TTA Where *Is* Spring?: 23andMe’s bankruptcy–the full story & views, Walgreens cleans up, new product launches, mental health in the balance, more!

 

28 March 2025

There’s a lot of spring cleaning on the agenda, with the week opening with 23andMe’s bankruptcy. Clearly the story this week in health tech–and for a reputed 14 million customers frantic about their genetic data. Walgreens continues to settle before selling, three product launches, and clinician mental health is in the balance. And we have a thoughtful contribution from Iris Telehealth on how telepsychiatry can defuse mental health crises before law enforcement is called in. 

Weekend reading: 23andMe updates, a view at variance from the former co-founder, and a deeper historical analysis (Post-bankruptcy legal moves, a view by an ousted co-founder, and Sergei Polevikov’s deep dive)

News roundup: Walgreens settles 10-year-running false claims suit for $5M; UniDoc to buy AGNES Connect; launches from Klarity Health, Tunstall UK, HSE Ireland; VITAL WorkLife survey finds yawning gap in clinician/management mental health perceptions (Walgreens continues to clean up on aisle 3, health kiosks expand connectivity and analysis, three launches, and the sad state of clinician mental health)

Perspectives: As police step back from mental health calls, telepsychiatry steps forward

Breaking: 23andMe files for Chapter 11 bankruptcy–whither customer data and security? An impact similar to Theranos (Updated as the story broke. And why this has turned into a watershed for health tech like Theranos was.)

Last week: Spring–time to clean up the picnic table. The Walgreens financing took an interesting turn, with WBA chairman Pessina doubling his table stakes. Foodsmart lays out a spread for a new CEO from Amwell. A semi-independent NHS England proved to be an unsteady table for the UK Government–off it goes to the thrift store. Veradigm closed its 2022 books–but their table is a bit wobbly. Elsewhere, two mergers, and Congress keeps limited Federal telehealth flexibilities into September. And our guest Perspectives returns with another view on telehealth and accessibility to addiction treatment.

Short takes: interesting takeaways from the Veradigm earnings call, VA cuts ~6 EHRM contracts; mergers for DispatchHealth-Medically Home, Wysa-April Health (‘Standalone’ for Veradigm may be a bumpy road, as costs are cut at VA, and mergers mark ‘hot’ hospital-at-home and telementalhealth)

News roundup: NHS England to be abolished, absorbed into UK DHSC, while IT glitch shorts 5,200 from screenings; Veradigm *finally* files 2022 financials (updated), VA-Oracle EHR now promises 13 installs in 2026 (Government change whacks NHS England, Veradigm reports 2022 at last, and VA to resume more Oracle installs in 2026)

Breaking: Stefano Pessina to near-double stake in Walgreens after Sycamore Partners takeover–reports (Sr. Pessina surprisingly puts a LOT more chips on the table)

Can kicked down road: telehealth flexibilities extended to 30 September (That takes care of the next six months, but the real story is what the FY2026 budget portends for telehealth expansion)

Perspectives: Telehealth Expands Access to Addiction Treatment and Specialized Care, But Navigating Regulations Remains Key (More on how telehealth prescribing affects addiction care)

Breaking: telehealth nutrition provider Foodsmart taps former Amwell COO Kurt Knight as CEO (Moving from traditional telehealth to lead a newly ‘hot’ part of healthcare)

* * *

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

Telehealth & Telecare Aware – covering news on latest developments in telecare, telehealth and eHealth, worldwide.

Breaking: 23andMe files for Chapter 11 bankruptcy–whither customer data and security? An impact similar to Theranos?

The exploding plastic inevitable comes to its inevitable end. 23andMe’s board filed for Chapter 11 bankruptcy in the Eastern District of Missouri (!) Federal bankruptcy court on Sunday night (Case 25-40976). Anne Wojcicki, CEO, 49% controlling shareholder, and board member, stepped down as CEO but remains on the board. The interim CEO is Joseph Selsavage, 23andMe’s chief financial and accounting officer, according to their SEC Form 8-K filing.

According to its announcement, 23andMe will, with court approval, actively solicit asset sales over a 45-day period.

Anne Wojcicki’s final non-binding proposals on 10 and 11 March were rejected by the Special Committee of the board of directors evaluating asset sales and now the bankruptcy.

Anne Wojcicki’s statement on X early on Monday morning was of a piece with her statements as 23andMe entered its death spiral starting in 2023. “We have had many successes but I equally take accountability for the challenges we have today. There is no doubt that the challenges faced by 23andMe through an evolving business model have been real, but my belief in the company and its future is unwavering.” In her post, she also said that she would bid for assets sold by the company. 23andMe has not issued any further statement or response to their former CEO’s comments.

Filing under Chapter 11 rather than Chapter 7 means that 23andMe will continue to operate as it sells assets and eventually shuts down. The disposition of the company’s assets, which include teleprescriber Lemonaid and the large 23andMe genetic database, will be up to the board–including Ms. Wojcicki–and the bankruptcy judge. Those assets and liabilities essentially cancel each other out: $100-500 million in assets and the same in liabilities, according to the filing.

And about that large genetic database: California attorney general Rob Bonta has already advised California 23andMe registered users to delete their data and request that their samples be destroyed. However, as previous articles have discussed, your data remains in de-identified form, a point the AG’s statement doesn’t go into in its “reminder” (more like a press opportunity for a 2026 reelection bid?). Mercury News. See today’s update for how-tos–and experiences in deletion.

23andMe has stated that it will not change the way that consumer data is stored or safeguarded, and will continue to operate as usual through the Chapter 11 process. They published an ‘open letter’ blog for customers that positions them as finding “a partner (Editor’s emphasis) who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on,” which is, frankly, misleading.

Perhaps the Chapter 11 is saving Ms. Wojcicki from a tremendous financial mistake in buying out the rest of the common shareholders, though the filing wipes out her investment in the company. It will be interesting to see the court’s comments on the ownership of what at its peak was a $6 billion-valued public company. CNBC  

This story is developing, but has developed ‘legs’ like Theranos in terms of mainstream impact. When YouTube tarot card readers are covering it….   

Updates 25-26 March   

MedCityNews yesterday recapped the various Wojcicki-led efforts to take the company private as Readers have been following, with the interesting addition that by 10 March, at least one minority shareholder, Zentree Investments, felt slighted. Zentree then bought more Class A stock to boost its ownership stake to 13%. (I wonder how they woke up on Monday.) Unfortunately, there were no further insights on why New Mountain Capital retreated from its short-lived offer to buy 23andMe with Ms. Wojcicki that went sideways by 28 February.  (Perhaps someone found something that led to the mutual conclusion of ‘Are we crazy?’)

The first hearing before the bankruptcy court, the Debtors’ First Day Motions, will be tomorrow, Wednesday 26 March, in St. Louis before the Honorable Brian C. Walsh. 

There is no hint of a pre-packaged bankruptcy leading to a reorganization of the business in any of the materials linked below.

From the Form 8-K and the Kroll case summary (Kroll is the claims agent for the company):

  • 23andMe has agreed with a lender, JMB Capital Partners Lending, LLC, to obtain up to $35 million in a senior secured term loan credit facility (DIP Facility). The debtor-in-possession financing from JMB is to pay for the Chapter 11 administrative costs and for working capital. This is subject to the bankruptcy court’s approval.
  • Subsidiaries of 23andMe (such as Lemonaid) will continue to operate. Lemonaid Health and two pharmacy operations are listed as debtors in the filing.
  • On 21 March, Joseph Selsavage was paid a retention cash bonus of $500,000 for his services through 31 December this year or 23andMe’s emergence from bankruptcy, whichever is earliest. If he leaves before the end of the retention period or is terminated for cause, the entire amount will be clawed back. The only exceptions are death, disability, or departure for ‘good reason’ as defined in the retention agreement.
  • The board was increased to five members, adding Thomas B. Walper as a non-employee member of the board and the Special Committee (formed for buyers) through the 2027 shareholders meeting. He will be paid $35,000 per month. Mr. Walper is a partner at Los Angeles’ Munger, Tolles & Olson LLP and specializes in bankruptcy law.
  • Any transaction will be subject to customary regulatory approvals, including, as applicable, the Hart-Scott-Rodino Act and the Committee on Foreign Investment in the United States.

From the 23andMe release:

  • The Special Committee rejected Anne Wojcicki’s final bids in the amended Schedule 13D made on 10 and 11 March.  
  • The company in the Chapter 11 will sell substantially all of its assets in a Section 363 sale.
  • Matt Kvarda, a managing director at Alvarez & Marsal, was appointed as chief restructuring officer.
  • First day motions (tomorrow) include requesting from the court authority to pay employees and certain vendors, reducing operating expenses such as real estate leases, and resolving all outstanding legal liabilities stemming from their October 2023 cyber incident.

Since 23andMe’s database includes personally identifiable information and Lemonaid stores medical information as a prescriber of various remedies, it is possible, though not yet confirmed, that Federal entities such as HHS will be involved in approving asset sales that include patient information. Those who submitted their tests for genetic analysis are not covered by HIPAA and in fact signed away many of their privacy rights in their submission.

Information on deleting your user records if you used 23andMe, or you know someone who needs to know how:

Contrary to what many would like to have or to believe, 23andMe retains parts of user information after user deletion, such as: genetic information, date of birth, and gender “as required for compliance”; deletion request information “including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements.”

Despite this, deleting your account is the wisest move, according to every expert this Editor has read.

Basically, you are deleting your account, revoking any research consent, and destroying any samples they may have retained. Simple, eh? Not quite! Step-by-step how-to guides are available on ZDNet (simplest) and TechCrunch (scroll to the end). This Editor cannot test as she never used 23andMe. Arundhati Parmar of MedCityNews’ experience in attempting this process is chronicled in a LinkedIn video and on TikTok. Expect website crashes, slow responses at best, and more than a few hitches.

New: FierceHealthcare’s Dave Muoio riffs on the data privacy issues, which can be summarized as a “data stewardship crisis”. The few protections that members/users have are based on consumer protection laws. 23andMe’s privacy policy, as noted above, was explicit about the minimal protection they offered and that they had the right to access, disclose to others, and sell your genetic information: “your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.” Mr. Muoio reached out to experts at SOCRadar, QuantHealth, the Future of Privacy Forum, the Holland & Knight law firm, Pixel Privacy, and others. The consensus is that state and Federal safeguards are wholly inadequate.

Editor’s opinion:

23andMe’s cavalier attitude during their 2023 data breach, caused by their sloppy security (well documented by others and analyzed in our article here with previous articles linked within it) but blamed by their management on members reusing passwords, was symptomatic of a certain arrogance and attitude. By 2023, the company was already in trouble. Why would anyone believe that they’d be any less cavalier about personal genetic information?

Will this be another ‘watershed’ event like Theranos? The level of mainstream consumer media coverage the 23andMe bankruptcy has received reminds this Editor of the demise of Theranos. But here, there is no glamorous young founder in a black turtleneck jetting about and working in a Silicon Valley high-tech lab perpetrating a fraud. Here, the founder and key shareholder is a mature wealthy woman who kept a fairly low profile, the technology worked, the consumer business broke fresh consumer ground and, for its time, getting your genetic information and ancestry was a popular concept. GSK’s five-year deal was completed–not renewed, but no lawsuits ensued. What was way off was its $6 billion valuation in 2021 after its SPAC and IPO.

Its faltering wasn’t news like Theranos or (for that matter) Walgreens either. The concatenation of failures along the way, save for the 2023-24 data breach/hacking, which was news and drove away customers by the carload, was hardly noted at all. Yet suddenly, everyone who ever dealt with 23andMe is anxious about their DNA being sold, with rumors of nefarious buyers, from Bill Gates to China, popping up with notorious frequency.

We’ll see if this leads to change in genetic privacy laws and policies.

News roundup: 4.3M HealthEquity member data breach, CrowdStrike health fallout, more Congress pounding of VA/Oracle; Flo app now unicorn (UK), fundings for Clarapath, CoachCare; AvaSure buying Ouva

Health savings account (HSA/FSA) provider HealthEquity had a three-month breach that compromised 4.3 million member accounts. The breach originated with an undisclosed third-party vendor, in a pattern that has become familiar. According to HealthEquity’s filing with the Maine attorney general (though HQ’d in Utah), the breach occurred in that vendor’s “unstructured data repository” at HealthEquity, outside of their core systems, after the hacker stole the password of a vendor user account. Unfortunately for HealthEquity, the hack that started in March wasn’t discovered until 26 June, giving the hacker free rein in that repository for three months. What’s surprising is that the breach wasn’t worse.

HealthEquity is a third-party administrator of FSA/HRA, commuter, COBRA, and lifestyle plans for employers.

The Maine AG filing states that the information stolen may include customer names, addresses, phone numbers, Social Security numbers, information about the person’s employer, benefit type, diagnoses, prescription details, the person’s dependents (if any), and some payment card information. With HealthEquity claiming 15 million+ members, the breach affects a substantial 29% of its membership. The actions they are taking are to notify members and provide them with credit monitoring services through Equifax with a reference guide. HealthEquity notification page, TechCrunch, HealthcareITNews
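The HealthEquity item above turns on two things a defender can instrument: a single vendor credential gave access to a repository outside the core systems, and nobody noticed for three months. The block below is an added example (not HealthEquity’s code or any vendor product) of a baseline-and-deviation check for third-party service accounts: learn each account’s usual source networks and read volume from a quiet period, then flag later reads from a new network, at off hours, or far above the account’s mean. The access log, the field layout, the thresholds, and the business-hours window are all constructed assumptions.

```python
"""Baseline-and-deviation check for third-party (vendor) accounts reading a data repository.

Added example for the HealthEquity item above; SAMPLE_ACCESS is a constructed access log
(not HealthEquity's), and the field layout, thresholds and business-hours window are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# (timestamp, account, source network, bytes read) -- constructed records.
SAMPLE_ACCESS = [
    # Learning window: a vendor batch job, business hours, its usual network, modest reads.
    ("2024-02-05T10:00:00", "svc-vendor-etl", "203.0.113.0/24", 120_000),
    ("2024-02-06T10:05:00", "svc-vendor-etl", "203.0.113.0/24", 118_000),
    ("2024-02-07T10:02:00", "svc-vendor-etl", "203.0.113.0/24", 125_000),
    ("2024-02-08T10:00:00", "svc-vendor-etl", "203.0.113.0/24", 121_000),
    # Detection window: same credential, new network, 02:40, fifty times the usual volume.
    ("2024-03-12T02:40:00", "svc-vendor-etl", "198.51.100.0/24", 6_000_000),
    ("2024-03-13T03:10:00", "svc-vendor-etl", "198.51.100.0/24", 5_800_000),
    # The legitimate job keeps running alongside the abuse and must not be flagged.
    ("2024-03-13T10:00:00", "svc-vendor-etl", "203.0.113.0/24", 119_000),
    # An account with no history at all is flagged on first sight.
    ("2024-03-14T10:00:00", "svc-vendor-new", "203.0.113.0/24", 1_000),
]

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; assumption
VOLUME_MULTIPLIER = 5.0         # flag reads above 5x the account's mean; assumption


def build_baseline(records, cutoff_iso):
    """Per account: the source networks seen and the mean bytes read before the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    nets, vols = defaultdict(set), defaultdict(list)
    for ts, acct, net, nbytes in records:
        if datetime.fromisoformat(ts) < cutoff:
            nets[acct].add(net)
            vols[acct].append(nbytes)
    return {a: {"networks": nets[a], "mean_bytes": sum(v) / len(v)} for a, v in vols.items()}


def find_deviations(records, cutoff_iso):
    """Return one alert per record at or after the cutoff that deviates from the baseline.

    Each alert carries every reason that fired, so an analyst sees at a glance whether
    it is a new network, a volume spike, an off-hours read, or an account with no history.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(records, cutoff_iso)
    alerts = []
    for ts, acct, net, nbytes in records:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            continue
        reasons = []
        base = baseline.get(acct)
        if base is None:
            reasons.append("no baseline for account")
        else:
            if net not in base["networks"]:
                reasons.append(f"new source network {net}")
            if nbytes > VOLUME_MULTIPLIER * base["mean_bytes"]:
                reasons.append(f"read volume {nbytes} vs mean {base['mean_bytes']:.0f}")
        if t.hour not in BUSINESS_HOURS:
            reasons.append("off-hours access")
        if reasons:
            alerts.append({"ts": ts, "account": acct, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(SAMPLE_ACCESS, "2024-03-01T00:00:00"):
        print(alert)
```

On the constructed log, the two night-time reads from the unfamiliar network fire on all three checks, the vendor’s normal daytime job stays quiet, and the never-seen account is flagged on its first read. In practice the baseline would be rebuilt on a rolling window and the alert routed to whoever owns the vendor relationship, since the vendor, not the repository owner, is usually the only party who can say whether the new network is theirs.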

CrowdStrike’s antivirus software update that went waaaay sideways continues its fallout. As most know, it happened when they pushed an update and patch to Falcon, a cloud-based anti-cyber attack product that uses AI to detect intrusions. Well, Falcon’s AI wings were fractured on that 19 July push, where testing was apparently lacking, and BSOD became their new thing. What made the news was the devastating effect on 8.5 million Windows devices (only about 1% of them): Delta Air Lines’ aircraft scheduling, and the shutdown of many systems such as 911 and police within cities and states. But apparently a curtain was drawn around the healthcare bed. EHRs were affected at major systems such as Kaiser Permanente, Providence, Henry Ford Health, Nationwide Children’s Hospital, the Dana-Farber Cancer Institute, Mass General Brigham, RWJBarnabas Health, Penn Medicine, and Seattle Children’s Hospital, causing postponements of medical procedures. At Providence, it took down 15,000 of the organization’s servers, as well as about 40,000 of its 150,000 computers. It was the equivalent of a cyberattack without being a cyberattack. According to industry analyst Parametrix, US Fortune 500 companies (excluding Microsoft) lost a total of $5.4 billion. MedCityNews

With this kind of devastation, it’s no surprise that these companies and the government are rethinking their approach to cloud computing. They’re very concerned about the oligopoly of three providers: Google, Microsoft, and Amazon. Microsoft has 40% of the cybersecurity market, with CrowdStrike’s 15% concentrated in larger organizations. “We’re reaching the point where over-centralization makes us less ‘healable,’ and less resilient,” Robert Thomas, owner of cybersecurity company 180A Consulting, said. “We’re losing our resiliency as a nation.” Systems are still not back up and neither is the CrowdStrike stock. Rumors do persist that they were hacked. Epoch Times. Microsoft also published a recovery tool for IT administrators to expedite the repair process. FierceHealthcare

The House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing on 22 July had some further flak-gathering from committee members. Most of the criticism concentrated on the joint MHS/VA rollout at Lovell Federal Health Care Center and the amount of work it required to get the Oracle Cerner EHR to work mostly right. While VA and Oracle leaders insist that Lovell went better than anyone expected, the resources used at Lovell cannot be duplicated at the remaining VA facilities. VA is already facing a $15 billion shortfall for FY 2024 and 2025. The Lovell center had a persistent problem in processing prescriptions, with 60% going unfilled. In the words of committee member Sheila Cherfilus-McCormick (D-Fla.), “I think we are far from ready to endorse further go-live activities. The two departments threw more resources at this go-live than will ever be available at any future VA facility.” Healthcare Dive. Earlier coverage TTA 24 July

The UK women’s health app Flo is now a unicorn. Their Series C of $200m (£156m), funded solely (and unusually) by General Atlantic, put them at a valuation of over $1 billion. Their total funding is $275 million. Two General Atlantic executives will be joining Flo’s board, Tanzeen Syed, managing director, and Jessie Cai, principal. Flo helps users track ovulation and menstrual periods, enabling calendaring of fertility, and monitoring of over 70 symptoms. It also assists with pregnancy health guidance. The raise will be used to expand into new user segments including perimenopause and menopause. Its current base is 70 million monthly active users (MAUs) and close to 5 million paid subscribers. Flo is marketed in 66 countries, including the US, India, Indonesia, and Nigeria, with centers in Lithuania and the Netherlands.  Release, UK Tech News

Funding/M&A wrap:

Clarapath, a medical robotics developer based in White Plains, NY, scored $36 million in a Series B-1 funding round from Northwell Ventures with participation from new investors Ochsner Ventures, CU Healthcare Innovation Fund, and Mayo Clinic. Clarapath automates pathology lab work. Its SectionStar platform sections biopsy tissue with improved accuracy. It is pre-revenue with a total of $75 million in funding. Axios, Mobihealthnews

CoachCare, a remote patient monitoring/virtual health monitoring developer for practices and health systems, added $48 million in an unlettered venture round funding led by Integrity Growth Partners with participation from Topmark Funding. The platform combines software and connected devices with outreach for RPM, chronic care management, and other virtual care for about 150,000 patients. Funding to date is $49 million. It has acquired four companies in the past year: NVOLVE, CareSpan Health, Alertive (formerly part of Carbon Health), and WebCareHealth. Release, Mobihealthnews

Another virtual care company, AvaSure, is acquiring Ouva’s smart hospital room solutions. Ouva has been partnering with AvaSure to supply AI-enhanced care automation technology. The acquisition will expand the ambient AI capabilities of AvaSure’s Intelligent Virtual Care Platform and double in-house AI engineering resources. AvaSure’s primary market is hospitals. Ouva will continue as a separate company with its pediatric and wayfinding business. Cost is not disclosed. Release, HIStalk 7/31

News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA) said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach which started in late February. Knowing the extent of the breach is needed to start notifications. It has not formally notified HHS of the breach long past the 60-day mandated window (see #3 in the HHS FAQs). This may create an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page that has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job, which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take was that threats are more common than ever; bad actors are abundant and getting better (using tools that can make amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code.”); managing weaknesses in third-party vendors that live in the cloud is a Herculean task; phishing remains a constant; and ‘government’ needs to be involved.

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite its struggles with Minute Clinics and Oak Street. Notwithstanding the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100 total, plus CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy revenue cycle and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding, for a total of $26 million. Crunchbase, Mobihealthnews

News roundup: Bright Health now NeueHealth; breached patient records double, RCM as vector for hacking; Amazon’s CCM marketplace; JPM reflects the new reality; fundings for Vita Health, Turquoise, CardioSignal

Bright Health Group switches off, takes on NeueHealth name. Now that Bright Health has sold its remaining operating health plans to Molina Healthcare [TTA 3 Jan], with others closed down or insolvent like Texas [TTA 12 Dec 23], they have smartly pivoted to the name of their remaining value-based primary care operation, NeueHealth. (Inexpensive, too.) Accordingly, on 29 January, their NYSE listing will convert from BHG to NEUE. The stock closed today at $13.25, well down from its 52-week high of $79.04. NeueHealth’s operations are divided into NeueCare, which is comprised of their owned clinics and partnerships with affiliated providers, and NeueSolutions, a management services entity that organizes independent providers and physician groups into performance-based ACA Marketplace, Medicare, and Medicaid-based ACO models, including the advanced performance ACO REACH program, which covered 60,000 beneficiaries in 2023. Unsurprisingly, the company HQ is moving from chilly Minneapolis to much warmer Doral, Florida, nearer to three of their major clinic networks and 150,000 of its claimed 275-295,000 ‘health consumers’ forecast for 2023. 2023 revenue forecasts for NeueCare are $250-275 million and NeueSolutions $890 million. They have also stated that the corporate move will not affect jobs remaining in Minneapolis, which may be few.

As to the bills coming due for CMS liabilities and debt owed to New Enterprise Associates now that JP Morgan has been paid…not a word. We continue to hand it to Bright, now NeueHealth, for the Best Gordian Knots in Healthcare. Release, Healthcare Dive

Patient records exposed in data breaches doubled in 2023 versus 2022. According to an analysis by cybersecurity firm Fortified Health Security of HHS’ Office for Civil Rights (OCR) data, which tracks data breaches, in 2023 there were 116 million patient records exposed, topping the over 100 million of 2015, with over 655 breaches, a decrease from 2022’s peak of 721. Of that 116 million, over 112 million were from three health plan breaches: Anthem, Premera Blue Cross, and Excellus. Ten-year total? A stunning 489 million. What also increased over those 10 years, by 143%, were breaches stemming from business associates–vendors providing services to the covered entity. The just-published Horizon Report (free, available for download here) also reveals that the average recovery cost for a breach is $9.48 million. And health plans and systems are cutting IT staff? Healthcare Dive

One way that hackers are finding their way into healthcare organizations is via ‘social engineering’, but not always of employees. They’re targeting business associates at revenue cycle management (RCM) companies serving health systems and hospitals. The American Hospital Association is warning members that hackers are cannily evolving their tactics to defeat security procedures such as multi-factor authentication, and that members have to anticipate those tactics. From Becker’s, hackers “steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions. They then request to reset their passwords and enroll new devices, getting full access to the employees’ accounts and diverting payments to fraudulent bank accounts.” The fraudulent accounts are US-based, with the funds then diverted overseas. The AHA recommends, at minimum, a call back to the employee on these new device enrollments, a call to the person’s supervisor, or, as in the case of one health system, a physical appearance at the help desk. AHA article
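The AHA’s callback advice is a process control, but the same pattern is also easy to detect after the fact in identity logs: a help-desk-initiated password reset, a new MFA device enrolled shortly afterwards, and then a change to payment or bank details. The block below is an added example (not the AHA’s, Becker’s, or any identity provider’s code) of that correlation run over a constructed event log. The event names, fields, time windows, and the verified_by_callback flag are assumptions chosen for illustration; in practice they map to whatever the help-desk ticketing system and identity provider actually emit.

```python
"""Correlate identity events to surface the help-desk reset pattern described above.

Added example; the event names, fields and time windows are assumptions, not any
identity provider's schema. SAMPLE_EVENTS is a constructed log, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, deliberately out of order to show the sort step.
SAMPLE_EVENTS = [
    {"ts": "2024-01-09T14:30:00", "user": "rcm.clerk1", "type": "payment_account_changed"},
    {"ts": "2024-01-08T09:02:00", "user": "rcm.clerk1", "type": "helpdesk_password_reset",
     "channel": "phone", "verified_by_callback": False},
    {"ts": "2024-01-08T09:15:00", "user": "rcm.clerk1", "type": "mfa_device_enrolled",
     "device": "mobile-7781"},
    # A reset the help desk confirmed by calling the employee back: benign.
    {"ts": "2024-01-10T11:00:00", "user": "nurse.ops2", "type": "helpdesk_password_reset",
     "channel": "phone", "verified_by_callback": True},
    {"ts": "2024-01-10T11:20:00", "user": "nurse.ops2", "type": "mfa_device_enrolled",
     "device": "mobile-1010"},
    # A device enrollment with no preceding reset: not this pattern.
    {"ts": "2024-01-11T08:00:00", "user": "it.admin3", "type": "mfa_device_enrolled",
     "device": "laptop-3"},
]

RESET_TO_ENROLL = timedelta(hours=24)   # a new device soon after a reset is the red flag
ENROLL_TO_PAYMENT = timedelta(days=7)   # bank-detail change after that escalates severity


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return one finding per unverified help-desk reset followed by a new MFA device.

    Severity is 'critical' when a payment account change follows the enrollment within
    ENROLL_TO_PAYMENT, otherwise 'high'. Resets confirmed by a callback are skipped.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_t)
        for i, reset in enumerate(evs):
            if reset["type"] != "helpdesk_password_reset" or reset.get("verified_by_callback"):
                continue
            enroll = next((x for x in evs[i + 1:]
                           if x["type"] == "mfa_device_enrolled"
                           and _t(x) - _t(reset) <= RESET_TO_ENROLL), None)
            if enroll is None:
                continue
            payment = next((x for x in evs
                            if x["type"] == "payment_account_changed"
                            and _t(enroll) < _t(x) <= _t(enroll) + ENROLL_TO_PAYMENT), None)
            if payment:
                severity = "critical"
                action = ("hold the payment change, call back the employee and supervisor, "
                          "and remove the new device until confirmed")
            else:
                severity = "high"
                action = "call back the employee and supervisor to confirm the reset and device"
            findings.append({"user": user, "reset_at": reset["ts"],
                             "new_device": enroll["device"],
                             "severity": severity, "action": action})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed log only rcm.clerk1 is flagged, as critical, because the unverified phone reset, the new device, and the bank-detail change all fall inside the windows; the nurse’s reset was called back and the admin’s enrollment had no reset before it. Tying the finding to the help-desk ticket’s callback flag is what keeps the alert volume sane, which is the same reason the AHA asks for the callback in the first place.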

Amazon enters the chronic care management field through a tried-and-true (for them) vector–e-commerce. Search for a health device like a glucose monitor, a blood pressure cuff, or pulse oximetry, and receive a ‘direction’ to a management service that they may be eligible for at no or low cost through their employer or private health insurance. The kickoff partner with Amazon is chronic care management company Omada Health in the diabetes prevention, diabetes, and hypertension categories. Omada claims 20 million eligible members across 1,900 enterprises. This mode may get better traction with Amazon shoppers than directly providing them with health services such as Amazon Pharmacy, One Medical (primary care), and Amazon Clinic (asynchronous telemedicine). Omada didn’t disclose the revenue model. Omada release, Healthcare Dive

Wrapping up the JP Morgan healthcare conference, the New Reality permeated it, even if some didn’t want to admit it. As this Editor projected back in December, the board is being cleared of the also-rans and never-should-have-beens. You see a general cleansing of the cant and hype infecting a sector, which is initially unnerving. We are cycling through this stage fairly rapidly to emerge…where, we don’t quite know yet. Unlike some other publications, MedCityNews can never be mistaken for an industry cheerleader (even if you have to read between the lines). Their extensive coverage confirmed this emerging view of 2024.

  • Katie Adams didn’t make it to SF for her article on nine JPM takeaways, but she sussed out that life sciences isn’t ready for AI, GLP-1 drugs won’t solve obesity, transactional telehealth for urgent and behavioral care is over, founders are trying to figure out fundraising timelines, and retail clinics are suddenly Not All That. And more.
  • Arundhati Parmar profiled a company–one of all too many–that cycled from high to low: Butterfly Health. They started in 2011 to develop the first point-of-care handheld ultrasonic probe using a semiconductor chip that connected to a smartphone, became a unicorn by 2018, went public via a SPAC in 2021 at over $19, cracked hard, and now trade around $1. Their new CEO used the JPM platform to explain that their 2023 revenue slide wasn’t so bad because they were working their way through the longer-than-they-ever-imagined adoption curve by cutting $200 million in costs out of the company and building up their cash reserve. They may survive, or not, given that the competition has names like GE Healthcare, Philips, and Siemens. But their ideas around selling the technology of the semiconductor chip to healthcare companies outside of ultrasound and opening their POCUS to developers (like Apple) are clever. It sounds like a company that could fit into a PE portfolio, if only some wallets and checkbooks opened.

And another marker of the New Reality: Scripps Health in San Francisco, hit hard by a cyberattack in 2021, announced at JPM that they hired Todd Walbridge, recently retired from the FBI as their supervising agent in their San Diego cybersecurity hub, as senior director for corporate and system safety and security. He had worked with Scripps on their cyberattack during his diverse career with the FBI. Mr. Walbridge is not only in charge of cyber, but also of physical security as workplace violence and assaults on staff have soared. FierceHealthcare

And we’ll wind up with some fundings, modest ‘green shoots’ in winter:

  • Vita Health, based in Connecticut, secured $22.5 million from seven investors for their suicide prevention and therapeutic telehealth platform. A 2022 seed raise totaled $8.38 million. Release, Mobihealthnews
  • Turquoise Health, based in San Diego, gained a $30 million Series B investment from four investors for expansion of its healthcare pricing platform used by 160 healthcare organizations. 2021-22 seed and Series A raises totaled $25 million. Price transparency is a 2024 hot button issue from government to enterprises to payers. Release, FierceHealthcare  
  • CardioSignal raised another $10 million in a Series A from three investors, bringing total funding to $23 million. Based in Finland and Palo Alto, CardioSignal uses a smartphone’s accelerometer and gyroscope sensors to analyze precordial micro-vibrations caused by cardiac motion. The initial analysis is completed in one minute; after a transfer to their cloud site for additional analysis, the result is returned in about one minute. Release, Mobihealthnews

Short takes: ransomware op BlackCat busted by FBI, websites shut–for now; health systems lay off IT staffers; retailers collecting way too much PII including health

FBI busts BlackCat/ALPHV ransomware. In an Eliot Ness-like move, the Federal Bureau of Investigation (FBI) got busy and delivered a nice present to healthcare organizations for Christmas. According to two 19 December articles in Bleeping Computer (article 2), the FBI seized operational darknet websites for the ALPHV ransomware operation (article 1) and created a decryptor to help approximately 500 companies recover their data for free, negating $68 million in ransom demands. The details are a little thin, but Bleeping reconstructed in article 2 what they could out of the search warrant. The FBI arranged with a confidential human source (CHS) to become a backend affiliate, meaning the CHS could log in and use ALPHV’s affiliate panel to manage extortion and ransom campaigns. It sounds like a rather nifty platform with lots of management and negotiation tools if you’re extorting a victim company. How the FBI got the decryption keys is another matter they are mum on, as the keys are not available through the affiliate panel, but “they obtained 946 private and public key pairs associated with the ransomware operation’s Tor negotiation sites, data leak sites, and management panel”.

US law enforcement was assisted by their counterparts in Europol, plus law enforcement in Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria. This is the third breach of the same gang; as Bleeping Computer put it, they’ll “rebrand under a new name as they have done in the past” in a few months.

But maybe faster than that. Some added details from Healthcare IT News sourced from KrebsonSecurity: BlackCat briefly unseized its darknet site, wiped out the FBI seizure screen (image courtesy Bleeping Computer), and put in a ‘we’re unseized’ notice (in the Krebs article) that they were still open for business at a different location, offering affiliates a 90% payout, and telling affiliates they could ransomware anything, anywhere (hospitals and nuclear plants cited!) except targets located in Russia and the CIS.

Given ransomware, hacking, cybersecurity threats, and maintaining/upgrading operations, you’d think hospitals would be hiring, not firing, IT workers. But noooooo. Becker’s listed seven health systems that are either pinkslipping IT staff or transferring them to outsourced companies. They are Kaiser–115 nationwide; Novant Health–unknown due to ‘changing up their IT system’; Tower Health (Reading PA)–outsourced staff to a vendor; Mass General Brigham–staff reduction via voluntary buyouts in effect 22 November; Bon Secours Mercy Health–layoffs plus eliminating open roles; Care New England–outsourced staff to health IT provider Kyndryl; Franciscan Health–moved 61 to a vendor. Penny wise, pound foolish.

Here’s more than money you’ve left behind with your online holiday shopping–data, and lots of it. This study from Incogni Research is unnerving, as it goes far beyond what you think you’ve shared–you buy nasal spray in the winter, allergy eyedrops in the spring, etc.–to what retailers are actually collecting on you. This Editor will cite only the companies in healthcare–CVS, Walgreens, Amazon, and Walmart–according to their study:

  • All four collect PII data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
  • Walmart, CVS, and Walgreens additionally collect Social Security numbers, union membership status, and sex-life data.
  • Their apps collect 15 to 20 data points, such as exact location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, and device or other IDs.

Users can opt out of some of these, but most do not. And some go to third parties. And all had been breached at one time or another, whether at the retailer or at the vendor level. Prepare to be shocked and dismayed. Release on DR Journal

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated: “We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried up gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More from SC Media on these reports:

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one and five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated: PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. Among them are a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. These were before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media

Who’s buying, selling, funding wrapup: athenahealth IPO deux?, NextGen EHR buys reseller TSI for $68M, Cloudwave buys Sensato; fundings for Lumen, UpStream, Aide Health

athenahealth may go public a second time. This was teased by CEO Bob Segert in the Boston Globe (paywalled) earlier this week. He claimed in the article that since the company went private in 2019, they have added nearly 2,000 clients each year of the past three and that revenues are in the billions. Healthcare IT News recaps some of their moves from going from public to private and downsizing to today. Their other news is that they have instituted a clinical advisory board of 30 members (!) to provide feedback and guidance on clinical features and direction to athenahealth’s product team. One hopes that the sharper members advise a change in the first letter of their name from the oh-so-twee lowercase to an uppercase ‘A’. 

NextGen Healthcare, an EHR/EMR and revenue cycle management software provider for medical/dental practices, is acquiring reseller partner TSI Healthcare. The agreement is for $68 million in cash upfront, with a contingent consideration of up to $22 million in cash if TSI meets certain goals by March 2025. TSI has been a NextGen reseller for 16 years. The acquisition will enable NextGen to expand in key specialties including rheumatology, pulmonology, and cardiology. No mention is made of management or staff transition, nor of SEC review as NextGen is a publicly traded company on Nasdaq. Hat tip to HISTalk 2 Dec. Release, BusinessJournals Triangle

Massachusetts-based Cloudwave is acquiring Sensato Cybersecurity to increase its cybersecurity capabilities. Cloudwave provides cloud services hosting with cybersecurity capabilities exclusively to healthcare organizations. Sensato adds cybersecurity-as-a-service (CaaS): managing security needs, determining where security gaps are, and threat intelligence. Transaction price and details were not disclosed, but Sensato’s founder John Gomez will join CloudWave as chief security and engineering officer. Healthcare IT News

Cybersecurity continues to be top-of-mind for healthcare organizations. The latest Big Data Breach at CommonSpirit Health system hospitals got even worse, with the third-party breach of an undisclosed number of patient records at their Franciscan Health hospitals in September and October. This followed the ransomware attack on other CommonSpirit system hospitals’ EHRs in October. Healthcare IT News

As we near the end of the year, funding is wrapping up with a flurry in some surprising areas: optimizing metabolism, and care coordination for chronic conditions that reduces the burden on primary care practices/GPs. One of the latter is an early-stage company in the UK.

  • Lumen’s $62 million Series B was led by Pitango Venture Capital with Hanwha Group and Resolute Ventures. Lumen measures metabolism via a handheld, breathalyzer-like device equipped with a CO2 sensor that analyzes whether the body is burning fats or carbs for fuel, information which can promote weight loss, energy for fitness, and sleep. With that data, the app delivers to users personalized meal plans and nutrition, along with when to eat. The new funding will be used to expand these nutrition and lifestyle coaching services. The device is sold direct to consumers, with the app services sold on a SaaS basis: three yearly plans with a range of services from $249 to (on sale) $349. Mobihealthnews, MedCityNews
  • Another Series B raise of $140 million went to UpStream, for total funding of $185 million. UpStream is in the decidedly unsexy area of care coordination, workflow, and financial platform technology for groups of advanced primary care practices enrolled in value-based full-risk care models, most of which are centered around Medicare and Medicare Advantage. They also deploy pharmacist-led care teams into primary care practices. Their platform and services are free to the practice, with a risk-sharing agreement that pays UpStream through savings (upside risk) but also holds them accountable if savings are below the benchmark (downside risk). Practices are paid on quality during the performance year versus having to wait for CMS to pay in Q3-4 of the following year. This is an MSO (management services organization) ‘in a box’ that is mainly technology-based, versus organizing ACOs–a new wrinkle for this Editor, who used to market in this area. MedCityNews, Mobihealthnews
  • Aide Health is a clinician-to-patient platform for better management of chronic conditions, now bolstered with £1 million in pre-seed funding. Founded by Ian Wharton, CEO, and Brian Snyder, COO, the platform measures physical, mental, and social wellbeing markers for more proactive care. Aide is piloting with the NHS for asthma or Type 2 diabetes with a cohort aged 18 to 75. Funding was led by Hambro Perks through its EIS fund, with participation from Fuel Ventures, 1818 Ventures, and APX. BusinessCloud (UK)

Weekend short takes: May telehealth claims up to 5.4%; three health plan breaches, one at its law firm–affecting over 400,000 patients; layoffs hit Calm, Truepill (updated)

FAIR Health’s telehealth claims took two bumps up, in April and again in May. In April, telehealth medical claims moved slightly upward to 4.9% from March’s 4.6%, but May increased 10% to 5.4%, a percentage not seen since May 2021. Mental health conditions still make up the vast bulk of claims at 62.8%, but 3.6% of telehealth claims involve COVID-19 diagnoses, with 3.2% of claims for respiratory diseases and infections. This is attributed to a regional increase in the Southern and Western states of the latest variants of COVID-19. FAIR Health monthly tracker main page

Priority Health, a Michigan-based nonprofit health plan company, was breached through its law firm Warner Norcross & Judd (WNJ). The October 2021 breach at WNJ wasn’t reported to Priority Health until 6 June. The unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012. 120,000 members were affected. What the information was doing at the plan’s law firm was not disclosed. Priority Health is Michigan’s second-largest plan with over one million members.

In other breaches, Texas-based Behavioral Health Group (BHG) had a data incident that affected 197,507 individuals. The unauthorized party had potentially removed certain files and folders from portions of its network on 5 December 2021. The files include names, Social Security numbers, driver’s license numbers, financial account information, biometrics, medication information, medical record numbers, dates of service, passports, payment card information, and health insurance information. However, the information accessed doesn’t appear to have been misused.

First Choice Community Healthcare in Albuquerque, New Mexico, also had a data security incident that involved 101,541 patients. The PHI in the 27 March breach included names, Social Security numbers, patient ID numbers, medications, dates of service, diagnosis and treatment information, birth dates, health insurance information, medical record numbers, patient account numbers, and provider information. Again, there appears to be no misuse to date. HealthITSecurity

More health tech companies lay off staff.

  • Calm, one of those incessantly advertised (in US) meditation apps, is discharging 20% (90) staffers, at least 12 in marketing, according to a report in the Wall Street Journal (may be paywalled). From this Editor’s LinkedIn post in response to early reports:
    • Calm was strategically ‘off’ in spending. They overspent on direct to consumer–expensive TV spots on major networks and sponsorships, paid social and search. If you wanted Calm’s full features, you paid for them. Expensive meditation apps are merely a “nice to have” and there are a bunch of free ones available. 
    • There’s also too much app overlap and mistargeting out there. Calm was trying to sell the app to businesses as a benefit (ROTFL) but was hedging its bets with buying Ripple, which designs apps for care coordination and condition management (another crowded area).
    • Another sign–new sole CEO named this summer. Now sole CEO David Ko came from Ripple and the two Calm founders moved over to co-chair roles.
    • This is a company that raised well north of $200 million to become a $2 billion unicorn as early as 2019, another sign of too much cash, too soon, and VCs/equity investors following the fad. ‘Mindfulness’ became a fad as early as 2018.
  • Truepill is up to its third layoff–33% or 175 staff, including all UK staff plus much of the product and data teams. Their cutbacks relate to multiple failures, the first in betting on ADHD controlled substances, the second in blowing through vast amounts of funding while being unable to obtain more (a Series D of $142 million but unable to float a Series E). Truepill’s ADHD med bet fell apart with its relationship with Cerebral, now under Federal investigation [TTA 16 June]. As early as May, Truepill, Cerebral’s primary mail order provider, had stopped filling their prescriptions for Schedule 2 medications [TTA 1 June]. This follows on a June layoff of 15% or 150 people. Truepill had also expanded into telehealth and diagnostics, two areas which will only be lightly supported going forward. TechCrunch

Mid-week news roundup (updated 18 Aug): CVS eyeing Signify Health for in-home/VBC; Babylon Health mixed pic of revenue and losses up; Geisinger doubles telemed specialties; connected IoT devices expand cyber-insecurity (more); Owlet layoffs

CVS has dropped another sandal in their quest to add primary care and home health to their portfolio [TTA 5 Aug]. Reports indicate that CVS Health is bidding to acquire Signify Health, which is up for sale. Signify is best known as a major provider of in-home health care in both evaluations and community-based services, with users such as health plans, health systems, community groups, non-profits, and government. In March, they added provider value-based care with Caravan Health, a mid-sized Accountable Care Organization (ACO) management service organization (MSO), for $250 million. This would give CVS both leverage in in-home care and access to value-based care models in health systems and practices, adding a network of jumbo (100,000 lives+) ACOs to Aetna’s 500 ACOs.

Signify did take a bit of a bath with its acquisition/merger of Remedy Partners in 2019, which marked their entry into the Federal shared savings programs around Episodes of Care. While it created a $600 million company, Remedy’s Episodes of Care in the CMS Bundled Payments for Care Improvement (BPCI) program was always problematic for Signify on multiple levels (Editor’s experience). Signify announced its exit from the successor BPCI-A (Advanced) model last month to concentrate on home care and the Caravan business. The wind-down, which will take some time as these are Federal programs through CMS, will save Signify about $115-120 million in costs, compared to their annual direct and shared costs of $145 million. Restructuring costs such as severance may be only $35 million. After IPO-ing in February 2021 at $24 per share, it has only recently climbed back to $23, having hit a 52-week low of $10.70. FierceHealthcare, HealthcareFinanceNews

Updated: Perhaps in preparation for acquisition, Signify Health is shedding 489 people starting 1 October, including 45 in Connecticut, with the remainder in Texas, South Dakota, and New York. The information comes from required notices to the Connecticut Department of Labor. The majority of employees affected are remote workers. It appears to be related to Signify’s winding up of BPCI and Episodes of Care activity, which are likely on calendar year contracts. The legacy company, Remedy Partners, had been headquartered in Connecticut with staff in New York. Moving forward with layoffs now makes the company more attractive for sale, as the separation expenses will not be an acquiring company’s liability. The 1 October start date is also a tell. CT Insider, Becker’s

A mixed picture for Babylon Health. Its Q2 results were up substantially in revenue–4.6x year-over-year from $57.5 million to $265.4 million–along with key indicators such as US members up 220% and a 7.5% improvement in medical margins over three quarters. The US has been very very good to Babylon, with value-based care membership growing 3.2x year-on-year to a total of approximately 269,000 US VBC members, and 40% of its VBC revenue coming from Medicare contracts. However, losses are up along with growth–a $157.1 million loss compared to $64.9 million in the prior year. Babylon at end of July announced worldwide layoffs of at least 100 people of its current 2,500 in their bid to save $100 million in Q3. Babylon release, Mobihealthnews

Geisinger Health was one of the pioneers in telehealth and remote patient monitoring, from ur-days in the early 2010s to today. Much of its patient base in Pennsylvania is rural or semi-rural, living well away from care centers, with a clinician base equally scattered. They went with a single system–Teladoc–integrated into Epic. By the early days of the pandemic, Geisinger was able to expand their telehealth coverage from 20 to more than 70 specialties and from 200 providers to more than 2,000, and over two years (2020-2022) completed over 784,000 telehealth visits to homes, local clinics, or local hospitals. Case study in HealthcareITNews

If you’re a health system CIO managing lots of connected devices, you may need to go to a psychiatrist with your feelings of insecurity. That’s the gist of a new report, the Insecurity of Connected Devices in Healthcare 2022. A new-to-this-Editor cybersecurity firm, Cynerio, partnered with researchers at the Ponemon Institute to survey 517 executives at US health systems to find that their Internet of Medical Things (IoMT)/Internet of Things (IoT) vulnerabilities haven’t changed much since this Editor banged the gong about them well before the pandemic:

  • Cyberattacks–frequent: 56% of respondents experienced 1+ cyberattacks in the past 24 months involving IoMT/IoT devices; 58% averaged 9+ cyberattacks. Adverse impacts on patient care were reported by 45%, and 53% of those resulted in increased mortality rates. 24% of hospitals noted an impact on their mortality rates.
  • Data breaches are routine: 43% of hospitals had one in the past two years
  • Risks may be high, but the reaction is sluggish: 71% rated security risks as high or very high, but only 21% report a mature stage of proactive security actions. 46% performed accepted procedures such as scanning for devices, but only 33% keep inventory.
  • Ka-ching! Goes the ransomware! When attacked, 47% paid the ransom, and 32% were in the $250-500,000 range.

The full report is available for download here. Those who prefer a webinar must wait till 17 August at 2pm (EDT)–registration here. Cynerio release, HealthcareITNews

Updated. Having sat in on the webinar, some further information points from the Ponemon survey deepen the ‘gravity of the risk’:

  • IoT is different because a hack or cyberransoming prevents the device from working. It isn’t fixed by backup as data can be.
  • Health systems are still using IoT computer systems running Windows XT/95–and earlier (!)
  • The average total cost of the largest data breaches is $13 million–the most common cost is in the $1-5 million range.
  • 88% of these data breaches involved at least one IoT/MT device
  • Risks are known, but action is lagging. 72% of health organizations report a high level of urgency in securing devices–yet 67% of organizations do not keep an inventory of IoT/IoMT devices that they scan
  • 79% don’t consider their activities to be ‘mature’
  • Security investment doesn’t reflect the gravity of the risk–only 3.4% of IT budgets focus on IoT/MT device security.

And in sad layoff news, Owlet Baby Care is shedding an unknown number of employees. Here is the notice on LinkedIn. We last noted their FDA problems and a fast pivot in February, but their going public via a SPAC has been rocky at best, with shares lingering at $2 from the IPO at $8. Marketing a pricey baby monitor direct to consumer is expensive, even if it meets a need, and this is likely a cash crunch. At least the ‘leader of people & culture’ is giving them a proper sendoff of thanks–and more usefully, providing their contact information for potential job openings with other companies.

[This is in contrast to the gone-viral spectacle of the CEO of something called HyperSocial posting on LinkedIn his angst about laying off staff–along with a selfie of him weeping. Not exactly confidence-making and All About Him. This Editor’s comment is one of 6,000-odd posts which are largely doubtful to negative.]

Week-end news roundup: Fold Health launches OS ‘stack’; admin task automator Olive cuts 450 workers; 38% of UK data breaches from cyber, internal attacks; hacking 80% of US healthcare breaches; does AI threaten cybersecurity?

Startup Fold Health launched this week. It’s developed a suite of modular tools that are interoperable with existing EHRs or platforms to enable them to work better, together. Fold’s main claim is to “move primary care beyond the constraints of a 15-minute visit and provide a revolutionary consumer first experience through micro, automated workflows and campaigns of care.” There is an athenahealth connection, in that the founders were from Praxify, a virtual assistant/patient engagement app bought by athenahealth for $65 million in 2017. It has a $6 million seed investment from athenahealth. FierceHealthcare

On the other side of the funding mountain, Olive, an AI-enabled data cruncher that automates routine administrative healthcare processes such as revenue cycle management, has pink-slipped 450 employees, about one-third of its staff. In a letter to employees excerpted in Axios, Olive cites ‘missteps’ and ‘lack of focus’. It follows hiring freezes, major staff departures, and overpromising/underdelivering, including not using AI or machine learning for automating tasks, featured in an April Axios investigation. Olive has gone through over $850 million in nine rounds of funding (the last July 2021, Series H–Crunchbase). FierceHealthcare

Cyber attacks and internal breaches account for 38% of UK organizations’ (of all types) data losses in 2022. This is based on the Data Health Check survey of 400 IT decision makers compiled by Data Barracks, a cloud-based business continuity organization. The second and third reasons for data loss are human error and hardware failure. Of those surveyed, over half have experienced a cyber attack, most commonly involving ransomware. 44% paid the ransom; 34% didn’t and used backups instead. Their recommendations include frequent backups and keeping track of how many data versions are retained–both will minimize downtime and data loss. Release, full report

By contrast, returning to the US and healthcare, malicious hacking activity accounts for nearly 80% of all breaches. Fortified Health Security’s mid-year report on the state of healthcare cybersecurity, reviewing HHS Office for Civil Rights (OCR) data, noted that in first half 2022:

  • Healthcare data breaches primarily originated at providers–72%. The remainder were at business associates at 16% and health plans at 12%.
  • The number of records affected was 138% higher than the first half of 2020 at over 19 million records
  • Breaches were concentrated in relatively few organizations: seven entities experienced breaches of more than 490,000 records each, in total 6.2 million records or 31% to date.
  • OCR’s data breach portal recorded 337 healthcare data breaches that each impacted more than 500 individuals, a small decline from 2021’s 368
  • Hacking incidents rose to 80% from 72% in 2021. Unauthorized access/disclosure incidents totaled 15%; loss, theft, or improper disposal accounted for only 5% of breaches.
  • AI and ML-enabled security offerings can bolster cyber infrastructure. Organizations should also look at how IT staff shortages impact their planning and security. HealthITSecurity

Can AI (and machine learning, ML) lessen breaches–or open the door to worse problems, such as algorithmic bias, plus data privacy and security concerns? Vast quantities of data pumped through AI or ML algorithms are harder to secure. If the algorithms are built incorrectly–such as by eliminating or underrepresenting certain populations–what comes out will be skewed and possibly misleading. In the Healthcare Strategies podcast, Linda Malek of healthcare law firm Moses & Singer, who chairs their healthcare, privacy, and cybersecurity practice group, discusses the problems. She suggests some best practices around transparency, security, privacy, and accuracy when developing an AI algorithm, including collecting as much data as possible, and as diverse as possible, for accuracy. Additionally, the design should incorporate privacy and security from the start. HealthcareExecIntelligence

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners’ buy from IBM of Watson Health closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” through health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy from CEO of eSolutions, a former Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex, and Merge Imaging 
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader; now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up

Telemental health Cerebral’s miseries pile on. The Federal Trade Commission (FTC) is now investigating Cerebral on deceptive advertising and marketing practices. The Wall Street Journal (may be paywalled) reviewed the 1 June letter sent to the company. The letter requests the usual preservation of documents and asks ‘dozens of questions’ related to their business. Of particular interest to the FTC is the ‘negative option’ practice that continues the subscription fee unless the subscriber takes positive action to cancel it. Subscribers have complained that Cerebral did not cancel their subscriptions after repeated attempts to do so and did not refund their money. Reuters, FierceHealthcare

Also of interest to the FTC will be the dodgy advertising claims about ADHD and obesity which ran on TikTok and Instagram [TTA 10 May]. The WSJ reported that their ad spend topped $65 million for this year–$13 million on TikTok alone from January to May this year, making Cerebral the third-largest advertiser behind HBO and Amazon, according to research firm Pathmatics.

The FTC action follows the Department of Justice (DOJ) investigation of their prescribing of controlled (Schedule 2, high potential for abuse) substances such as Adderall and Xanax, CVS and Walmart refusing their prescriptions, the unceremonious booting of the CEO and co-founder, and a wrongful dismissal lawsuit by a former VP of product and engineering, Matthew Truebe. Certainly, its investors led by SoftBank, which raised $300 million in December less than six months after a raise of $127 million, are unhappy at watching their $4.8 billion baby crash and burn.

The second “rerun” Theranos trial of Sunny Balwani rests. This much-muted trial is winding towards its close. Receiving much less breathless and near-sensational coverage than Elizabeth Holmes’, Theranos president Balwani was tried in the same San Jose Federal district court, with the same prosecutor (Robert Leach), just about the same charges (12 counts of wire fraud), and Judge Davila presiding. Holmes was convicted and her sentencing is scheduled for September.

The prosecution rested on 20 May and the defense on 9 June. The trial took some delays due to at least two jurors falling ill from Covid. The defense strategy rested on Holmes’ founding and operating the company without Balwani for a few years and that he never sold his shares, making him as victimized as any ordinary investor. The prosecution is relying on how close Holmes and Balwani were, that he had great power at Theranos–and used it, plus in his position was well aware of the problems with the lab machines and deliberately sought to defraud investors by covering it up. Unsurprisingly, Holmes did not testify at his trial, although she was a looming presence at his as he was somewhat at hers, especially in her testimony about their relationship. Closing arguments took place on Tuesday (14 June) and the jury will be charged after their conclusion. NBC Bay Area, New York Post, Wall Street Journal

Happier news comes from Proscia, a pathology software company, funding a $37 million Series C. Highline Capital Management, Triangle Peak Partners, and Alpha Intelligence Capital led the round along with participation from five earlier investors. Their total funding is up to $72 million. Their AI-enabled Concentriq platform combines “enterprise scalability with a broad portfolio of AI applications to accelerate breakthroughs and unlock clinical insights that advance precision medicine.” Clients include 10 of the top 20 pharmaceutical companies as well as the Joint Pathology Center. Proscia release, Becker’s

Adding to the tally of healthcare data breaches are several this week. The year-to-date winner, of course, is the 2 million at Shields Health Care Group in Massachusetts [TTA 10 June], but this week, reports have been breaking out like late spring roses:

  • A clinical guidance software vendor’s breach reported 10 June has exposed the protected health information (PHI) of patients at Omaha, Nebraska-based CHI Health and Sioux Falls, South Dakota-based Avera Health. Avera has about 900 exposed patients, but the number at CHI is not yet known. MCG Health is the vendor. Becker’s
  • Yuma (Ariz.) Regional Medical Center reported an April ransomware attack that, while short in duration, exposed PHI of 700,000 patients. An unauthorized user removed files from the hospital’s system that included patient health information such as names, social security numbers, health insurance information, and limited medical information relating to care. The hospital went offline until it was resolved, including reporting to law enforcement. Becker’s, Healthcare Dive
  • UChicago Medicine had its employee accounts hacked in March by an unauthorized user. It exposed about 2,500 patient records that included patient first and last names, social security numbers, health information, legacy Medicare beneficiary identification numbers, health insurance policy numbers, and driver’s license numbers. Becker’s
  • And Kaiser Foundation Health Plan of Washington had about 70,000 patient PHIs exposed on 5 April when an unauthorized user gained access to one employee’s emails with information on patient first and last names, dates of service, laboratory test information, and medical record numbers.

Short, but certainly not sweet, and expensive.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. A steady drumbeat despite many efforts to secure against outside attacks and continuously monitor systems; still there are plenty of legacy devices floating around hospitals and clinics using outdated computer software and initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported that on 18 January servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program which aids missing people and their families, unaccompanied or separated children, detainees, and other people affected by armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts. In addition, login information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach that accessed patient billing information with the intent of rerouting the payments from the hospital to the attackers themselves. The hacker in the process gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSI and other financial information. The article does not disclose whether payments were successfully redirected. Becker’s Health IT

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps, used by patient care organizations for remote account management and telemedicine appointments, may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy
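Two of the findings above are easy to show in code from the defender’s side: Broken Object Level Authorization (an API that authenticates the caller but never checks that the caller is allowed to see the specific record requested) and hardcoded credentials in app source. The following is an added example written for this page, not Approov’s code nor any tested app’s; the record store, sessions, source lines and the `can_read`, `get_record` and `find_hardcoded_secrets` names are all constructed for illustration.

```python
"""Added illustration (not from the Approov report or any real app):
a BOLA-prone record lookup beside an object-level-authorized one, plus a
simple scan for hardcoded credentials in app source text."""
import re
from dataclasses import dataclass

# Constructed sample store: record id -> (owning patient id, payload).
RECORDS = {
    1001: ("patient-A", {"name": "A. Example", "visit": "2022-05-02"}),
    1002: ("patient-B", {"name": "B. Example", "visit": "2022-05-09"}),
}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str            # "patient" or "clinician"
    panel: frozenset     # patient ids a clinician is assigned to


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_record_vulnerable(session, record_id):
    """BOLA: the caller is authenticated (has a Session) but the record's
    owner is never checked, so changing the id in the request returns
    another patient's data."""
    return RECORDS[record_id][1]


def get_record(session, record_id):
    """Hardened: authorization is decided per object, not per endpoint.
    Unknown ids are refused the same way as other people's records so the
    response does not reveal which ids exist."""
    if record_id not in RECORDS:
        raise Forbidden(f"{session.user_id} may not read record {record_id}")
    owner, payload = RECORDS[record_id]
    if session.role == "patient" and session.user_id == owner:
        return payload
    if session.role == "clinician" and owner in session.panel:
        return payload
    raise Forbidden(f"{session.user_id} may not read record {record_id}")


def can_read(session, record_id):
    """Boolean wrapper around get_record for policy checks and tests."""
    try:
        get_record(session, record_id)
        return True
    except Forbidden:
        return False


# Hardcoded-credential scan: a string literal of 8+ characters assigned to
# a key/secret/password-like name. Constructed patterns; a real scanner
# would carry many more and check entropy as well.
SECRET_PATTERNS = [
    re.compile(r'(?i)(api[_-]?key|secret|password)\s*[:=]\s*["\'][^"\']{8,}["\']'),
]


def find_hardcoded_secrets(source_lines):
    """Return 1-based line numbers that look like embedded credentials."""
    return [n for n, line in enumerate(source_lines, 1)
            if any(p.search(line) for p in SECRET_PATTERNS)]


# Constructed sample sessions and source; none refer to a real system.
PATIENT_A = Session("patient-A", "patient", frozenset())
PATIENT_B = Session("patient-B", "patient", frozenset())
CLINICIAN = Session("dr-example", "clinician", frozenset({"patient-A"}))

SAMPLE_SOURCE = [
    'BASE_URL = "https://api.example-health.invalid/v1"',
    'API_KEY = "hc0ded-0123456789abcdef"',        # embedded key: flagged
    'password = "Summer2022!"',                   # plaintext credential: flagged
    'api_key = os.environ["HEALTH_API_KEY"]',     # read at runtime: not flagged
]

if __name__ == "__main__":
    # Patient A reading patient B's record: succeeds with the BOLA-prone
    # handler, is refused by the hardened one.
    print(get_record_vulnerable(PATIENT_A, 1002))
    print(can_read(PATIENT_A, 1002), can_read(CLINICIAN, 1001))
    print(find_hardcoded_secrets(SAMPLE_SOURCE))
```

The hardened handler also treats an unknown record id the same as a forbidden one, which matters for the id-swapping the report describes: if "not found" and "forbidden" are distinguishable, a caller can still enumerate which ids exist. The credential scan is a rough source-text check; it would be run over the decompiled or source app bundle as part of a build gate, and anything it flags should move to a runtime secret store.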

Alissa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off-the-shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Weekend reading: HISTalk’s interview with Spirion’s CEO on healthcare data security

A short but must-read if you care about data security and your customers/patients/residents. Where this HISTalk interview with Kevin Coppins, CEO of Spirion, excels is leading the reader through areas that are usually filled with fog and IT jargon. The view is from his company and a healthcare organization sitting in a conference room and scoping the problem without ‘paralysis by analysis’ or a turnkey ‘solution’ that may not be one. What’s different here is the clear, and few, logic steps, particularly the first three listed, that Mr. Coppins takes to get the ball rolling rather than befogging the discussion with too many factors or the punitive consequences of regulatory non-compliance.

“The concept of data and sensitive data is at the core of both security and privacy.”

  1. How much data do you have? (Nobody really knows, admit it)
  2. Of that data, what would you consider ‘sensitive’, and how do you define ‘sensitive’? Not only by regulation/compliance directives, but what your patients, clients and the board would consider ‘sensitive’.
  3. How much of that data is actually critical?
  4. What’s the impact? How personal is it to your organization, not just in a compliance way but in your community, etc.
  5. How do I reduce the risk of loss?
  6. If I lost the data due to hacking or ransomware, what’s the backup? How fast can this happen?

This Editor notes that these points (quantity, definition, risk of loss and recovery, and community impact) can be applied to other situation analyses.

The litany of ransomware attacks that have ramped up during the pandemic waves has pushed data security issues to the ‘gotta tackle’ list. According to Emsisoft, a security company, there were 41 attacks on healthcare organizations in first half 2020. This didn’t stop during the summer, with a rash of them at end of October and a hit list of 400 hospitals, according to Becker’s. Hacking attacks persist but aren’t getting the headlines.

And his conclusion is pertinent: “When it comes to security and privacy and all the drama and all the noise that you hear about it and read about it, just boil it down to this — am I doing everything I can today to protect what matters most to the constituents I serve?”