BT Group hacked by Black Basta, China’s Salt Typhoon breached 8 telecoms in dozens of countries, government records

Telecoms, as linkages to digital health tools and remote patient monitoring, are vital–and lately the target of hackers.

BT Group’s BT Conferencing business division shut down some of its servers following a Black Basta RaaS ransomware breach. After an initial denial to Bleeping Computer, other reports confirmed that the breach was successful in snatching 500GB of data, including financial and organizational data, “users data and personal docs,” NDA documents, confidential information, and more (see screenshot of Black Basta’s leak site, left). BT confirmed that only some servers for the Conferencing business were taken offline and that live conferencing services were unaffected. According to Bleeping Computer, “The cybercrime group also published folder listings and multiple screenshots of documents requested by the company during the hiring process as proof of their claims. The ransomware gang also added a countdown to their dark web leak site, saying the allegedly stolen data would be leaked next week.” BT Group is continuing to monitor and is coordinating with international law enforcement entities. The Russian-based Black Basta since 2022 has been quite successful at its ransomware-as-a-service business; its affiliates have breached over 500 organizations and collected $100 million in ransom payments from over 90 victims, according to CISA and the FBI.

Chinese state-sponsored hackers are no slouches in the telecom hacking business either. Their operation dubbed Salt Typhoon has breached at least eight telecom operators and their operations in dozens of countries. Anne Neuberger, deputy national security adviser to the currently expiring administration, seemed not to be overly alarmed that this activity has been going on for a year or two, stating that “at this time, we don’t believe any classified communications have been compromised.” Companies confirmed by CISA and the FBI are T-Mobile, Verizon, AT&T, and Lumen Technologies. T-Mobile’s breach came via a connected wireline provider’s network, but their chief security officer stated that T-Mobile has no more attacker activity within its network.

Access to telecom networks allowed the Chinese hackers to intercept and steal internet traffic from internet service providers. Neuberger also confirmed that some government traffic had been compromised–that of government officials and the US government’s wiretapping platform–and that there was theft of law enforcement request data and customer call records. Salt Typhoon has also operated under the noms de plume FamousSparrow, Earth Estries, Ghost Emperor, and UNC2286 to breach Southeast Asian government entities and telecom companies since at least 2019. FBI advice–encryption. Bleeping Computer

Mid-week roundup: UK startup Anima gains $12M, Hippocratic AI $53M, Assort Health $3.5M; Abridge partners with NVIDIA; VillageMD sells 11 Rhode Island clinics; $60 for that medical record on the dark web

It may be a little chilly out, but it feels like Springtime For Early Round Funding and Big Partnerships.

Anima, a London-based startup fresh out of Y Combinator, now has a $12 million Series A raise. It was led by Molten Ventures, with participation from existing investors Hummingbird Ventures, Amino Collective and Y Combinator. Its platform combines online consultation with productivity tools for integrated care enablement in one dashboard for primary care. Their founders position it as a single source for patient truth across care settings, avoiding missed diagnoses. As of today, Anima is deployed in over 200 NHS clinics in England caring for a combined 2 million patients and a monthly request volume of over 400,000 requests. They also claim to halve the time practices spend on coding, processing, and filing documents and to resolve 85% of patient inquiries within a day. Shun Pang, co-founder and CEO of Anima, who trained as a doctor at Cambridge University, told TechCrunch: “The entire clinic collaborates in a real-time multiplayer dashboard, like Figma, and can ping cases to each other, and chat with a Slack-like UX.” He also added that Anima’s processing system can “autonomously ingest any document, like handwritten, diagrams, imaging, and output a summary, with structured fields.” Anima has not entered the US market yet. Anima blog/release, Tech.EU

Hippocratic AI raised a jumbo $53 million Series A for what they term the first safety-focused Large Language Model (LLM) for healthcare. AI of course is the hottest funding area in healthcare. With two previous rounds raised in mid-2023, their total funding is $118 million (Crunchbase), creating a valuation estimated at $500 million. Investors were co-led by Premji Invest and General Catalyst with participation from SV Angel and Memorial Hermann Health System as well as existing investors Andreessen Horowitz (a16z) Bio + Health, Cincinnati Children’s, WellSpan Health, and Universal Health Services (UHS). Their product is a novel staffing marketplace where health systems, payors, and others can “hire” auto-pilot generative AI-powered agents to conduct low-risk, non-diagnostic, patient-facing services to help solve the massive healthcare staffing crisis. This is now being released for phase three safety testing with 5,000 licensed nurses, 500 licensed physicians, and the company’s health system partners. Release

San Francisco-based startup Assort Health now has a seed round of $3.5 million to advance its generative AI approach to healthcare call centers. Its goal is to eliminate front desk stress and call center/service holds. Their system in development uses AI and NLP (natural language processing) to understand a caller’s intent, then integrates with the medical providers’ EHR, including Epic, to resolve patient inquiries without human intervention. Funding was led by Quiet Capital (!) joined by Four Acres, Tau Ventures, and a number of angel investors from tech companies. Release

Another generative AI company with a substantial Series C under its belt, Abridge, is partnering with super-hot NVIDIA. The partnership also comes with undisclosed funding from NVIDIA’s VC arm, NVentures, to add to last month’s $150 million raise. Abridge is developing conversational AI technology using LLM and speech recognition to ease the burden of taking notes during the doctor’s appointment, with fluency in 14 languages across 55 medical specialties. Abridge’s technology is designed to capture clinician-patient conversations and structure the scribing. NVIDIA’s partnership will give Abridge access to NVIDIA’s computing resources, foundation models, and expertise in efficiently deploying AI systems at scale. Release

Another episode in the continuing Walgreens Restructuring Saga has VillageMD selling 11 practices to Arches Medical Partners. The practices are located in the Providence metro area of Rhode Island and consist of three urgent cares and eight offices with a total of 50 physicians and 75,000 patients. It is unusual because it is the first time that VillageMD sold their practices instead of closing the offices, which they are doing with 85 to 90 offices. Transaction cost was not disclosed but closed on 2 March. Arches is based in Cambridge, Massachusetts. Arches not only acquires practices but also deploys software from its wholly-owned technology subsidiary, New Era Medical Operations (NEMO), to enable IPAs to negotiate and manage global risk contracts. Arches release, Becker’s, Crain’s Chicago Business

Wondering why ransomwareistes, their affiliates, and hackers in general are attracted to healthcare? It’s the value of a medical record. Going rates on the ‘dark web’ are now topping $60, according to CNBC’s source, cybersecurity researcher Jeremiah Fowler. By comparison, a Social Security number is a bargain at $15 and a credit card number a mere $3. It’s also easier to hack than ever due to affiliate relationships termed ransomware-as-a-service or RaaS. The ransomware is supplied, the affiliate hackers do the work, and they share in the rewards–most of the time (see ‘notchy’ being scammed by BlackCat/ALPHV on the Change Healthcare cyberattack TTA 5 Mar). But this doubles or triples the potential for company extortion, with multiple ‘actors’ attacking a company, extorting a ransom, and then keeping healthcare data and selling it through their channels.

The article concludes that healthcare execs need to get very, very serious about protecting their data. Yet this year has marked healthcare downsizing IT departments in order to save money. This is as security software has proliferated–but it has to be purchased and managed. Another distressing fact: this Editor only last week attended a major NYC conference on cybersecurity. Healthcare was mentioned only in passing as a market. Worse, not until this Editor questioned a speaker from the floor was the massive Change Healthcare attack even mentioned–and unfortunately she knew more about it than the speaker!

Change Healthcare cyberattack persists–is the BlackCat gang back and using LockBit malware? BlackCat taking credit. (update 28 Feb #2)

On Day 7, reports, like recollections, may differ. Today’s Reuters report (26 Feb) attributes the attack on Change Healthcare, which has snarled pharmacies and hospitals since Wednesday [TTA 23 Feb], to a revived BlackCat (a/k/a ALPHV) ransomware operation. Readers will recall that the FBI busted BlackCat right before Christmas last year, seizing their operational darknet websites and putting up a most showy home screen. They worked their way into the BlackCat operation via their affiliate operation. However, BlackCat rebooted a few days later, made an appearance, and went back underground. As Bleeping Computer predicted then, BlackCat is apparently back and, adding insult, not even under a new name. 

Bleeping Computer today reported that BlackCat’s hack went through a critical ConnectWise ScreenConnect auth bypass flaw (CVE-2024-1708 and 1709) which was actively exploited in attacks to deploy ransomware on unpatched servers. This was confirmed by Reuters and Health-ISAC, a healthcare-focused organization engaged in cyber best practices and threat intelligence, via the American Hospital Association’s AHA Cybersecurity Advisory today (26 Feb). AHA is advising healthcare organizations to actively reevaluate their connection or disconnection status of Change Healthcare systems which have been deemed safe by Optum.

As of today, BlackCat did not claim credit for taking down Change’s systems nor is there any report of a ransom demand. It is perhaps too early to determine if there has been any data theft. Nor are there reports of other healthcare or other organizations being attacked through the ScreenConnect flaw.

Optum has a page detailing the status of Change Healthcare’s individual systems here. Optum has a statement that has remained nearly the same on issues with connectivity since last Wednesday.* This Editor’s experience of the page is that it needs refreshing to view the full version. Regarding the systems, they are a long list to scroll through and your Editor lost count after 100. Most have red Xs by them. Some systems are checked green. Change is also holding Zoom calls to update partners. Reuters reported that Alphabet’s cybersecurity unit Mandiant is in charge of investigating the attack.

Change Healthcare processes 15 billion healthcare claims annually. This attack seems to have hit their pharmacy software the hardest. These software tools are used to verify patient eligibility for specific medication and also their insurance coverage. The outage not only covers the big chains like CVS and Walgreens, but also Tricare and the Military Health System (MHS) globally. TTA 22 Feb, updated 23 Feb.

A Friday report in SC Magazine indicated that the malware used by BlackCat was a strain of LockBit malware going through the ConnectWise ScreenConnect bypass flaw. Their source, Toby Goucker, chief security officer at First Health Advisory, stated that their firm found the ScreenConnect flaws and sent out a notification on 19 February. Goucker noted that bad actors prey on the gap between when these vulnerabilities are uncovered and announced and when patches are actually applied. However, Goucker was not able to confirm that Change uses ScreenConnect.

Ironically, the LockBit ransomwareistes were busted only last week by a combined UK NCA and US DOJ/FBI effort. Like weeds, they never go away entirely.

Oddly, Change Healthcare’s website home page does not have a notice about their problem or direct to a page on their or UHG’s site about it for assistance. We know you’re busy, guys, but from this Editor’s marketing perspective not having an information banner and redirect to the Optum page is a basic communication failure.

**This is a developing story and will be updated.**

*Update 27 Feb 9am Eastern Time.

A repeat of Optum’s boilerplate statement on their page today indicates this cyberattack is still unresolved for most of Change Healthcare–and will remain unresolved at least through today:

Update – Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.

We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
Feb 27 2024 – 09:03 EST

Identical message 28 Feb 10:48am ET indicating that the effects of this attack are now one week old.

Updated 28 Feb: DataBreaches.net (“The Office of Inadequate Security”) reports that BlackCat is taking credit for it.

“BlackCat informed DataBreaches that yes, they are responsible for the attack. DataBreaches has asked them if they are willing to share any additional details and will update this post if any are received.”

This Editor is also following coverage in the usually reliable The Register which added a reply they obtained from Optum: “Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems.” They are not confirming the perpetrators. 

#2 update from DataBreaches may point to Change Healthcare as well as healthcare in general. Here is part of a Cybersecurity Advisory (CSA) that is an ongoing #StopRansomware effort by the Cybersecurity and Infrastructure Security Agency (CISA). CISA was joined by the FBI and interestingly, the Department of Health and Human Services (HHS). They “are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.” The addition of HHS as well as February 2024 should be noted. “FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.” Could this be behind what is going on at Change Healthcare–a BlackCat full-court press versus US healthcare?

And at least one major hospital CEO wants answers now. Tampa General Hospital CEO John Couris went up to Optum’s CEO Amar Desai in the speaker room at the ViVE conference in Los Angeles on Monday, and the answer was far less than satisfactory. “And his answer to me was, ‘We’ll have an update in two days.’ So I don’t think he knows.” Mr. Couris speculates that Change Healthcare will 1) not pay ransom and 2) rebuild its systems in maybe four weeks–and explains how that puts hospitals like his that use Change as a clearinghouse for claims in, to put it mildly, a pickle. MedCityNews

23andMe data breach may have targeted those of Jewish and Chinese heritage; company valuation crashes (updated)

23andMe’s hole gets deeper. And deeper. As more dots are connected on their data breach–and financial situation.

Part 1: The data breach that exposed 6.9 million records at genetic testing and data company 23andMe isn’t only being fought in the courts as to who to blame (customers recycling already compromised passwords versus a site vulnerability to brute-force hacking). It appears the hackers had specifically targeted people with Chinese or Ashkenazi Jewish heritage. Worse, 23andMe is not addressing that. The evidence was there as early as October.

  • 1 October: an unknown person posts on the 23andMe subReddit that they had customer records, posting a sample of the stolen data. Supposedly this is how 23andMe found out that their user data had been hacked and stolen. (Editor’s note–this zero-trust breach beggars credibility in a tech-oriented company.)
  • 6 October: 23andMe’s blog post announcement of the initial 14,000 records hacked in their customer base, which later grew to 6.9 million records through links to MyHeritage (added when extending Family Tree functionality) or through users sharing their information by opting into 23andMe’s DNA Relatives feature.
  • 6 October: Wired’s reveal that earlier in that week, a hacker posted on BreachForums a data sample of what they claimed were 1 million records exclusively on those of Ashkenazi Jewish heritage, plus hundreds of thousands of records on those of Chinese heritage. By Wednesday, the hacker was selling what was claimed as 23andMe profiles with information on display name, sex, birth year, and details on genetic ancestry results, but not raw genetic data. Pricing was between $1 and $10 per account depending on number purchased.
  • By December, 23andMe was squarely blaming users for reusing passwords (credential stuffing), even if they created a unique password, and denigrating their right to demand legal accountability from 23andMe on their lax security procedures. [TTA 6 Dec 23, 19 Jan]

None of the contacts that 23andMe has made with users since October, including the letter sent to breached users (via TechCrunch) refers to any specific ethnic group targeting. 

World events made this targeting and timing very important. The brutal attack by Hamas in the south of Israel was the very next day after the breach was disclosed, 7 October. It killed 1,200 civilians, with over 200 hostages. Israel declared war on Hamas in Gaza which still goes on, as do the demonstrations against Israel and overt anti-semitism. Given the targeting evident in this breach of individuals with information for sale, by 11 January Representative Josh Gottheimer (CD-5, NJ) sent a letter to the director of the FBI to investigate the hacking, specifically because the information could be purchased via sites used by hackers to merch this type of information–and used to target Jews globally.

Third-party data included in the hack? There is also the possibility that DNA information from third parties such as Sequencing entered 23andMe’s database. In Illinois and other states, this type of sharing is illegal without specific consent. This information could also have been stolen without the knowledge of the individual. This has sparked additional class action lawsuits. The Times of Israel

Part 2: 23andMe is in poor shape financially. Like all too many companies that went public in 2021, 23andMe is a cracked SPAC that debuted in February 2021 above $16, with a company valuation of $6 billion, and now is trading on Nasdaq at $0.73 which gives the company a negligible value. Revenue is upside down and the company is torching through the $1.4 billion it raised both in the market and through private investment. The WSJ’s estimate in a far-reaching article is that it is 80% gone. Founder Anne Wojcicki’s stock has supervoting privileges which means she effectively controls the company, not the shareholders.

Both Ancestry (remember them?) and 23andMe had ups and downs from 2015 but the hype, especially after the Theranos implosion that year, was stunning. Genetics became The Next Big Thing That Would Save Health Tech. The large flaw–the market for genetic testing for ancestry and/or health is a ‘one and done’, which TTA predicted back in 2020 and earlier. Wojcicki guessed early on that a revenue model lay in selling de-identified genetic information to pharma. But their five-year exclusive deal with GSK ended last year and led to an 11% layoff [TTA 10 Aug 23]. Subscriptions for lifestyle counseling starting at $200 and exceeding $1,100 never took off. Growing their $400 million Lemonaid buy from fall 2021 into a more robust and integrated telehealth platform never happened. Her long-term bet was moving into drug discovery using all that DNA data, but only two drugs of 50 have reached early-stage human trials.

Whether 23andMe will climb out of this crater, both financial and data security, as they did several times in early days, is to be seen. But Wojcicki’s personal brand apparently remains in great shape, unlike their data security. Also Futurism

*Updated 2 Feb for additional references, content, and copy editing

2023’s global cyberattack disaster: healthcare #3 in weekly attacks, 10% of organizations ransomwared–report

An average of 1,100+ cyberattacks per organization per week. Let that sink in. While it represents only a 1% increase over 2022, and averages are well…averages, this is a lot to handle for any organization even if nowhere near the weekly average.

The report from Check Point Software Technologies, Ltd. an Israel (Tel Aviv HQ) and US-based IT security organization, is depressing reading for any company, especially for healthcare. (Editor’s note: Check Point’s data is derived from ThreatCloud AI, their intelligence engine.) Many of the large numbers are boiled down to averages per organization per week.

  • In terms of general cyber attacks globally, healthcare is #3 with an above-average 1,500 attacks per organization per week, right behind #2 government and military; education is far ahead at #1 with 2,046 per organization per week. The healthcare figure was up 3% versus 2022.
  • Retail and wholesale attacks are up 22% annually–a cautionary note for healthcare organizations engaging in retail operations.
  • Regionally, APAC (1,930 attacks) and Africa (1,900 attacks) led with increases at 3% and 12% respectively.

We not only must be concerned with ransomware–but mega-ransomware. These include zero-day exploits (a software flaw exploited by the hacker/ransomwareiste before the vendor or developer finds it). Rather than being content with encrypting data and demanding bitcoin for its release, the hyper version is now data theft followed by extortion campaigns threatening public disclosure of the stolen data, such as the campaigns that exploited flaws in MOVEit and GoAnywhere. Not mentioned here is another vector–business associates and vendors, targeted with ‘social engineering’ tactics to steal passwords and other secure information to gain access into the larger system [TTA 24 Jan].

  • 10% of global organizations were targeted by a ransomware attack, up 3 percentage points from 2022.
  • Healthcare again was above average, #3 with 12% of organizations experiencing attacks. Government/military was #2 with 16% and education/research #1 with 22% of organizations.
  • The Americas went up from 5% in 2022 to 9% in 2023. APAC and EMEA were higher and also increased.

Advice they give on security is logical: robust data backup, cyber awareness training, up-to-date patches, stronger user authentication, implementing anti-ransomware solutions, and utilizing better threat prevention. Can healthcare do this while leaning out IT, fighting collapsing margins, and transforming care delivery?

News roundup: Bright Health now NeueHealth; breached patient records double, RCM as vector for hacking; Amazon’s CCM marketplace; JPM reflects the new reality; fundings for Vita Health, Turquoise, CardioSignal

Bright Health Group switches off, takes on NeueHealth name. Now that Bright Health has sold its remaining operating health plans to Molina Healthcare [TTA 3 Jan] with others closed down or insolvent like Texas [TTA 12 Dec 23], they have smartly pivoted to the name of their remaining value-based primary care operation, NeueHealth. (Inexpensive, too.) Accordingly, on 29 January, their NYSE listing will convert from BHG to NEUE. The stock value closed today at $13.25, well down from its 52-week high of $79.04. NeueHealth’s operations are divided into NeueCare, which is comprised of their owned clinics and partnerships with affiliated providers, and NeueSolutions, which is a management services entity that organizes independent providers and physician groups into performance-based ACA Marketplace, Medicare, and Medicaid-based ACO models, including the advanced performance ACO REACH program which covered 60,000 beneficiaries in 2023. Unsurprisingly, the company HQ is moving from chilly Minneapolis to much warmer Doral, Florida, nearer to three of their major clinic networks and 150,000 of its claimed 275-295,000 ‘health consumers’ forecast for 2023. 2023 revenue forecasts for NeueCare are $250-275 million and NeueSolutions $890 million. They have also stated that the corporate move will not affect jobs remaining in Minneapolis, which may be few.

As to the bills coming due for CMS liabilities and debt owed to New Enterprise Associates now that JP Morgan has been paid…not a word. We continue to hand it to Bright, now NeueHealth, for the Best Gordian Knots in Healthcare. Release, Healthcare Dive

Patient records exposed in data breaches doubled in 2023 versus 2022. According to an analysis by cybersecurity firm Fortified Health Security of HHS’ Office of Civil Rights (OCR) data, which tracks data breaches, in 2023 there were 116 million patient records exposed, topping the over 100 million of 2015, with over 655 breaches, a decrease from 2022’s peak of 721. Of that 116 million, over 112 million were from three health plan breaches: Anthem, Premera Blue Cross, and Excellus. Ten-year total? A stunning 489 million. What also increased over those 10 years by 143% were breaches stemming from business associates–vendors providing services to the covered entity. The just-published Horizon Report (free, available for download here) also reveals that the average recovery cost for a breach is $9.48 million. And health plans and systems are cutting IT staff? Healthcare Dive

One way that hackers are finding their way into healthcare organizations is via ‘social engineering’, but not always of employees. They’re targeting business associates at revenue cycle management (RCM) companies serving health systems and hospitals. The American Hospital Association is warning members that hackers are cannily evolving their tactics to defeat security procedures such as multi-factor authentication and that members have to anticipate hacker tactics. From Becker’s, hackers “steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions. They then request to reset their passwords and enroll new devices, getting full access to the employees’ accounts and diverting payments to fraudulent bank accounts.” The fraudulent accounts are based in the US, with the funds then diverted overseas. The AHA recommends at minimum a call back to the employee on these new device enrollments, a call to the person’s supervisor, or as in the case of one health system, a physical appearance at the help desk. AHA article

Amazon enters the chronic care management field through a tried-and-true (for them) vector–e-commerce. Search for a health device like a glucose monitor, a blood pressure cuff, or pulse oximetry, and receive a ‘direction’ to a management service that they may be eligible for at no or low cost through their employer or private health insurance. The kickoff partner with Amazon is chronic care management company Omada Health in the diabetes prevention, diabetes, and hypertension categories. Omada claims 20 million eligible members across 1,900 enterprises. This mode may get better traction with Amazon shoppers than directly providing them with health services such as Amazon Pharmacy, One Medical (primary care), and Amazon Clinic (asynchronous telemedicine). Omada didn’t disclose the revenue model. Omada release, Healthcare Dive

Wrapping up the JP Morgan healthcare conference, the New Reality permeated it, even if some didn’t want to admit it. As this Editor projected back in December, the board is being cleared of the also-rans and never-should-have-beens. You see a general cleansing of the cant and hype infecting a sector, which is initially unnerving. We are cycling through this stage fairly rapidly to emerge…where, we don’t quite know yet. Unlike some other publications, MedCityNews can never be mistaken for an industry cheerleader (even if you have to read between the lines). Their extensive coverage confirmed this emerging view of 2024.

  • Katie Adams didn’t make it to SF for her article on nine JPM takeaways, but she sussed out that life sciences isn’t ready for AI, GLP-1 drugs won’t solve obesity, transactional telehealth for urgent and behavioral care is over, founders are trying to figure out fundraising timelines, and retail clinics are suddenly Not All That. And more.
  • Arundhati Parmar profiled a company–one of all too many–that cycled from high to low: Butterfly Health. They started in 2011 to develop the first point-of-care handheld ultrasonic probe using a semiconductor chip that connected to a smartphone, became a unicorn by 2018, went public via a SPAC in 2021 at over $19, cracked hard, and now trades around $1. Their new CEO used the JPM platform to explain that their 2023 revenue slide wasn’t so bad because they were working their way through the longer-than-they-ever-imagined adoption curve by cutting $200 million in costs out of the company and building up their cash reserve. They may survive, or not, given that competition has names like GE Healthcare, Philips, and Siemens. But their ideas around selling the technology of the semiconductor chip to healthcare companies outside of ultrasound and opening their POCUS to developers (like Apple) are clever. It sounds like a company that could fit into a PE portfolio, if only some wallets and checkbooks opened.

And another marker of the New Reality: Scripps Health in San Francisco, hit hard by a cyberattack in 2021, announced at JPM that they hired Todd Walbridge, recently retired from the FBI as their supervising agent in their San Diego cybersecurity hub, as senior director for corporate and system safety and security. He had worked with Scripps on their cyberattack during his diverse career with the FBI. Mr. Walbridge is not only in charge of cyber, but also of physical security as workplace violence and assaults on staff have soared. FierceHealthcare

And we’ll wind up with some fundings, modest ‘green shoots’ in winter:

  • Vita Health, based in Connecticut, secured $22.5 million from seven investors for their suicide prevention and therapeutic telehealth platform. A 2022 seed raise totaled $8.38 million. Release, Mobihealthnews
  • Turquoise Health, based in San Diego, gained a $30 million Series B investment from four investors for expansion of its healthcare pricing platform used by 160 healthcare organizations. 2021-22 seed and Series A raises totaled $25 million. Price transparency is a 2024 hot button issue from government to enterprises to payers. Release, FierceHealthcare  
  • CardioSignal raised another $10 million in a Series A from three investors, bringing total funding to $23 million. Based in Finland and Palo Alto, CardioSignal uses a smartphone’s accelerometer and gyroscope to analyze the precordial micro-vibrations produced by cardiac motion. The initial on-phone analysis takes one minute; the recording is then transferred to the company’s cloud for additional analysis, which is returned in about another minute. Release, Mobihealthnews

23andMe hacking may have affected 6.9 million+ users–not 14,000–in massive PII breach

What was 14,000 may affect up to 6.9 million users. Genetic testing and information company 23andMe is now admitting that the October data breach, which per its SEC filing last Friday affected 0.1% of its 14 million customer base, or 14,000 users, may have exposed the records and personally identifiable information (PII) of 6.9 million users, about half its customer database. In later replies to industry publications TechCrunch and WIRED, a 23andMe spokesperson admitted that hackers accessed the PII of about 5.5 million people who had opted in to 23andMe’s DNA Relatives feature. Add to that an additional 1.4 million who “had their Family Tree profile information accessed”, Family Tree being an enhancement to DNA Relatives. The DNA Relatives breach exposed individual and family names, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location. Family Tree information exposed display names, relationship labels, birth year, self-reported location, and whether the user had chosen to share their information.

(Editor’s note: The size of the breach is enough to revive this vintage picture of WWF/WWE wrestler Hulk Hogan in his ‘Hulkamania Running Wild’ persona.)

23andMe has attributed the massive breach to credential stuffing: attackers replaying username/password pairs leaked from other websites and services against 23andMe’s login, on the bet that users reuse passwords. But many users have gone public with the information that their 23andMe logins were unique to that site. 23andMe’s credibility on this issue took a beating from none other than the US National Security Agency (NSA) cybersecurity director Rob Joyce. He wrote on his personal X account that “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” In fact, Mr. Joyce creates a unique email for each account. The cause of the wider breach may lie in data sharing with a partner, MyHeritage, in adding functionality to Family Tree. It seems clear that credential stuffing wasn’t the only technique used to get at the 23andMe user data.
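Credential stuffing leaves a recognizable trace in authentication logs: one source trying many different usernames in a short window with a high failure rate, and the occasional success in that burst is an account the attacker now controls. The following is an added example, not code from this article or from 23andMe, that flags that pattern over a few constructed log lines (the log format, the thresholds and the ‘known leaked’ list are all assumptions for illustration) and then, following Mr. Joyce’s point, separates the successful logins that a leaked credential list could explain from those it could not.

```python
"""Credential-stuffing triage over constructed authentication log lines.

Added example, not code from the original article or from 23andMe.
Assumed (hypothetical) log format, one event per line:
    <ISO-8601 UTC timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
The thresholds and the KNOWN_LEAKED list are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 walks through ten different usernames
# in ten seconds with two successes (a stuffing burst); 198.51.100.2 is a
# user who mistyped a password once; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T12:00:00Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T12:00:01Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T12:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank LOGIN_OK
2023-10-01T12:00:06Z 203.0.113.7 grace LOGIN_FAIL
2023-10-01T12:00:07Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T12:00:08Z 203.0.113.7 ivan LOGIN_FAIL
2023-10-01T12:00:09Z 203.0.113.7 judy LOGIN_FAIL
2023-10-01T12:05:00Z 198.51.100.2 alice LOGIN_FAIL
2023-10-01T12:05:10Z 198.51.100.2 alice LOGIN_OK
2023-10-01T12:06:00Z 192.0.2.9 bob LOGIN_OK
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_USERS = 8           # assumed: many usernames from one source
MIN_FAIL_RATIO = 0.6             # assumed: mostly failures

# Constructed stand-in for a corpus of credentials known to be leaked elsewhere.
KNOWN_LEAKED = {"carol"}


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {source_ip: [usernames that logged in successfully during a burst]}.

    A burst is any window of one IP's events that touches at least
    `min_users` distinct usernames with at least `min_fail_ratio` failures.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "LOGIN_FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits[ip] = sorted({e[2] for e in win if e[3] == "LOGIN_OK"})
    return hits


def unexplained_successes(hits, leaked=KNOWN_LEAKED):
    """Successful logins inside a stuffing burst whose username is NOT in any
    known leak: plain credential stuffing does not explain how the attacker
    had these credentials, so they deserve a closer look."""
    return {ip: [u for u in users if u not in leaked]
            for ip, users in hits.items() if any(u not in leaked for u in users)}


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    print("stuffing sources and compromised accounts:", found)
    print("successes not explained by known leaks:", unexplained_successes(found))
```

The thresholds need tuning per site: a corporate NAT or a mobile carrier gateway legitimately shows many usernames behind one address, which is why the failure ratio is required alongside the distinct-user count, and in practice the per-IP key is better replaced by a device fingerprint or session cookie where one is available.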

23andMe, as well as Ancestry.com and MyHeritage, now require or strongly recommend two-factor authentication for access to personal accounts. About time. They have also changed terms of service to “encourage a prompt resolution of any disputes”.

What is distressing is that the hacks on the retail side of 23andMe are only the tip of the iceberg–that the really valuable part of their genetic data goes to pharmaceutical companies. Cyberthieves know that motherlode is incredibly valuable to bad actors like the Chinese and the Chinese Communist Party, both key markets for stolen health data. (Developing)

Another turkey: potential 9M patients affected by medical transcription vendor data breach

Vendors are hot, hot, hot…with hackers. In another notable vendor data incident, Perry Johnson & Associates (PJ&A), a Henderson, Nevada-based provider of transcription services for hospitals and physician practices, reported a data security incident to the US Health & Human Services (HHS) Office for Civil Rights (OCR) on 3 November. An intruder was in PJ&A’s network and copied files between 27 March and 2 May, when the activity was detected. 8.95 million individuals were affected, including over 4 million patients of Northwell Health, the largest health provider in New York State, and of Crouse Health in Syracuse. Northwell hasn’t had much luck with transcription providers, having also been affected earlier this year by the breach at Nuance Communications, which was hit through one of its own vendors, Progress Software’s MOVEit Transfer managed file transfer product, in the mass exploitation traced to the CLOP ransomware gang [TTA 3 Aug].

Personal health information stolen for all included name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. While the records didn’t contain financial information, some patients may have had breaches of their Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

PJ&A notified affected providers on 29 September and affected patients on 31 October. In addition to the 4 million+ in New York, 1.2 million individuals were served by Cook County Health in Illinois. The rest have not been identified. TechCrunch, News4NY, PJ&A notice 

Mid-week roundup: Colorado terms Friday Health Plans; Cano 3 continue to savage board; Amazon Pharmacy layoffs; hacking attacks: QuickBlox, Barts Health; Phreesia buys MediFind; financing pops for K Health, Amino

Colorado liquidates, terminates insolvent insurtech Friday Health Plans. The Colorado Division of Insurance (DOI) had placed it into receivership in June after the company declared it would close, unable to find funds to operate its plans. On Monday, the DOI moved to liquidate its operations and terminate the plan effective 31 August. Their 30,000 policyholders on individual Affordable Care Act (ACA) exchange plans will be scrambling to find new coverage. In the receivership move, DOI had hoped that Friday had enough funds to keep the state plan solvent through end of year, but they did not. According to the Colorado Sun, Friday still owed unpaid Federal taxes as well as roughly $2 million in fee payments to the state’s insurance exchange, Connect for Health Colorado, which left the DOI without much hope. Friday had previously just about shut down its headquarters in Alamosa. This leaves not only 30,000 individuals scrambling, but also out eight months and perhaps thousands of dollars in deductibles as these plans tended to be high deductible. Colorado DOI opened a special enrollment period (SEP) for Friday policyholders and insurance brokers starting immediately through 31 October.  Providers are protected somewhat through the state’s Colorado Insurance Guaranty Association but many stopped taking Friday-covered patients last month. Friday’s crash-and-burn is the worst example of an insurtech’s demise to date and not promising for policyholders in other states such as Texas, Georgia, Oklahoma, and Nevada. Healthcare Dive

The Cano 3 attack in the continuation war with the Cano Health board. In the latest episode of this telenovela, resigned directors Barry Sternlicht, Elliot Cooperstone, and Lewis Gold, who among them have about 35% of the company’s shares, are still supporting interim CEO Mark Kent but pressing hard to oust three of the directors reelected at the last shareholder meeting, including Marlow Hernandez, the founder and former CEO. What’s new is that they have declared war on Sol Trujillo as chairman and Angel Morales as chair of the audit committee as allies of Dr. Hernandez. In addition to divesting five directors and the interim chief legal officer plus ending their high monthly equity awards, they support divesting non-core assets. Mark Kent will have to be Clark Kent ducking into the phone booth to succeed in this. Press release  Mr. Sternlicht cannot be in a good mood, as Starwood Capital Group is in default on a $212.5 million mortgage on an Atlanta office property, Tower Place 100, in the continuing souring of the commercial real estate market. Fortune

Amazon Pharmacy has laid off 80 employees, mostly pharmacy technicians and team leaders, in continuing cutbacks there. This is the former PillPack. One would think that it would be expanding based on the growing medical needs of One Medical and Amazon Clinic. About the latter which was to roll out nationally today but was questioned on data privacy grounds, as of today there is no update announcement. To date, Amazon has released an amazing 27,000 workers. Semafor, Becker’s

Cybersecurity also racked up some hacks in the past week or so:

  • A popular software framework used in telehealth and financial applications, QuickBlox, was found to have several critical security flaws. The QuickBlox SDK (software development kit) and API (application programming interface), used to build chat and video applications, had vulnerabilities that allowed researchers to take over multiple accounts, compromise the user database, and extract PHI. They also would have permitted an attacker to impersonate a physician or patient and alter health records. The flaws were reported by Claroty’s Team82 and Check Point Research (CPR) and have since been fixed. Blow-by-blow with screenshots in Cybersecuritynews and overview in Becker’s.
  • Barts Health NHS Trust was hacked by BlackCat, a/k/a ALPHV. About 70 terabytes of data were stolen, which BlackCat claims as the largest breach in UK medical history. Around 30 June, ALPHV listed the stolen data, including employee identification documents such as passports and driver licenses, and internal emails labeled “confidential”. Barts runs five London hospitals and serves more than 2.5 million patients. The Barts Health hack adds to NHS misery after an earlier attack on a University of Manchester NHS dataset with information on 1.1 million patients across 200 hospitals. The same Russian CLOP ransomware gang that got Johns Hopkins [TTA 19 July] also got Ofcom, the UK’s communications regulator. TechCrunch

Yes, there is good news in M&A and funding:

Phreesia is buying MediFind. No purchase price or management transition was disclosed. Phreesia is a patient intake platform that grew from a tablet used in practices for scheduling and patient check-in to a fully featured platform for workflow, claims, outreach and patient education. MediFind uses machine learning and analytics to connect patients with leading experts, clinical trials, health systems, and healthcare technologies. Phreesia is one of the few 2019 vintage IPOs to not crater–it’s trading on the NYSE at above $32 though as recently as end of 2021 its share price was double. Phreesia release.

K Health gained an unlettered venture round of $59 million from Cedars-Sinai, its new partner, plus current investors, including Valor Equity Partners, Mangrove Capital Partners, and Pico Venture Partners. This brings funding for this Israeli company to $330 million through a Series E. K Health’s platform uses a chat function that pre-screens patients with symptoms, uses AI to suggest possible diagnoses based on that person’s medical history, age, and gender, and will connect with a doctor or nurse if needed–which sounds somewhat like Babylon Health and Zipnosis. The chat can be used for primary care, some pediatric areas, urgent and chronic care management. K Health claims that 10 million individuals have interacted with K Health’s AI, and 3.1 million patients in 48 states have chatted with a doctor or nurse. FierceHealthcare

Amino, a navigation platform, received $42 million in credit financing from Oxford Finance. This was the final part of its $80 million venture raise in May. Amino connects physical and mental healthcare providers and benefits programs with members at self-insured employers and health plans, managed by third-party administrators, brokers, and human resources. Members access recommendations for providers and relevant benefits. Amino’s total funding is $125 million, mostly in venture rounds. Its last letter round was a Series C in 2017. It’s a busy sector with similar companies like Accolade, Rightway, and Transcarent.  Mobihealthnews

Ransomware roundup: TimisoaraHackerTeam (THT) attacks cancer centers; KillNet’s ‘Sudanese’ member; 101K ChatGPT accounts infostolen; LockBit attacker arrested on Federal charges

TimisoaraHackerTeam (THT) attacked an unnamed US cancer center in June, demanding a ransom of 10 bitcoins ($300,176). The Central European, possibly Romanian-based group (named after a Romanian city) was first identified in 2018 and was last tracked to an April 2021 attack on a French hospital. Rather than custom ransomware, THT encrypts victims’ data with legitimate software, Microsoft BitLocker and Jetico’s BestCrypt, which makes the activity harder to flag than a known malware family. Reports state that initial access came through Fortinet’s FortiOS SSL-VPN via CVE-2022-42475, a heap-based buffer overflow that allows a remote attacker to execute code or commands using specially crafted requests. THT may be linked to other malefactors such as DeepBlueMagic and China-based APT41, based on the software used and the style of the ransom notes. DeepBlueMagic disabled an Israeli medical center, Hillel Yaffe, in October 2021.

The cancer center and Heimdal Security were able to recover the affected records with decryption tools, since the files were only partially encrypted, and so avoided paying the ransom. HHS’ Office of Critical Infrastructure Protection has issued a notification with details on the attack here (PDF). SC Magazine, Healthcare Dive

KillNet, the Russia-based agglomeration of anti-Western hacktivist groups, has a possible new member in the interestingly named Anonymous Sudan. Its modus operandi is distributed denial of service (DDoS) attacks, framed as retaliation for supposedly anti-Islamic views or actions of Western organizations (24 Australian organizations to date). But the DDoS claims are as much smokescreen as attack: they tie up cyberdefense resources, spread panic and disinformation, and gain publicity for the group. Researchers at CyberCX noted that the DDoS attacks have been intense but unusual, in that Sudan (the country) apparently did not instigate them and they have not been monetized. SC Magazine

Surprise, surprise–infostealer malware is harvesting ChatGPT accounts. The malware infects browsers on compromised devices and collects saved credentials, bank card details, crypto wallet information, cookies, browsing history, and other information; ChatGPT logins turn up in those stealer logs, which are then sold on the dark web. Most of the affected devices are in Asia-Pacific. Of the 101,134 compromised accounts tallied by Group-IB, most (78,348) were taken by Raccoon/RecordBreaker, with the remainder captured by Vidar (12,984) and RedLine (6,773). Because ChatGPT stores conversation history by default, a stolen login also exposes whatever the user has pasted into it. ChatGPT is being adopted by individual employees and used from personal devices without the usual IT security vetting, so for now it sits largely outside enterprise controls, and for hackers it’s ‘happy time’. SC Magazine

But sometimes the bad actors get caught and dragged back to New Jersey. The FBI finally caught up with Russian national Ruslan Magomedovich Astamirov, who is accused of being part of the ransomware gang LockBit. The two counts filed in the US District Court for the District of New Jersey are conspiracy to commit fraud and related activity in connection with computers, plus the ever-popular conspiracy to commit wire fraud, for extorting money and property between 2020 and 2023. The attacks were on businesses based in West Palm Beach, France, Tokyo, and Virginia, and brought in about $90 million in ransom payments. Astamirov is alleged to have owned and used the email addresses, IP addresses, and Amazon and Microsoft accounts involved in the attacks. NJ was chosen as the venue since one LockBit victim was in Essex County. SC Magazine, Criminal Complaint filed against Astamirov (PDF)

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on NextGen Healthcare, an EHR/practice management platform used by small to enterprise-sized specialty practices. The group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time they reportedly exhibited NextGen information on their extortion site, but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated: “We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute report and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More from SC Media’s summary of the reports:

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one and five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions: a software bill of materials (SBOM) listing the commercial, open source and off-the-shelf components in the device software, adequate evidence that the product can be updated and patched, and a description of security testing and controls. These were before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and one long expected by manufacturers. SC Media
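What the SBOM requirement buys a device maker, or a hospital’s security team, is a machine-readable inventory that can be re-checked against vulnerability advisories every time one is published, rather than audited once at submission. The following is an added example, not code from this article, FDA or any device vendor, showing such a check over a small CycloneDX-style SBOM; the SBOM contents, the advisory list and the ‘EXAMPLE-…’ identifiers are constructed for illustration, and a real check would query a vulnerability database by each component’s package URL (purl) instead of a hard-coded list.

```python
"""Check a CycloneDX-style SBOM against vulnerable version ranges.

Added example for the premarket SBOM requirement; it is not code from the
article, FDA or any device vendor. SAMPLE_SBOM, ADVISORIES and the
EXAMPLE-* identifiers are constructed for illustration only.
"""
import json

# Constructed SBOM for a hypothetical device firmware. Field names follow the
# CycloneDX JSON layout (bomFormat / specVersion / components / purl).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "firmware",
                               "name": "example-infusion-pump-fw",
                               "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "libcurl", "version": "7.81.0",
         "purl": "pkg:generic/libcurl@7.81.0"},
        {"type": "library", "name": "sqlite", "version": "3.36.0",
         "purl": "pkg:generic/sqlite@3.36.0"},
        {"type": "library", "name": "mbedtls"},   # constructed: no version pinned
        {"type": "operating-system", "name": "freertos", "version": "10.4.3"},
    ],
})

# Constructed advisories: component name, first affected version (inclusive),
# first fixed version (exclusive). The IDs are hypothetical, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "zlib", "introduced": "0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0002", "name": "libcurl", "introduced": "7.7", "fixed": "7.80.0"},
    {"id": "EXAMPLE-0003", "name": "sqlite", "introduced": "3.0.0", "fixed": "3.35.0"},
]


def parse_version(v):
    """'1.2.11' -> (1, 2, 11); non-numeric suffixes in a segment are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, comparing dotted versions numerically."""
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    n = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (n - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def check_sbom(sbom_json, advisories=ADVISORIES):
    """Return {'vulnerable': [(name, version, advisory_id)], 'unpinned': [names]}.

    Unpinned components (no version) are reported separately: an SBOM that
    cannot say which version is installed cannot be checked at all, which is
    itself a finding for a premarket submission.
    """
    sbom = json.loads(sbom_json)
    vulnerable, unpinned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unpinned.append(name)
            continue
        for adv in advisories:
            if adv["name"] == name and version_in_range(version, adv["introduced"], adv["fixed"]):
                vulnerable.append((name, version, adv["id"]))
    return {"vulnerable": sorted(vulnerable), "unpinned": sorted(unpinned)}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Matching on the bare component name is the weak point of this toy: two different projects can share a name, so production tooling keys advisories on the purl (type, namespace, name and version) and treats a component with no purl the same way this example treats one with no version.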

News roundup: DDoS attacks may be ‘smokescreen’, DEA slams Truepill with ‘show cause’, telehealth claims stabilize at 5.4%, Epic squashes patent troll, Cerner meeting exits KC, MedOrbis, Kahun partner on AI intake

Readers won’t get out of 2022 without one last cybercrime…article. DDoS attacks–distributed denial of service–escalated worldwide with Russia’s invasion of Ukraine in February. (Ukraine and military aid is a hot topic this week with President Zelenskyy’s visit to the US and Congress speech.) Xavier Bellekens, CEO of Lupovis, a cybersecurity company and a cyberpsychologist (!), postulates that DDoS attacks, as nasty as they are, may be a smokescreen for far more nefarious and damaging attacks. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks are taking place. Russian cyber groups focus on large organizations and move down the line into the most vulnerable, using both manual and automated approaches. Worth reading given the vulnerability and IT short staffing in healthcare organizations. Cybernews

The fallout from Cerebral and Schedule 2 telehealth misprescribing expands. The Drug Enforcement Administration (DEA) issued a ‘Show Cause’ order to online pharmacy Truepill for inappropriate filling of ADHD Schedule 2 medications, including Adderall. A ‘Show Cause’ order is an administrative action to determine whether a DEA Certificate of Registration should be revoked, which could put Truepill out of business. The red flag for the DEA: 60% of Truepill’s prescriptions–72,000–filled between September 2020 and September 2022 were for controlled substances, including generic Adderall. Truepill was Cerebral’s primary mail order provider, though Cerebral also used CVS and Walmart. The company stopped filling Cerebral’s ADHD prescriptions in May 2022.

In the order, the DEA cites that “Truepill dispensed controlled substances pursuant to prescriptions that were not issued for a legitimate medical purpose in the usual course of professional practice. An investigation into Truepill’s operations revealed that the pharmacy filled prescriptions that were: unlawful by exceeding the 90-day supply limits; and/or written by prescribers who did not possess the proper state licensing.”

The company stated in an emailed statement that they were fully cooperating with the investigation. If it does move to a hearing, Truepill’s chances of a successful defense are statistically low.

Truepill also fills prescriptions for Hims & Hers, GoodRx and Mark Cuban Cost Plus Drug Company. It was valued in its 2021 funding round at $1.6 billion. Companies in telemental health and prescribing of Schedule 2 ADHD medications, such as Cerebral and Done Health, are under enhanced scrutiny over their business practices [TTA 1 June]. Mobihealthnews, DEA press release, HISTalk, Digital Health Business & Technology

Telehealth medical claims stabilize. FAIR Health’s latest reports for August and September show that the percentage of medical claims coded as telehealth is back up to 5.4%. June and July had dropped slightly to 5.2% and 5.3% respectively. Also steady: the vast majority of claims are for mental health services. In September, they were 66% of diagnoses, far ahead of ‘acute respiratory diseases and infections’ at 3.1%. In procedure codes, psychotherapy accounts for over 43%.

A patent troll Epically bites the dust. Back in the early to mid-2010s [TTA’s index here], patent trolls (technically non-practicing entities which have no active business) presented a significant threat to early and growth-stage health tech companies. One, MMR Global (which apparently no longer exists), was notorious for buying up EHR and PHR-related patents and then filing patent infringement lawsuits against both small and large healthcare organizations with similar patents–and their users–that were generally monetarily settled. But NPEs are still active. One in south Florida, Decapolis Systems, used the same techniques as MMR Global had, suing in this case multiple Epic customers for patent infringement. Epic not only defended its customers but also sued Decapolis in the US District Court, Southern District of Florida. The court found that both Decapolis patents were invalid, ending what Epic termed ‘vexatious patent litigation’. Decapolis had successfully sued 24 other entities, including other EHRs, which settled. Owned by an inventor, this company will have to find another line of honest business. Epic release, Thomson Coburg

Oracle’s message to Kansas City: no more Cerner meetings for you. And maybe more. Cerner’s annual customer/partner conference has been held in Kansas City since 2007, attracting about 14,000 visitors. Not only will it be integrated into Oracle CloudWorld in Las Vegas, 18-21 September, it has been retitled Oracle Health with no mention of Cerner. The loss to local KC business is substantial, estimated to be in the $18 million range. While it’s logical to integrate it into the massive CloudWorld conference, it’s also another message to KC, after Oracle’s sudden real estate downsizing, that Cerner’s presence there will shrink…and shrink…as it’s absorbed into Oracle Health, and further confirmation that the Cerner name is gradually being sunsetted. KansasCity.com, HISTalk

A new (to this Editor) specialty care telehealth company, MediOrbis, is partnering with Kahun for an AI-enabled digital intake tool. This is a chatbot capable of conducting an initial medical assessment. Based on the patient’s answers and Kahun’s database of about 30 million evidence-based medical knowledge insights, it provides a summary for the physician before the telehealth visit and highlights areas of concern. Mobihealthnews  MediOrbis also has partnered with remote care/engagement Independa to add its capabilities to Independa’s HealthHub on their LG TVs.

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners’ buy of Watson Health from IBM closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” across health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy, formerly CEO of eSolutions, a Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex, and Merge Imaging 
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader, now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI

To use a cliché, what a difference a year makes. In March 2021, insurtech Oscar Health successfully raised $1.4 billion in its IPO with shares at $39. Heady times didn’t last long, with shares tumbling to $5.67 as of this writing. Now the shareholder lawsuits have begun, with the complaint stating that negative effects of COVID-19 on Oscar’s business were not disclosed, specifically the growing cost to Oscar of covering pandemic testing and treatment, and that “Oscar would be negatively impacted by an unfavorable prior year Risk Adjustment Data Validation (RADV) result relating to 2019 and 2020 [and] that Oscar was on track to be negatively impacted by significant SEP membership growth”. The lack of forward-looking disclosure at an IPO is a violation of the Securities Act. The initial lawsuit has been filed in the US District Court for the Southern District of New York by shareholder Lorin Carpenter. Multiple law firms have invited shareholders to join the suit; example from PR Newswire. Also named in the suit are Oscar Health co-founders CEO Mario Schlosser and Vice Chairman Joshua Kushner, plus several investment banks.

Oscar started the year with a Q1 loss of $0.36 per share versus an estimate of a loss of $0.40, but this is less than half of last year’s loss of $0.98 per share. They are also exiting the Arkansas and Colorado markets in 2023. Healthcare Dive

Cardiologist, master cybercriminal, a new Dr. Mabuse? Accused of the creation, use, and sale of ransomware is one Venezuelan doctor and practicing cardiologist, Moises Luis Zagala Gonzalez, a dual citizen of Venezuela and France. The charges by the Department of Justice (DOJ) in the Eastern District of New York also detail his “extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.” SaaS can’t hold a candle to the RaaS–ransomware-as-a-service–operation he created to sell what he dubbed ‘Thanos,’ allegedly named after a fictional cartoon villain responsible for destroying half of all life in the universe. Turns out that Iranian state-sponsored hackers and fellow ransomware designers really liked it too. If convicted, he faces 10 years in Club Fed–five years for attempted computer intrusion, and five years for conspiracy to commit computer intrusions. Designing criminal software really does test the limits of moonlighting. DOJ release, TechCrunch

Change Healthcare sues former employee at competitor Olive AI. While its merger with UnitedHealthcare is tied up in the US District Court in DC [TTA 23 Mar], Change Healthcare is not letting any courtroom grass grow under its feet. It is suing a former employee, Michael Feeney, for violating the non-compete clauses of his employment contract. The suit was filed in Tennessee Chancery Court, Change’s HQ state. Mr. Feeney has countersued in his state of residence, stating that the non-compete violates Massachusetts law. He was VP, strategy and operations at Change, handling physician revenue cycle management. At Olive AI, he is currently SVP, provider market operations. Information is a bit scarce on this, and the free article this Editor has found reads machine-translated. If you have access to the Nashville Post or Modern Healthcare it’s probably more decipherable.

As to the lawsuit affecting non-competes due to the tight labor market–don’t count on it. It’s a conflict between the state the company is in enforcing non-competes, versus a state which restricts (or negates) them that is the former employee’s state of residence and work. What wins out will be the interesting part and affect many of us in the US.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics: international hackers inserting ransomware into compromised systems and demanding millions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. A steady drumbeat, despite many efforts to secure against outside attacks and continuously monitor systems, because there are still plenty of legacy devices floating around hospitals and clinics running outdated software with their factory default passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program, which aids missing people and their families, unaccompanied or separated children, detainees, and others affected by armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts. In addition, login information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach in which the hacker accessed patient billing information with the intent of rerouting payments from the hospital to themselves. In the process, the hacker gained access to names, dates of treatment, treatment codes and costs, but not the jackpot of SSI and other financial information. The article does not disclose whether payments were successfully redirected. Becker’s Health IT

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware: 34 percent suffered a ransomware attack, 65 percent confirmed the attacks encrypted their data, but only 69 percent reported that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices: a continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this, as it’s been an issue this Editor’s written about since (drumroll) 2013, when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.