Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

July 7, 2022 | by

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners‘ buy from IBM of Watson Health closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” through health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy from CEO of eSolutions, a former Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex, and Merge Imaging 
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader, now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

August 15, 2019 | by

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June] This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

 Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

The cybersecurity black hole–and bad flashback–that is the Internet of Things

October 29, 2016 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2016/10/blackhole_596.jpg” thumb_width=”150″ /]One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default log in credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet- connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

A Hollywood ending? Medical center’s $17,000 ransom to recover systems from hack attack

February 17, 2016 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]‘Hollywood’ Hulk Hogan is getting a workout! (UPDATED)

Hollywood Presbyterian Medical Center paid $17,000 (40 bitcoins) last night to hackers to regain control of its IT systems after last week’s ‘ransomware’ attack forced them offline. According to CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” HealthcareITNews has the details and the full CEO letter/press release, including that no patient or employee information appears to have been compromised.

Obviously there will be more to follow including the usual opining, but in this resolution and spin, a bad precedent has been set in this Editor’s view. Labeling it a ‘low-tech’ attack shines a Klieg light (this is Hollywood after all) on the vulnerability of this hospital’s system. They now have the decryption key to the malware, but what other bad code and general mischief is buried in their systems to crop up later?  Another question: was the inflated bitcoin number floated to make the paid ransom seem ‘affordable’? Is this a Hollywood ending where all is happy, or is this an episode in the continuing soap opera of ‘Hospital as Cash Machine’?

Our original article follows: (more…)

Fitness trackers, mobile apps shown to leak sensitive data

February 10, 2016 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/09/band1.jpg” thumb_width=”150″ /]An unnerving 35-page report published by Canadian nonprofit OpenEffect, assisted by the Citizen Lab at the Munk School of Global Affairs, University of Toronto, claims that leading fitness trackers and their corresponding mobile apps are veritable sieves of personal data, inviting security breaches. Where Hackermania Runs Wild starts with lack of Bluetooth LE privacy, allowing tracking via Bluetooth even when the tracker isn’t paired to a smartphone. Then many of the companion apps leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users (or others) to insert false activity tracking information. The trackers studied were the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band. Notably the Apple Watch 2.0 was secure.  The full report is titled dramatically “Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security”. Security article, study in PDF, TheStar.com. Hat tip once again to Toni Bunting, former Northern Ireland Contributing Editor. 

Hackers hit another Blue Cross, put 10.5 million members at risk (Breaking)

September 9, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]BREAKING NEWS This time the data breach is at Excellus Blue Cross Blue Shield, which covers upstate New York (Rochester-Syracuse area). It was discovered by Excellus on 5 August but dated back to 23 Dec 13, and reportedly has compromised members’ names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical information. According to the AP/NBC, it also breached other divisions of Excellus and the corporate parent, Lifetime Healthcare: Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare. The source of the hack has not yet been determined.

Excellus joins fellow BCBS members Anthem [TTA 11 Feb], soon to be merging with Cigna, with 80 million; Premera Blue Cross [TTA 24 Mar] with 11 million, Care First with a ‘bag o’ shells’ 1.1. million [TTA 2 June]. The pattern has been such that the national Blue Cross Blue Shield Association (BCBSA) announced in July that it will offer all 106 million of its members identity protection starting next January. (Note for our mathematicians: Anthem has millions of non-BCBS members) Chinese hackers are suspected in the Anthem breach.

FierceHealthPayer broke the story, in this Editor’s estimation, to the healthcare trade area. Rochester Democrat & Chronicle. Excellus message to policyholders. The NBC/AP report also has a video interview with Eugene Kaspersky of the eponymous anti-virus software (and whose Kaspersky Lab was also a hacking victim earlier this year)

Updated via the Rochester Democrat & Chronicle:  FireEye is becoming the ‘go-to’ security company for health organization breaches–Excellus hired them in the wake of the Anthem breach and they discovered the vulnerability facilitating the breach.

23andMe’s FDA coup hazardous to personal DNA data security?

March 5, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/03/DNA-do-not-access.jpg” thumb_width=”150″ /]Genetic test developer 23andMe’s wins with the FDA [TTA 20 Feb] served to clear the path for their current Bloom Syndrome and future kits as Class II devices. It’s long been believed that the company’s real diamond mine is in selling the DNA data gained through the kits, and with consent, to major pharma and medical companies. Proof: recent collaboration announcements with Genentech and Pfizer on genetic research. But how will this data be safeguarded? It may not be a significant concern now, but “Personal DNA information will become far more critical and more important to safeguard than the details of our life circumstances”. Hackermania’s Running Wild with AnthemHealth-sized data breaches (more…)