations in the first half of 2020. This didn’t stop during the summer, with a rash of them at the end of October and a hit list of 400 hospitals, according to Becker’s. Hacking attacks persist but aren’t getting the headlines.

And his conclusion is pertinent: “When it comes to security and privacy and all the drama and all the noise that you hear about it and read about it, just boil it down to this — am I doing everything I can today to protect what matters most to the constituents I serve?”

Will the rise of technology mean the fall of privacy–and what can be done? UK seeks a new National Data Guardian.

Can we have data sharing and interoperability while retaining control by individuals on what they want shared? This keeps surfacing as a concern in the US, UK, Europe, and Australia, especially with COVID testing.

In recent news, last week’s acquisition of Ancestry by Blackstone [TTA 13 August] raised questions in minds other than this Editor’s of how a business model based on the value of genomic data to others is going to serve two masters–investors, and customers who simply want to know their genetic profile and disease predispositions and may be unclear or confused about how to limit where their data is going, however de-identified. The consolidations of digital health companies, practices, and payers–Teladoc and Livongo, CVS Health and Aetna, and even Village MD and Walgreens–are also dependent on data. Terms you hear are ‘tracking the patient journey’, ‘improving population health’, and a Big ’80s term, ‘synergy’. This does not include all the platforms that are solely about the data and making it more available in the healthcare universe.

A recent HIMSS virtual session, reported in Healthcare Finance, addressed the issue in a soft and jargony way which is easy to dismiss. From one of the five panelists:

Dr. Alex Cahana, chief medical officer at ConsenSys Health: “And so if we are in essence our data, then any third party that takes that data – with a partial or even complete agreement of consent from my end, and uses it, abuses it or loses it – takes actually a piece of me as a human.”

Dignity-Preserving Technology: Addressing Global Health Disparities in Vulnerable Populations

But then when you dig into it and the further comments, it’s absolutely true. Most data sharing, most of the time, is helpful. Not having to keep track of everything on paper, or being able to store your data digitally, or your primary care practice or radiologist having it and interpretation accessible, makes life easier. The average person tends to block the possibility of misuse, except if it turns around and bites us. So what is the solution? Quite a bit of this discussion was about improving “literacy” which is a Catch-22 of vulnerability– ‘lacking skill and ability’ to understand how their data is being used versus ‘the system’ actually creating these vulnerable populations. But when the priority, from the government on to private payers, is ‘value-based care’ and saving money, how does this prevent ‘nefarious use’ of sharing data and identifying de-identified data for which you, the vulnerable, have given consent, to that end? 

It’s exhausting. Why avoid the problem in the first place? Having observed the uses and misuses of genomics data, this Editor will harp on again that we should have a Genomic Data Bill of Rights [TTA 29 Aug 18] for consumers to be fully transparent on where their data is going, how it is being used, and to easily keep their data private without jumping through a ridiculous number of hoops. This could be expandable to all health data. While I’d prefer this to be enforced by private entities, I don’t see it having a chance. In the US, we have HIPAA which is enforced by HHS’ Office of Civil Rights (OCR), which also watchdogs and fines for internal data breaches. Data privacy is also a problem of international scope, what with data hacking coming from state-sponsored entities in China and North Korea, as well as Eastern European pirates.

Thus it is encouraging that the UK’s Department of Health and Social Care is seeking a new National Data Guardian (NDG) to figure out how to safeguard patient data, based on the December 2018 Act. This replaces Dame Fiona Caldicott, who was the first NDG starting in 2014, well before the Act. The specs for the job in Public Appointments are here. You’ll be paid £45,000 per annum for a 2-3 day week, primarily working remotely with some travel to Leeds and London. (But if you’d like it, apply quickly–it closes 3 Sept!) It’s not full time, which is slightly dismaying given the situation’s growing importance. The HealthcareITNews article has a HIMSS interview video with Dame Fiona discussing the role of trust in this process, starting with the clinician, and why the Care.data program was scrapped. Of related interest is Public Health England’s inter-mortem of lessons learned in data management from COVID-19, while reportedly Secretary Matt Hancock is replacing it with a new agency with a sole focus on health protection from pandemics. Hmmmmm…..HealthcareITNews.

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, by literally unplugging computers; according to UCSF, by isolating servers) but decided to pay the ransom to unlock the encrypted data and secure the return of the data the attackers obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

News roundup: stroke rehab uses Hollywood technology, 3M sues IBM Watson Health on analytics software misuse, AI-based skin cancer detection apps fail, Dictum’s successful telemed use post-pediatric surgery, malware attacks Boston practice network

Motion capture technology being used in stroke and TBI rehab. Best known for turning actors into cartoon superheroes, motion capture tech is now being used at Spaulding Rehabilitation Hospital in Boston for returning mobility to stroke and TBI patients. Attached to the patient are sensors–reflective markers–on key parts of the body. Using an array of infrared cameras, the patient is tracked on gait and other affected motion areas. Doctors and therapists can then better target therapy, plus assistive technologies from orthotics to full exoskeletons. Includes video. STAT

When Giants Sue. 3M is suing IBM Watson Health over its use of licensed 3M software in ‘unauthorized ways’, charging direct copyright infringement and contract breaches. 3M’s Grouper Plus System analyzes claims and other coded data to help calculate reimbursement. 3M contends that IBM was licensed only for internal use under a Truven agreement dating back to 2007, years before Truven’s acquisition by IBM. The suit also alleges that IBM then integrated the software into Watson platforms without a license transfer and expansion to cover the use, and dodged an audit of that use. The suit is in NY Federal Court. Becker’s Health IT Report

Algorithm-based dermatology apps fail to accurately detect risk for melanomas and similar skin cancer.  A just-published BMJ study determined that these smartphone apps, which use algorithms that catalogue and classify images of lesions into high or low risk for skin cancer and return an immediate risk assessment with subsequent recommendation to the user, are not effective. Six apps were examined, including two with a CE mark. None were FDA-approved and two were cited by the Federal Trade Commission for deceptive marketing. Only one, SkinVision, is still commercially available. Study results do not apply to apps that physicians use in direct telemedicine consults. IEEE Spectrum

Successful test and planned rollout of telemedicine tablet for post-surgery checks at Children’s Hospital of Richmond (Virginia–CHoR). The Dictum Health eVER-HOME tablet used for virtual visits had a 92 percent acceptance rate of telemedicine visits in place of in-person visits, zero return to hospital/ER events, earlier patient discharge post-surgery (12 to 24 hours), and avoidance of long-distance travel by patients for follow-up visits, a significant factor as CHoR is a destination hospital for specialized pediatric surgery. The rollout will include AI capabilities in Dictum’s Care Central platform to help determine rising risk and more. Dictum Health is a company best known for telemedicine units for remote workers (e.g. oil rigs) using their Virtual Exam Room (VER) technologies. Dictum release, mHealth Intelligence

CHoR is having a better week than a physicians’ network affiliated with Boston Children’s Hospital. Pediatric Physicians’ Organization at Children’s (PPOC) is the victim of a malware attack affecting computer systems at about 500 affiliated physicians and clinicians. The impacted systems have been quarantined, and BCH itself is not affected. Becker’s Hospital Review, Health IT Security. Health IT Security also rounds up other recent data breaches, hacks, and phishing attacks.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million breached healthcare records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached in all of 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health (through one of its subsidiaries, BioReference Laboratories, Inc.), and Clinical Pathology Laboratories [TTA 5 June]. This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or from deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records; 35 were insider-error incidents, with the other 22 due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principles into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional, from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC, through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Telemedicine virtual visits preferred by majority in Massachusetts General Hospital survey

The results are far better than parity with in-person visits for follow-up. A group of 254 patients and 61 health care providers were the subject of a survey conducted by researchers at Massachusetts General Hospital, part of Partners HealthCare, and Johns Hopkins. It found that virtual video visits (VVVs) are perceived by the majority of patients as the same as or better than office visits in convenience and cost, at the same level of quality and personal connection. It measured responses from both patients and providers in the MGH TeleHealth (sic) program, in place since 2012, in follow-up care from providers in psychiatry, neurology, cardiology, oncology and primary care (the last two added late in the survey).

The results were: 

  • The vast majority (94.5%) of patients preferred the travel time (minimal) and time convenience (79.5%) of the VVV
  • Most patients (62.6%) and clinicians (59.0%) reported “no difference” between VVV and office visits on “the overall quality of the visit.”
  • When rating “the personal connection felt during the visit”, over half–but more patients than clinicians–said that there was “no difference” with the VVV (patients, 59.1%; clinicians, 50.8%), although 32.7% of patients and 45.9% of clinicians reported that the “office visit is better”.
  • They were also willing to pay for it–and that increased with distance from the doctor. Among those who traveled more than 90 minutes to an office visit, 51.5% indicated they would pay a co-payment of more than $50 for a VVV compared with 30.4% of those who traveled less than 30 minutes.
  • Results graphs are here

The survey results were published in the American Journal of Managed Care. This month’s issue also examines gamification in healthcare, asynchronous communication between primary and specialty care practitioners at Geisinger, EHRs–and the relationship between data breaches and not surprisingly increased advertising expenditures after the fact to rebuild lost trust. According to this last article, breached hospitals were more likely to be large, teaching, and urban hospitals relative to the control group.

Also UPI and HealthDay.