VA’s EHR goes live with four more centers; GAO criticizes VA, MHS on EHR cybersecurity collaboration

VA stays on schedule with four more EHR go-lives. On 6 June, right on schedule, the Oracle EHR went live at four more VA Medical Centers in Ohio and Kentucky: Cincinnati VA Medical Center, Chillicothe VA Medical Center, Dayton VA Medical Center, and the Cincinnati VA Medical Center-Fort Thomas. All are in VISN 10 (VISN=region). This second wave of 2026 transitions, according to the VA release, more than 107,000 veteran patients and 7,200 VA clinicians and staff. The next wave of three more VAMCs will roll out in August with a final two in October.

Interestingly, the VA release also scores the previous Biden Administration on holding up the EHR implementation for two years, starting after the well-publicized disastrous implementations of 2020-2023. Our Readers and this Editor remember that Congress, led by a Republican House and the Veterans committees (the House approves budgets), basically forced VA to end the deployments [TTA 26 April 2023] and renegotiate the next five years of the Oracle contract to contain performance metrics and requirements [TTA 18 May 2023]. At least some of the reforms noted in the release started under that previous administration, but the second Trump Administration starting in 2025 should be credited with accelerating what many of us observers considered a ‘dead in the water’ repair and rollout. The biggest change is the standardization of the system across the VAMCs; the previous deployments allowed for too much customization by facility, something Oracle wasn’t exactly equipped to handle with the legacy Cerner system.  Federal News Network

There’s also an enjoyable, locally made YouTube video of the go-live at the Dayton VAMC. It focuses on the IT team and how they are helping the clinical staff, including the first new patient entered into the EHR. Complete with an opening group prayer service and dancing–how can they lose? YouTube video, 3 minutes

What’s not going so well is VA-Department of War (DoW formerly DoD) cooperation on EHR cybersecurity issues. A new Government Accountability Office (GAO) report discusses how the Federal Electronic Health Record Modernization office (FEHRM) that is responsible for oversight and direction on joint functions is not adhering to “leading practices” in several areas. The Oracle EHR is not only used at the VA but also in a different version covers the Military Health System (MHS),  the US Coast Guard, and the National Oceanic and Atmospheric Administration (NOAA). The DoW has the primary responsibility for ensuring cybersecurity of the EHR systems. Where the agency fell short was in defining common goals, outcomes, and performance metrics, as well as communicating progress on EHR cybersecurity and privacy.

FTR:

GAO is making one recommendation to DOD and one to VA to direct the FEHRM to define common goals, outcomes, and associated performance measures, and monitor, assess, and communicate progress on collaboration efforts toward ensuring the cybersecurity and privacy of the federal enclave. DOD disagreed with our report and VA neither agreed nor disagreed with the recommendations. GAO maintains its recommendations are valid, as discussed in this report.

The GAO is required by the Further Consolidated Appropriations Act of 2024 to conduct performance audits; this one covers June 2024 to June 2026. GAO summary with links to full report, Healthcare IT News

TTA’s It’s June: Anthropic’s pending IPO, the AI Hype Curve, Oracle Health for sale, Schoenberg’s move to Amazon, Mass. sues UnitedHealthcare, Signos/H1 raises, more!

Thursday 4 June 2026

This Editor is closing and sending out Alerts a little early this week as off to an event. Most significant this week is Anthropic’s confidential, unpriced IPO filing on top of a $65B raise, a sure mark of Peak AI and the next stages of the Gartner Hype Curve. The other is an analysis of the potential market for a sell-off of Oracle Health’s EHR and what that entails–oddly coinciding with Roy Schoenberg’s move to Amazon Health. More about raises, UHG’s senior MassCare plans accused of fraud, and new Teladoc business. From last week–our Must Reads about the societal impact and the divinity of AI.

Enjoy your week and weekend!

Please feel free to comment on the articles and pass along this Alert. Let me know if this is worth it to you! Also check out my personal page on Substack.

Chutes & Ladders: MA sues UHG on Medicaid fraud, Teladoc joins Walmart’s Better Care Services, raises for Signos and H1

Breaking: Anthropic files confidential S-1 with SEC for IPO, less than one week after $65B raise. But is this Peak AI?

Selling Oracle Health’s EHR–what are the potential buyers, their odds, and price?

Breaking: Roy Schoenberg moving to Amazon to lead Health Services; Neil Lindsay to depart

Last Week’s Headlines

Weekend Must Reads on AI: its societal and economic effects, and why its developers see it as replacing God

Short takes: Garner Health’s $100M Series E; Veradigm files financial reports for ’23/’24, moved to net loss; Rovex debuts autonomous in-hospital transport robot

Post-holiday news roundup: Oracle Health acute care EHR market share crumbles to 20%–what that means; retail real estate downsizer marketing Walgreens leases; Oura files for US IPO, Swoop buys NimbleRx

Holiday weekend roundup: VA asks for ‘cyberspeed’ 25% EHR budget bump, update on EHRM fraud indictment; Commure raises $70M; Innovaccer buys Caduceus, lays off staff; Doximity, OpenEvidence slugfest gets hot

 

 * * *
Advertise on Telehealth and Telecare Aware
Support not only a publication but also a well-informed international community.

Contact Editor Donna for more information.

Help Spread the News

Please tell your colleagues about this free news service and, if you have relevant information to share with the rest of the world, please let me know!

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

Selling Oracle Health’s EHR–what are the potential buyers, their odds, and price?

The speculation is now “official”, since it is by a London investment banking firm, but it confirms this Editor’s earlier view: Oracle, to become an “AI Infrastructure Landlord” (in their apt term), has to sell off what was Cerner and the EHR operation. 

That train is now approaching, though realistically, no one knows when it is due and at what station.

The need: Oracle must reduce the extent of its “liquidity and capital expenditure crisis” in order to stay in the AI Game. Layoffs of 30,000 staff, or 18% of their global employees, is not enough. A fresh financing of $16 billion from the PIMCO bond fund and others cannot relieve the financial stress created by a previous estimated $72 to $100 billion in previous debt load and payments, so significant that banks refused to lend to still-profitable Oracle. And the AI transformation itself is high risk. Oracle owes OpenAI alone $553 billion in remaining performance obligations, and it has obligations to Meta as well. Add to this the long “taffy pull”–the years-long process of building, chip expenditure, then making a data center operational and generating cash. [TTA 14 May, 7 May, and prior; also Ed Zitron’s article for a much longer take.] Take all of them together, and they are polite words for “rock and a hard place” or a Very Dark Corner.

The London investment banking firm Nelson Advisors has taken a deep yet remarkably easy-to-digest analysis on a potential sale. Highlights are below. The paper is one long web page, not a deck of 50 pages. It is well worth your reading time.

Background: Cerner was bought four years ago in the go-go days of June 2022 for $28 billion. Cerner had an aging EHR and a deteriorating market share. Recently it’s plummeted to a 27% market share versus Epic’s 48% in large health systems. Oracle’s interest was not only in health, but also the health data Cerner contained. The plans were to update the software based EHR to a cloud-native data platform as the linchpin of Healthcare Transformation (Ed. note), except that integration proved to be slow and far more expensive than estimated.

Oracle also inherited from Cerner two huge and impossible to escape Federal obligations: the Military Health System EHR and the Veterans Health Administration EHR Modernization, two separate but mandatorily interoperable systems. MHS was the first implemented and is now  completed, but remains an obligation. The VA EHRM, as TTA has chronicled, started rolling out in 2020 and by 2023 was halted after five implementations Due to Disaster. It resumed in April 2026. The VA and Congressional process for funding now has tight guardrails in place on continuance.  

Who will buy the Oracle/Cerner EHR operation is the question. For how much isn’t as clear. Selling Oracle Cerner “represents the most significant “lump sum” of liquidity available. In the Nelson analogy, Oracle took the Cerner cow, milked it of data to feed its data into its LLMs, and no longer wants knackered ol’ Bessie even rejuvenated by the cloud. (In this Editor’s view, Oracle knows it is fighting a losing battle against Epic, which does privately pretty much what it wants and plans to stay that way.)

The obvious group of potential buyers are ‘hyperscalers’ who view health data as the Next Frontier. They already have feet in this healthcare pond. They also meet approved FedRAMP High security requirements for the VA and MHS contracts. Equally, they all have drawbacks.

Microsoft seems the most logical. It already has a huge footprint and expertise within health systems, courtesy of ambient scribe Nuance/DAX Copilot and cloud computing platform Azure.

  • Conflict #1: Epic is a major Azure customer. Would Microsoft be willing to lose this business in a high-stakes move?
  • Conflict #2: FTC would likely challenge the acquisition based on this huge existing footprint.

Amazon is also engaged in healthcare, but not with health systems. It has Amazon Health Services comprising Pharmacy, One Medical, and DTC telehealth services. (Editor’s note: not mentioned by Nelson is that Amazon Health has a new leader, Dr. Roy Schoenberg, with experience in Federal contracts via Amwell for the Defense Health Agency and MHS. This broke late last week.)

  • Conflict: Amazon Web Services is an established vendor in other areas of health systems, and acquiring an EHR could be seen as too much under one roof.
  • Problem: no experience with EHRs (same as Oracle) nor highly regulated health systems. The scale of the MHS/VA implementation and academic hospitals would be a steep learning curve with little existing precedent or credibility in Amazon-World.

Google certainly has the size and resources, and could position the EHR to rival both Microsoft and Epic. 

  • Conflict #1: Cultural. Google moves fast and healthcare slowly.
  • Conflict #2: Lacks the enterprise sales and support needed to service health systems. It doesn’t have a service culture.
  • Editor’s note: Google has tried and failed to be a healthcare giant at least twice. It doesn’t seem to fit.

Nelson also looked at two outliers, UnitedHealth Group/Optum and the hospital groups HCA or CommonSpirit Health. Both would be vertical integrators. Hospital groups do not have the margin nor borrowing power to make the move. UHG and their Optum operation face cash crunches and ongoing Federal scrutiny. (Had this been a few years ago under a different management, this would have been on strategy for UHG.)

Another outlier from the international space is SAP. Their aim would be global expansion into the Middle East and Europe with another asset their enterprise resource planning (ERP) expertise. Their problem? Lack of experience in the highly regulated US environment. In the Nelson view, the US Government could be the make/break for any deal.

The final destination for this ‘hard to sell’ asset? Private equity. And more than one involved. Nelson looked at five PE players in the healthcare space: Thoma Bravo, Francisco Partners, Bain Capital, Blackstone, and New Mountain Capital. (All are familiar PEs to Readers.) Even with their considerable individual assets, it would likely take a consortium to buy Oracle Health in a $20 to $25 billion deal. Nelson rates this as the most likely scenario as long as a consortium could be formed and it can be seen as a turnaround. The drawbacks are a governance structure and the real lack of an exit strategy. (PEs always need exit strategies to keep the funders happy. They are not in it to buy and keep.) The lower price could be made palatable to Oracle if they retained the Oracle Cloud Infrastructure (OCI) network and the Oracle Autonomous Database revenue streams.

The other partner in this consortium scenario? The Federal Government. It’s a high priority to secure the EHR for both the MHS and VA. Congress is already concerned.

Place your bets!  Hat tip to a Reader who wishes to remain anonymous.

News roundup: PSI awarded $156M contract for VA EHR testing; $50M for Fay nutrition; General Catalyst’s wealth management expansion; UniDoc’s HealthCube debuts in Ukraine

VA awards Planned Systems International a potential five-year, $156.1 million contract to support the VA’s EHRM (Electronic Health Record Modernization). The Independent Enterprise Testing and Support Services (IETSS) contract supports the EHRM-IO (Integration Office) team that is restarting the transition from VistA to the Oracle Cerner EHR. PSI will test and evaluate software, infrastructure, and environments, plus the operations of the independent verification and validation test center and test center environments hosted in VA Enterprise Cloud. It covers PSI’s project management, test and evaluation support, testing and technology support, test systems engineering and implementation support, and test process and quality management support. The five-year contract, as is typical with Federal contracts, is for an initial year then renewable for four 12-month terms. Another confirmation that EHRM-IO is moving forward on their plan announced before Christmas 2024, when the VA formally stated that they were planning for deployment in four Michigan facilities — Ann Arbor, Battle Creek, Detroit, and Saginaw–for implementation by mid-2016 [TTA 8 Jan]. GovConWire

Food as medicine is catching on. San Francisco-based Fay has scored a $50 million Series B round, led by Goldman Sachs with participation from previous investors General Catalyst and Forerunner, bringing their investment since 2024 to $75 million. The fresh funding will pay for growth and network expansion. They are claiming a valuation of $500 million.

Fay at present has a network covering most states of 2,300 registered dietitians (RDs) that integrate through Fay’s platform with major payers including United Healthcare, Aetna CVS Health, Blue Cross, Anthem, Cigna, Optum, and Humana, plus large employers such as Amazon, Microsoft, and Pepsi. The RDs provide personalized, in-person or virtual nutrition and lifestyle counseling to members or employees at little to no cost, while the platform automates processes such as insurance claims, scheduling, and patient follow-ups for the RDs. In addition, Fay can help RDs build their private practice and get credentialed with insurance. Over half of Americans struggle with diet-related chronic conditions (Frontiers in Public Health). Fay is in an especially sweet spot, as nutrition and quality of food, with the pending confirmation of Robert F. Kennedy, Jr. as HHS Secretary, is front and center. Release, MedCityNews

Speaking of General Catalyst, they are expanding beyond being one of the few dominant venture capital groups in a consolidating investment sector by expanding GC Wealth into a wealth management firm for entrepreneurs and others who have Struck It Rich (or have the potential to) in hot sectors such as AI. Running it out of San Francisco (where else?) is Dave Breslin, a former First Republic Bank executive who headed their private wealth unit. He recently hired several First Republic alums based out of Boston. According to the BBJ, it now has $2.3 billion in assets under management–and clients were invited last year to invest in General Catalyst’s seventh fund.  Founders should think long and hard about having your funder also manage your personal wealth–so it seems to this Editor. Boston Business Journal. Axios previously reported that General Catalyst is quietly exploring selling a share in its holding company. It currently has $32 billion in assets.

The ‘doc-in-a-box’ idea now has a fresh life in very specific uses. Canada’s UniDoc Health’s H3 Health Cubes have some interesting placements with the Italian Government to serve rural areas as a remote virtual clinic in locations such as the Municipality of Aliano’s Territorial Health Center. Also in Italy, the Aiutamoli a Vivere Foundation aid organization will place up to 15 units in Ukraine and the Gaza strip (though one suspects that events have eclipsed the latter placements).

For Ukraine, the H3 Health Cube funded by the Italian Agency for Development Cooperation (AICS), was delivered to a hospital in Yasinya in Ukraine scheduled to reopen on 14 February. It was received in mid-January by the Mayor of the City of Yasinia. along with additional aid such as food and hospital beds. It will connect doctors in that hospital, which treats wounded coming from the war zone as well as the local community, with Prof. Carlo Ventura’s team from I.N.B.B. of Bologna. Another Ukrainian hospital placement scheduled, in partnership with HP Inc., is for Okhmatdyt, Ukraine’s largest children’s hospital. A video of the HealthCube is on the UniDoc website.

Veradigm update report: initial bids collected to take company private

Veradigm (formerly Allscripts), which announced in May that it was seeking ‘strategic alternatives’, reportedly has some initial bids for parts or all of the sprawling data and tech platform company. Bids are coming in at above $9.50/share according to Axios, but only three players have been mentioned by the usual ‘inside sources’.

  • Thoma Bravo, which took NextGen Healthcare EHR private for $1.8 billion last November [TTA 19 Sept 2023]. NextGen has worked with Veradigm in a strategic data exchange partnership dating back to 2019.
  • Roche, current owner of Flatiron Health, which also has a specialized EHR for managing cancer data. However, Roche recently put Flatiron up for sale, which could make serious interest in Veradigm doubtful. 
  • Vista Equity Partners, which owns EHR Greenway Health,

Because some parts are more interesting to bidders than others, two or more could partner to buy Veradigm’s assets in healthcare data systems and services. Veradigm’s market capitalization remains about $1 billion.

Veradigm was delisted from Nasdaq on 29 February because of software problems making their 2022 and 2023 reporting inaccurate and being unable to file required current financial reports. It trades OTC under MDRX closing today at $9.55. Yet they reported profitable results in 2023 with net income from continuing operations between $49 million and $58 million and shortly after acquired two companies this year, ScienceIOfor $140 million in cash [TTA 15 Mar] and Koha Health [TTA 3 Jan]. For 2024, Veradigm forecasts revenue between $620 million and $635 million, with adjusted EBITDA between $104 million and $113 million. One wonders why there aren’t more bids, even joint bids, financing, and other structured offers for what appears to be a fairly healthy going business. Ionanalytics.com

NHS electronic patient records linked to 100 ‘serious harm’ issues, with ~50% of NHS England trusts reporting patient issues: BBC News

EHR harm is not exclusive to the VA, or the US. An investigation published last week by BBC News uncovered problems with IT systems used by NHS England regional trusts to manage patient records. Through a Freedom of Information (FOI) request, it uncovered multiple problems with Electronic Patient Record (EPR) systems that could affect patient care or lead to potential harm. Their investigation found that “IT system failures have been linked to the deaths of three patients and more than 100 instances of serious harm at NHS hospital trusts in England.”

The NHS has spent £900 million over the past two years in pushing trusts to procure EPR systems and to go entirely paperless. The original deadline of end of 2024 has long since been modified to 2026.

Currently, each trust manages its own IT adoption. Teaching hospitals are at the top with the best IT, whether EPRs or operational and clinical systems. Acute care hospitals come next with current systems and infrastructure. The trusts also commission and pay for community and mental health organizations plus general practitioners. They tend to be at the end of the technology chain, without data centers but maybe a computer room. There are lots of variations between trusts, plenty of custom systems, and paper. And as in the US, systems were not necessarily interoperable. (Background courtesy of Rackspace)

The NHS published last November that 90%, or 189, trusts had contracted for and adopted EPRs. EPRs adopted by the trusts include Oracle Cerner, Epic, Meditech, and Dedalus Orbis (replacing the ancient Lorenzo).

What the BBC found through the FOI:

  • 89 trusts confirmed they monitored and logged instances when patients could be harmed as a result of problems with their Electronic Patient Record (EPR) systems. Almost half recorded instances of potential patient harm linked to their systems.
  • Nearly 60 trusts reported IT problems that could affect patient care.
  • There were 126 instances of serious harm linked to IT issues across 31 trusts
  • There were three deaths across two trusts related to EPR problems
  • At the County Durham and Darlington NHS Foundation Trust, more than 2,000 incidents of potential patient harm and three other serious incidents were connected to their new Cerner EPR

Additionally, hundreds of thousands of medical letters went unsent to patients. From the FOI, 200,000 letters were not sent across 21 trusts. Last September, a separate BBC investigation found that 24,000 letters from Newcastle hospitals had not been sent from their EPR system, with more than 400,000 letters lost in computer systems at hospitals in Nottingham.

Separate from the FOI, the BBC report goes into two of the deaths relating to EPR lost information.

  • At Sheffield Teaching Hospitals Trust, a sickle cell anemia and cerebral palsy patient, Darnell Smith, aged 22, was admitted to the Royal Hallamshire Hospital with cold like symptoms in November 2022. His personal care plan was not easily visible in the hospital’s computerized records. He didn’t get the hourly checks he needed for heart rate, blood pressure and temperature. After the records were found, Mr. Smith was then moved to critical care, put on a ventilator the next morning, and died from pneumonia two weeks later. The coroner in this case warned of a “real risk of further deaths” if care teams couldn’t access needed medical information.
  • At University Hospital of North Durham, Emily Harkleroad collapsed and was taken to A&E, where a pulmonary embolism was diagnosed. However, due to errors in the newly installed Cerner EPR, she didn’t receive the blood thinners she needed and died the morning after admission. The coroner found that the EPR did not clearly identify which patients were the most critically ill and needed to be prioritized, a complaint that clinicians at the hospital had previously expressed.  

Clinicians who came forward to the BBC pointed to EPRs making critical information difficult or impossible to find–it could be “buried anywhere”, creating medication errors, and “incorrect patient details on theatre (sic) lists, incorrect operations listed, incorrect allergy status”. 

Professor Joe McDonald, a former NHS clinical leader, dubbed the current rollout of EPRs across trusts “a broken jigsaw” because very few are interoperable. His conclusion: “There is undoubtedly a culture of cover-up in the NHS and nowhere is that stronger than in the health IT sector. It’s not safe. It’s really not safe.”

BBC News also included a response from Professor Erika Denton, national medical director for transformation at NHS England. She stated that EPRs represent an improvement over paper and patchwork systems and have been shown to improve safety and care for patients. “However, like any system, it’s essential that they are introduced and operated to high standards, and NHS England is working closely with trusts to review any concerns raised and provide additional support and guidance on the safe use of their systems where required.”  Also Daily Mail and Yahoo News Canada (reprint of the BBC News article if blocked).

Oracle’s Glueck kicks back hard at Business Insider’s ‘deadly gamble’ article, Epic’s Faulkner (now with additional audio commentary)

Oracle is making great progress at the VA. And they want EHR interoperability. Epic doesn’t. Take that, Business Insider! And Judy Faulkner! Ken Glueck, an EVP at Oracle, authored an Oracle blog post (or at least one written under his name) that has generated much industry controversy. It first goes after Business Insider for daring to criticize the problems on the Oracle Cerner rollout that made it into five (count ’em, five) VA regional systems, calling it a ‘regurgitated story’. It calls the ‘deadly gamble’ headline ‘clickbait’, moves to patting itself on the back for the apparently non-problematic EHR rollout in about 3,900 locations in the DOD-Military Health System (partnering with Leidos), then swerves to stating the obvious in kicking around poor old, outdated VistA that meets very different needs and a massive population at the VA, and ends with a tap dance around the Oracle Cerner EHR problems at the VA citing all the progress that Oracle is making. It builds to a final slam fest, taking a minor quote in the article regarding why Oracle’s Larry Ellison preferred to buy Cerner–a ‘more relaxed approach to data privacy’–and expanding that to hard personal takedowns of Epic and its founder Judy Faulkner.  It then gets personal with BI, depicting the publication as “rooting against us” which he finds “invigorating”.

One can understand the craving for Oracle management to respond to BI. It’s a media outlet that apparently doesn’t have the most friendly relationship with Oracle. (But since when is that a feature of the Fourth Estate?) The article vividly takes Oracle to task, weaving together an accessible story out of dry facts and the many technical failures well documented by the VA, the OIG, and in Congressional hearings. It’s framed in the noble ambitions of Oracle’s founder Larry Ellison to transform healthcare which, in this Editor’s view, are treated sympathetically. The extremely well-read review last week of the BI article notes all, as well as the lack of contrast with the non-eventful DOD-Military Health System’s implementation and why it went largely according to plan, including the joint Lovell MHS/VA EHR. While this Editor tends to cast a gimlet eye at the clichéd mention of ‘transforming healthcare’, she still has some hope that progress in simplification, transparency, better-informed decisions, and truly intelligent assistance that enables human providers to heal their patients will be made in the next decade. And in that, she is on the side of Mr. Ellison as well as most founders and companies in health tech chronicled in TTA’s articles since 2005.

You have to give Mr. Glueck some credit for not holding back on how he really feels. Unfortunately, he was writing a corporate communication even if it was slotted in Oracle’s blog pages. He’s worked in corporate for decades and early in his career in government in the late Senator Joe Lieberman’s (D-CT) office. From the blunt view of a marketer, he should know better. Tone matters. And the frostier the tone, the better. If even a response is needed. Consider: is responding to this a smart move? What are the knock on effects?

In fact, it’s almost a textbook on how not to respond to negative press.

  • The headline sets up a straw man argumentBusiness Insider is not responsible for healthcare modernization, nor conceivably will ever be. It’s a cheap shot. 
  • The overly personal tone, written (one can guess) as he was seething about the BI article, undermines the response.
  • Nearly all of the same points could have been made in a concise, objective, fact-by-fact rebuttal that would be far more powerful in its restraint.
  • It meanders. It’s defensive. It’s easy to read into the Congressional Record or at the next hearing of the Veterans Affairs committee by a House member or Senator who’d like to see Oracle Cerner derailed at the VA. 
  • Where it truly goes off the rails is the personal invective directed at their competition. “…Epic’s CEO Judy Faulkner is the single biggest obstacle to EHR interoperability. She opposes interoperability because it threatens Epic’s franchise.” Mr. Glueck goes further in stating that Oracle enables provider collaboration across silos, while “Epic’s contracts expressly appropriate all patient EHR data as Epic’s own.” This is a fair criticism if true but maybe Epic’s hospital customers like it that way for their own reasons like security.

The blog comes across as barely restrained and defensive, especially versus Epic, the #1 EHR. When your EHR is losing ground to the competition, this is not a good look. It hands Epic another club to beat Oracle with. When your audience consists of professional hospital and practice executives, plus the VA and Congress, who right now aren’t overly happy with your EHR and are firing Oracle or considering it, this is almost guaranteed to backfire. It also gives a provocative article in a small online publication (ask Elon Musk) what Oracle doesn’t want–very long legs and a long shelf life. Plus now, there is even more reason for BI to beat up on Oracle.

Perhaps ignoring it, coupled with a sober internal communication (email/intranet/Slack) on the progress being made with the VA EHR (given that internal comms leak onto Reddit and similar), would have been the best response choices. And what about a conversation with BI? 

Like the old Sicilian saying about revenge, dishes like this should be served cold. 

Some interesting responses to the Oracle blog post are in HIStalk Reader Comments 5-31-24   Also Becker’s

And if anyone at Oracle wants a free tutorial in what not to do to respond to negative press, from the perspective of someone who’s had to deal with it in two industries….donna.cusano@telecareaware.com

Listen to Editor Donna provide extra commentary–a take on this take–on the Ken Glueck blog and this article. Now on Soundcloud (~18 minutes).

News roundup: VillageMD sued on Meta Pixel trackers; Cerebral pays $7.1M FTC fine on data sharing, cancellation policy; VA may resume Oracle Cerner implementation during FY2025; Epic-Particle Health dispute on PHI sharing

It’s all about personal health data–sharing, bad sharing, and bad transfers in this roundup.

VillageMD takes another hit, this time on Meta Pixel ad tracker issues. A class-action lawsuit filed on 10 April charges VillageMD (formally Village Practice Management Company), via its Village Medical website, of using the Meta Pixel ad tracker for disclosing user-protected health information (PHI) and other identifiable information generally classified as PII. This included visitors to their website villagemedical.com seeking information and patient users of Village Medical’s web-based tools for scheduling and the patient portal. The lawsuit by a “John Doe”, a patient since January 2023 resident in Quincy, Massachusetts but brought by three Midwest law firms in the US District Court for the Northern District of Illinois, states that VillageMD used trackers that transferred this personal information to Meta Networks’ Facebook and Instagram, as well as other third parties like Google, for use in targeted advertising, in violation of HIPAA and other regulations. The lawsuit seeks 1) an injunction stopping Village Medical from using ad trackers and 2) monetary redress via damages–actual, compensatory, statutory, and punitive for the entire affected class. The suit also alleges that VillageMD violated its own internal procedures. Crain’s Health Pulse, Healthcare Dive

Readers will recall that in June 2022, STAT and The Markup published a study and follow-ups on Meta Pixel and ad tracker use by healthcare organizations. Ostensibly, the ad trackers were there to better track website performance and to tailor information for the patient [TTA 17 June, 21 June 2022], but they sent information to third parties that violated HIPAA and privacy guidelines. Ad trackers were also monetized. Meta blamed the health systems [TTA 16 May 2023] for misuse though they used the data for ad serving.  Congressional hearings, FTC, and DOJ followed later in 2022 and 2023. Multiple class action lawsuits against providers large and small have ensued. Providers have pushed back on FTC and HHS rules on ad trackers, stating the restrictions hamper their ability to build better websites based on customer usage and to serve individuals with useful information. 

Another ‘oversharing’ company, troubled telemental Cerebral, whacked with $7.1 million FTC fine on disclosing consumer information via ad trackers plus ‘negative option’ cancellation policy. The proposed order for a permanent injunction filed by the Department of Justice (DOJ) and docketed on 15 April has to be approved by the Federal District Court for the Southern District of Florida. The fine for the company only penalized the following:

  • Cerebral released 3.2 million consumers’ information to third parties such as practices, LinkedIn, and TikTok. This included PHI and PII such as names, medical histories, addresses, IP addresses, payment methods including insurance, sexual orientation, and more. Even more outrageously, they also used the mail for postcards that had sensitive information such as diagnosis printed on them. The insult on injury was that Cerebral failed to disclose or buried information on data sharing to consumers signing up for their ‘safe, secure, and discreet’ services. Cerebral now has to restrict nearly all information to third parties.
  • Cerebral also set up their service cancellation as a ‘negative option’ cancellation policy, which in reality meant that it was renewed indefinitely unless the customer took action to cancel. It was not adequately disclosed in violation of the federal Restore Online Shoppers’ Confidence Act (ROSCA). Then Cerebral made it extremely difficult to cancel by instituting a complex procedure that required multiple steps and often took several days to execute. They even eliminated a one-step cancel button at their then-CEO Kyle Robertson’s direction. The order requires this to be corrected including deleting the negative option.
  • Former employees were not blocked from accessing patient medical records from May to December 2021. It also failed to ensure that providers were only able to access their patients’ records.

Cerebral’s settlement with the FTC and DOJ breaks down to $5.1 million to provide partial refunds to consumers impacted by their deceptive cancellation practices. They also levied a civil penalty of $10 million, reduced to $2 million as Cerebral was unable to pay the full amount. The decision and fine do not cover charges to be decided by the court against the former Cerebral CEO Robertson due to his extensive personal involvement in these practices. Those have not been settled and apparently were severed from the company as a separate action (FTC case information). Since 2022, Mr. Robertson has consistently blamed company management and investors for pushing for bad practices such as prescribing restricted stimulant drugs. Cerebral countersued him for defaulting on a $49.8 million loan taken in January 2022 to buy 1.06 million shares of Cerebral common stock. More to come, as the order also does not address other Federal violations under investigation, such as those under the Controlled Substances Act.  FTC release, FierceHealthcare  

VA to possibly resume Oracle Cerner EHR implementation at VA sites before the end of FY 2025, even if not in budget. During House Veterans’ Affairs Committee hearings on FY 2025 and 2026 budgets, VA Secretary Denis McDonough last Thursday (11 April) said that the VA intends to resume deploying the Oracle Cerner EHR as part of VA’s Electronic Health Records Modernization (EHRM) before the end of FY 2025. As Federal years go from October to September, FY 2025 starts October 2024 and ends September 2025. When asked if VA plans to maintain the “program reset” as they termed it in April 2023 for all of FY25, Secy. McDonough said that “we do not.”However, there is no budget allocated for additional implementations in either FY. The plan is to use carryover funding.

Oracle Cerner’s Millenium EHR was implemented at five VA locations before suspending in April 2023 for a massive re-evaluation which involved reworking systems such as the Health Data Repository which created critical scheduling and pharmacy problems detailed by the Office of Inspector General (OIG)  [TTA 28 Mar]. The joint VA and MHS/Genesis Lovell FHCC implementation, which went live in March, is not included.  NextGov/FCW, Healthcare Dive

And in another dispute about data sharing, leading EHR Epic cut off requests made by some Particle Health customers, expressing concern about privacy risks. Particle Health is a health data exchange API platform for developers. Both Epic and Particle are part of Carequality, a large scale data exchange group that connects 600,000 care providers, 50,000 clinics, and 4,200 hospitals to facilitate the exchange of patient medical records On 21 March, Epic filed a dispute with Carequality that some of Particle’s users “might be inaccurately representing the purpose associated with their record retrievals.” and stopped responding to some Particle Health customer queries. This has now degenerated into a ‘who said what‘ dispute, with Particle and their CEO alleging that Epic implied that it completely disconnected Particle Health and its customers from Epic’s data, while Epic has said that after a review by its 15-member Care Everywhere Governing Council, they flagged three companies who were using Particle’s Carequality connection to access data not related to patient care or treatment. There’s also a larger concern being brought up by providers on the use of these mass data exchanges for fraudulent extraction of data or use that would violate HIPAA guidelines. FierceHealthcare, CNBC, Becker’s, Morningstar

UHG’s Optum UK closes £1.24B buy of EMIS Group

UHG and Optum wasted no time. A year after their bid yet less than one month after approval by the Competition and Markets Authority (CMA), EMIS Group is now part of Optum Health Solutions (UK) Limited. The £1.24 billion transaction became effective on Friday 27 October when shares were suspended from trading on the London Stock Exchange. The sale was formally to Bordeaux UK Holdings II Limited, an affiliate of Optum Health Solutions UK Limited.

As we noted on 2 October, EMIS is the leading EHR system used by NHS GPs throughout the UK. EMIS also has systems for business intelligence, pharmacy, EDs and urgent care, and to identify patients for clinical trials.  It started as Egton Medical Information Systems by two Yorkshire physicians, back when IT was called MIS 35 years ago. In their statement, EMIS will remain HQ’d in Leeds and remain primarily a UK-based company. “…there will be no material changes to our existing operations or locations. Optum UK intends to continue EMIS’s technology development investments, such as EMIS-X, without any material changes to our focus on the key areas of interoperability, elite partners, community pharmacy and data analytics.” There is no indication in the statement about changes in management, more about reassurance in continuity of operations. MarketScreener

CMA clears £1.2B EMIS acquisition by UnitedHealth Group’s Optum (UK)

It took a year, but it’s approved. The Competition and Markets Authority (CMA), the UK agency tasked with approving acquisitions, approved the acquisition of UK healthcare tech systems developer EMIS by UnitedHealth Group (UHG)’s Optum. The actual acquisition will be made by Bordeaux UK Holdings II, a UK Optum unit. 

The £1.2 billion bid for the private company was made in June 2022. In March 2023, CMA moved its review to an independent group for a Phase 2 review due to EMIS’ engagement with the NHS. The Phase 2 review determined that the acquisition by Optum did not raise competitive concerns. Optum is currently a supplier to NHS and GP practices in pharmacy prescription, advisory services, and data analytics. The acquisition of the EMIS system was found to not effectively restrict other entities’ access to data or population health services, and that any restriction could be regulated by the NHS to prevent its use by Optum as a business strategy. Further discussion is presented in the CMA release.

EMIS is the leading EHR system used by NHS GPs throughout the UK. EMIS also has systems for business intelligence, pharmacy, EDs and urgent care, and to identify patients for clinical trials. 

This final approval indicates that the acquisition will close before the end of this year.  Becker’s Payer, CMA release, Medical Buyer (India), Reuters

Mid-week roundup: Holmes turns herself in, ChatGPT as good ER explainer, VA Spokane to cut staff to pay for Oracle Cerner EHR problems?, former Cerner campus conversion

Holmes’ time at Bryan begins. Today (30 May) in a Texas morning, Elizabeth Holmes self-surrendered to the Federal Prison Camp (FPC) at Bryan to begin her 135-month sentence (11 years+). With good behavior and enrollment in certain programs, she may serve about 85% or about 9.5 years as No. 24965-111. The ‘shakycam’ video link here from Sky News (scroll to 3:18) initially from across the street then at the fence shows her delivery in a NY state-plated Ford Expedition to the facility parking lot. Her parents give her paperwork to the officers, then she with the officers walk into the camp facility, with a goodbye wave by partner Billy Evans (ballcap by the car). After all the drama, the denouement is bog-standard save for the paparazzi. She is wearing glasses, a tan sweater and blue jeans, the latter two which will be exchanged for a uniform. Many might be surprised that the prison camp has green grass lawns and trees, without towers or impenetrable fences. This is a low security facility for 650 women on 37 acres, but it remains a prison with all the schedules and restrictions that entails.

Her appeals to the Ninth Circuit Court on her conviction and sentencing, with now the restitution, continue as does the puzzle of how to compensate the victims identified by the US District Court as being owed $452 million payable jointly by her and Sunny Balwani. The order of restitution is here (PDF) There are a dozen identified financial victims from the relatively small (the Eisenmans’ $150,000) to the $125 million of Keith Rupert Murdoch. Both Safeway ($14.5 million) and Walgreens ($40 million) are identified separately. At this point at Bryan, she will be earning between $0.12 and $1.15, earning perhaps $25 every four months based on older data. According to the BBC article today, half of that will go to her victims, said Randy Zelin, a professor at Cornell Law School. The Feds will continue to scrutinize for hidden assets. Mercury News

Our Theranos Saga that started in October 2015 now endeth here, except for news on appeals or changes in circumstances.

On a somewhat lighter note, this non-paywalled Insider article charts the up and downsides of using ChatGPT as an explainer to patients in the ER/ED.  Joshua Tamayo-Sarver, MD, has been an ER doctor for almost 14 years as well as a VP of innovation for two healthcare tech companies, Vituity and Inflect Health. He recently started using ChatGPT4 as an adjunct to treatment, to explain difficult emergency situations to patients and family in simple non-medical language. Dr. Tamayo-Sarver’s article in Fast Company provides a solid narrative of how the simplicity and empathy of ChatGPT’s explaining treatment (in this case of a 96 year old woman with lung edema and dementia) works and helps the staff de-escalate the situation developing with her children and give them a chance to start her correct treatment determined by the doctor, not ChatGPT. (What was her outcome?) As the doctor explains, working with ChatGPT is inadequate for diagnostics, but adequate for ‘hungover intern’ level actions: taking patient history, creating long-form communication for patients and staff, and explaining highly technical information with empathy and compassion.

Will the Spokane VA location which proved to be The Last Straw for the VA with Oracle Cerner from October 2022 pay for it with cuts in staff? This year, Mann-Grandstaff VA Medical Center is projected to run a budget deficit of about $35 million. In a March email, the Mann-Grandstaff director Robert Fischer stated that the Northwest VA VISN (regional) director said this will require Mann-Grandstaff to cut about 15% of staff. Yet the VA chief of VA health care, Shereef Elnahal, has denied this. The controversy around this has prompted VA’s secretary, Denis McDonough, to issue a statement that he will look into these reports but stopped short of confirming that no staff would be cut. Spokesman-Review (Spokane)  Hat tip to HISTalk 31 May

Cerner’s Continuous Campus in Kansas City, Kansas, apparently will be redeveloped. Two local developers are in contract with Oracle to buy the empty 63.5 acre property with twin nine-story office towers. Last week, local authorities approved rezoning with an amended master plan. Developer plans are to convert the north tower to 224 to 232 market-rate apartments above ground-floor commercial space. While the plan for the south tower is to stay as 660,000 square feet of office space plus parking, no interest has come from lessees. According to reports, Oracle’s purchase of Cerner and shutdown of many operations in the area dumped 4.1 million square feet of real estate in the area.  Fox4KC

VA renews Oracle Cerner EHR contract, but with multiple caveats, metrics, and annual renegotiations

VA finally gets tough with Oracle Cerner–when things are not peachy at the latter. The Oracle Cerner EHR contract with the Department of Veterans Affairs (VA) was renewed with 28 key performance metrics attached to monetary credits. Instead of another five-year term, there are five one-year terms that allow VA to revisit the contract annually. It was not a ringing vote of confidence in the relationship, with good reason, as the EHR implementation has ground embarrassingly to a halt over five years with only five deployments in VA medical centers, of 166 centers plus their medical clinics [TTA 26 Apr, 18 Mar].

The renegotiated contract holds Oracle accountable in four key areas, according to a VA update document obtained by Bloomberg Government:

  1. Reliability: Minimizing outages (time when the system crashes completely), incidents (time when one component of the system isn’t working), and interruptions (time when the system is operating slowly) of the system.
  2. Responsiveness: Quickly and reliably resolving help tickets and clinician requests.
  3. Interoperability with other health care systems: Ensuring that VA can quickly and reliably access patient health records from private sector hospitals when necessary, so we can provide informed, world-class care to those we serve.
  4. Interoperability with other applications: Ensuring that the EHR system interfaces with VA’s website, mobile app, and other critical applications, so Veterans have a seamless and integrated health care experience.

With 28 performance metrics that if not met will result in Oracle paying a monetary credit to the VA, there’s a big monetary incentive for Oracle. For instance, in the VA update document, they claim that Oracle would have paid approximately a 30-fold increase in credits for the system outages, which is only one of the metrics. “The amended contract lays the groundwork for VA and Oracle Cerner to resolve the EHR issues identified by the “assess and address period” and optimize EHR configuration for future sites.” Becker’s, Healthcare IT News

The contract negotiations were a hot button in recent weeks for both the House and Senate veterans’ committees, with multiple bills proposed and hearings. The 9 May hearing by the House Subcommittee on Technology Modernization Oversight (Committee on Veterans’ Affairs) was no love-fest, with chair Matt Rosendale (R-MT) once again concluding that the best thing for the VA would be, as he proposed in his bill H.R. 608, to cut Oracle loose and start over. VA obviously did not agree, being between a rock and a hard place, but this hearing put Oracle’s Mike Sicilia on the hot seat about the EHR’s pharmacy software to support the VA’s role as both prescriber and prescription filler–which he previously committed to having fixed by this past April. Carol Harris, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO), responding to Rep. Rosendale’s questions, described a system that is not fully functioning and puts veterans at risk with failings by both Oracle and VA. In the current state, VA users are extremely dissatisfied. The present workarounds and ad hoc processes outside of the system are not sustainable and are set to fail. She also pointed out that VA needs to set goals for what constitutes user satisfaction with clear and objective measures before future deployments. VA must take a leadership role in change management beyond what Oracle does in the deployment. Hearing on YouTube (2.01:50) Witnesses and support documents

The added scrutiny comes at a bad time for Oracle Health with turmoil reportedly festering within the Cerner acquisition. Oracle has laid off 3,000 workers, pausing raises and promotions. Don Johnson, who once was a successor to CEO Larry Ellison, departed from leading Oracle Health and AI. Reportedly, Dr. David Feinberg who briefly headed Cerner prior to the sale, is now a ‘ceremonial’ chairman of Oracle Health. Cerner’s signature buildings in Kansas City are being sold and emptied. If Mr. Ellison wants to transform healthcare, he needs to start at home, rebuilding Cerner-Oracle Health rather than decimating it, and fixing VA as Job #1. Business Insider

Additional recent coverage: 28 April, 20 April, 19 April, 31 March

Mid-week roundup: DEA extends telehealth prescribing waiver to November; telehealth usage continues to erode; NextGen EHR hacked, 1M records breached

The answer: 11 November. The question: how long was the Drug Enforcement Administration (DEA) planning to extend their telehealth waiver of in-person prescribing requirements on Schedule II and higher controlled substances?  Both the DEA and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued the “Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications”rule on 9 May before the Public Health Emergency (PHE) expired on 11 May. It’s a six-month reprieve for the beleaguered telemental health providers/prescribers and their patients–and sure to be hotly debated over the next few months as a final rule must replace the temporary extension rule and the Ryan-Haight Act isn’t going away. DEA release, TTA 4 May

FAIR Health’s tracking of telehealth medical claims has languished in the Fives–as in 5%–since last year. February is the latest month of tracking and it declined from 5.9% in January to 5.5% in February. Again, the vast majority of claims are for mental health codes (66.7%) far ahead of diagnosis #2, acute respiratory diseases and infections, where Covid-19 once resided. However, the latter accounted for 25.6% of asynchronous (store and forward) telehealth diagnoses. A new metric on the report is audio-only telehealth, which is only slightly more popular in rural versus urban areas. The greatest difference from the national norm is in the West, where February telehealth claims were 7.6%. Monthly national summary, FAIR Health main page for monthly and regional summaries.

NextGen’s EHR/practice management system hacked, 1.05 million patient records breached. Information stolen included patient name, dates of birth, addresses, and Social Security numbers. This was revealed in a filing with the Maine attorney general’s office since it included over 4,000 Maine residents. The hack of the NextGen Office system took place between 29 March and 14 April 2023. It’s been a bad year for NextGen’s IT and security teams, as it also experienced a short-term ransomware attack in January by AlphV/BlackCat. (The two couldn’t be related…could they?) No word yet on class action lawsuits or Federal penalties.  TechCrunch

VA EHR update: four deaths traced to Oracle Cerner EHR; four safety issues identified by VA EHRM Sprint Team

The Senate Veterans Affairs Committee is unhappy. Very unhappy. With good reason. The ongoing problems with the Department of Veterans Affairs (VA) rollout of the Oracle Cerner EHR multiply. There were six instances of ‘catastrophic harm’ attributed to a feature of the EHR modernization program since the rollout, four of which resulted in the death of a veteran patient. According to information given to the staff of Senator Richard Blumenthal (D-CT), one fatality was at Spokane’s Mann-Grandstaff VA Medical Center and the other three died as patients in the VA Central Ohio Healthcare System, launched in April 2022. The nonfatal cases happened to veteran patients in the Inland Northwest (also Spokane).

While Senator Patty Murray (D-WA), the chair of the powerful Appropriations Committee, threatened to withhold further funding for the EHR migration, Senator Jon Tester (D-MT) is not fed up enough to be in favor of terminating the contract, as the House Veterans Affairs technology subcommittee head, Rep. Matt Rosendale (R-also MT), proposed in January in H.R. 608, [TTA 1 Feb] now in the House Subcommittee on Oversight and Investigations. The VA has paid Oracle Cerner $4.4 billion on the contract so far, with a refund of $325,000 paid as compensation for ‘incomplete technology and poor training’. Obligations through the contract are at least $9.4 billion. It comes up for renegotiation on 17 May and VA’s contracting officer, Michael Parrish, has testified he will push for a more favorable contract

The Government Accountability Office is also unhappy. The GAO, which calculated the above obligations, told the committee that the EHR contract “as currently written, has not sufficiently motivated Oracle-Cerner to perform better,” and that the current terms of the contract are “not necessarily in the best favor of the government in this particular case.” The GAO surveyed VA users of the Oracle Cerner EHR and found that only 6% agreed the system enabled quality care. Some of this may be reluctance to change technologies after 40 years of VistA, as Senator Marsha Blackburn (R-TN) pointed out in what this Editor expects is a ‘devil’s advocate’ statement, but there is also a fatigue factor–it’s the fourth attempt at replacing VistA.  Federal News Network 16 March, Spokane Spokesman-Review, Becker’s HealthIT

The VA’s EHRM Sprint Team identified four main issues in the EHR Modernization Sprint Report (PDF) released on 10 March.

1) Unknown queue and related issues (including medications)
2) No show and cancelled appointment orders failed to route to scheduling queues
3) Add Referral button not creating visible external site referral for worklist action
4) Usability issues with the EHR application, allowing providers to order procedure charge codes for imaging without ordering the actual clinical imaging

There were 30 safety issues examined by the team (pages 6-7) of 450 submitted. The report also identified EHR workarounds for VA medical centers that conduct medical research, an issue that surfaced publicly with Ann Arbor Healthcare System in delaying their go-live until 2024 [TTA 1 Mar]. They also examined the Data Collection Workbooks (DCW) process to better ensure consistency with VA standards through moving to a standardized approach. The VA is developing an Enterprise Site Readiness Dashboard for determining if a site is ready to migrate their EHR. Federal News Network 13 March

Mid-week roundup: another hurdle for Oracle Cerner VA delay, Walmart builds out clinic infrastructure, Cerebral round 3 layoff of 15%, Evolent Health’s 9% layoff, Quil Health age-in-place tech shuts

Oracle Cerner EHR rollout faces yet another hurdle. The Department of  Veterans Affairs (VA) announced that the next go-live, Ann Arbor (Michigan) Healthcare System, originally scheduled for completion by July 2023, would be delayed until much later this year or even early 2024.  It turns out that a key reason for the delay is that Ann Arbor is a VA research center, and there are major concerns that the EHR changeover won’t blend well with their medical research. VA Under Secretary for Health Dr. Shereef Elnahal told FedScoop during a media roundtable that “…there are many VA medical centers that are heavy with clinical research because of their academic affiliations, and so those centers will need this research functionality. It’s not just an issue with the Ann Arbor Hospital.” In the article, Dr. Elnahal also lamented that the VA health system running on two separate EHRs, VistA and Oracle Cerner, presented additional risks to security. Also FedHealthIT   Hat tip to HISTalk 24 Feb

Walmart’s 32 clinics are building out their infrastructure. Working with their Epic EHR, all the clinics are now operating on the Horizon Cloud on Azure platform paired with VMware cloud infrastructure and digital workspace technology services. A blog published by VMware interviewing BreAnne Buehl, director of life sciences solutions for VMware, and David Rhew, MD, global chief medical officer at Microsoft, details the ambitions of Walmart to move beyond ‘minute clinic’ to broader primary care and chronic disease management, into proactive predictive analytics. Becker’s Hospital Review, VMWare

And on the less cheerful side:

  • Beleaguered telemental health/ADHD provider/prescriber Cerebral announced another 15% layoff, cutting 285 people. It is its third layoff in one year, following a 20% cut last October.  Cerebral is also closing its medication-assisted treatment (MAT) program for opioid use disorder (OUD). A Cerebral spokesperson said the decisions were made to reorganize the company to “refocus on the most important service offerings for our patients.” Another reason for the MAT program closing is the pending renewal of requiring in-person visits for certain mental health medications. For instance, the Drug Enforcement Agency (DEA) is proposing that buprenorphine can be prescribed via telehealth for treating OUD for 30 days but then an in-person exam would be required.  Last year, Cerebral faced still-unresolved DOJ and FTC actions on their telehealth prescribing of ADHD and other controlled Schedule 2 medications, from deceptive advertising (FTC) to overprescribing (DOJ) [TTA 18 Nov 22]. Topping this off are dueling lawsuits with former CEO Kyle Robertson [TTA 30 Nov 22]. Cerebral at the end of 2021 was valued at $4.8 billion by Softbank and other investors, but no one wants to talk about its worth today.  Reuters, Layoffs Tracker, Behavioral Health Business
  • Payer/provider management services organization Evolent Health quietly laid off 460 positions in its Chicago operations, about 9% of their 5,100 person staff, starting in December 2022 into last month.  Their Q4 net loss doubled to $11.25 million on $382 million in revenue, doubling 2021’s $5.65 million loss, though full year 2022 closed with a final loss of $19 million, about half of 2021. The company projects Q1 revenue of $420 million to $440 million, with 2023 revenue of $1.92 billion to $1.96 billion with a shift of emphasis to specialty care, bolstered by its closed acquisition in January of Magellan Specialty Health from Centene. Layoffs Tracker, Washington Business Journal
  • Quil Health shut down operations, with employees departing 10 February and executives 24 February. The Philadelphia-based Comcast-Independence Blue Cross joint venture was founded in 2018 to support older adults and caregivers in ‘aging-in-place’ alert and monitoring technology. The sole report in HISTalk states that the website is offline plus their CEO Carina Edwards updated her LinkedIn profile for Quil with a February 2023 end date and changed the company description to past tense, pushing up her board positions. Their Facebook page is still live but no posts after 16 January after announcing their joining the AARP AgeTechCollaborative. In 2019, this Editor wrote that they were developing pre- and post-care support through TV (!) with Comcast working on an ambient sensor-based device to monitor basic vital signs and fall detection, which launched in 2020 as Quil Assure. To this Editor, it sounded like a home version of QuietCare circa 2009 with multiple sensors and diagnostics. 

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated that “We immediately contained the threat, secured our network, and have returned to normal operations,” the spokesperson said. “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.”  NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More according to SC Media in these reports: 

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one to five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. One is a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media