Health savings account (HSA/FSA) provider HealthEquity had a three-month breach that compromised 4.3 million member accounts. The breach originated with an undisclosed third-party vendor, in a pattern that has become familiar. According to HealthEquity’s filing with the Maine attorney general (though HQ’d in Utah), the breach occurred in that vendor’s “unstructured data repository” at HealthEquity, outside of their core systems, after the hacker stole the password out of a vendor user account. Unfortunately for HealthEquity, the hack that started in March wasn’t discovered until 26 June, giving the hacker free rein in that database for three months. What’s surprising is that the breach wasn’t worse.
HealthEquity is a third-party administrator for companies of FSA/HRA, Commuter, COBRA, and Lifestyle plans.
The Maine AG filing states that information stolen may include customer names, addresses, phone numbers, their Social Security number, information about the person’s employer, benefit type, diagnoses, prescription details, the person’s dependent (if any), and some payment card information. With HealthEquity claiming 15 million+ members, the breach affects a substantial 29% of its membership. Actions they are taking are to notify members and provide them with credit monitoring services through Equifax with a reference guide. HealthEquity notification page, TechCrunch, HealthcareITNews
CrowdStrike’s antivirus software update that went waaaay sideways continues its fallout. As most know, it happened when they pushed an update and patch to Falcon, a cloud-based anti-cyber attack product that uses AI to detect intrusions. Well, Falcon’s AI wings were fractured on that 19 July push where testing was apparently lacking. BSOD became their new thing. What made the news was the devastating effect on 8.5 million Windows devices, only about 1%–on Delta Air Lines’ aircraft scheduling and the shutdown of many systems such as 911 and police within cities and states, but apparently a curtain was drawn around the healthcare bed. EHRs were affected at major systems such as Kaiser Permanente, Providence, Henry Ford Health, Nationwide Children’s Hospital, the Dana-Farber Cancer Institute, Mass General Brigham, RWJBarnabas Health, Penn Medicine, and Seattle Children’s Hospital, causing postponements of medical procedures. At Providence, it totaled 15,000 of the organization’s servers, as well as about 40,000 of its 150,000 computers. It was the equivalent of a cyberattack without being a cyberattack. According to industry analyst Parametrix, US Fortune 500 companies (excluding Microsoft) lost a total of $5.4 billion. MedCityNews
With this kind of devastation, it’s no surprise that these companies and the government are rethinking their approach to cloud computing. They’re very concerned about the oligopoly of three providers: Google, Microsoft, and Amazon. Microsoft has 40% of the cybersecurity market with CrowdStrike 15% concentrated in larger organizations.“We’re reaching the point where over-centralization makes us less ‘healable,’ and less resilient,” Robert Thomas, owner of cybersecurity company 180A Consulting said. “We’re losing our resiliency as a nation.” Systems are still not back up and neither is the CrowdStrike stock. Rumors do persist that they were hacked. Epoch Times Microsoft also published a recovery tool for IT administrators to expedite the repair process. FierceHealthcare
The House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing on 22 July had some further flak-gathering from committee members. Most of the criticism concentrated on the joint MHS/VA rollout at Lovell Federal Health Care Center and the amount of work it required to get the Oracle Cerner EHR to work mostly right. While VA and Oracle leaders insist that Lovell went better than anyone expected, the resources used at Lovell cannot be duplicated at the remaining VA facilities. VA is already facing a $15 billion shortfall for FY 2024 and 2025. The Lovell center had a persistent problem in processing prescriptions, with 60% going unfilled. In member Sheila Cherfilus-McCormick (D-Fla.) words, “I think we are far from ready to endorse further go-live activities. The two departments threw more resources at this go-live than will ever be available at any future VA facility.” Healthcare Dive Earlier coverage TTA 24 July
The UK women’s health app Flo is now a unicorn. Their Series C of $200m (£156m), funded solely (and unusually) by General Atlantic, put them at a valuation of over $1 billion. Their total funding is $275 million. Two General Atlantic executives will be joining Flo’s board, Tanzeen Syed, managing director, and Jessie Cai, principal. Flo helps users track ovulation and menstrual periods, enabling calendaring of fertility, and monitoring of over 70 symptoms. It also assists with pregnancy health guidance. The raise will be used to expand into new user segments including perimenopause and menopause. Its current base is 70 million monthly active users (MAUs) and close to 5 million paid subscribers. Flo is marketed in 66 countries, including the US, India, Indonesia, and Nigeria, with centers in Lithuania and the Netherlands. Release, UK Tech News
Funding/M&A wrap:
Clarapath, a medical robotics developer based in White Plains, NY, scored $36 million in a Series B-1 funding round from Northwell Ventures with participation from new investors Ochsner Ventures, CU Healthcare Innovation Fund, and Mayo Clinic. Clarapath automates pathology lab work. Its SectionStar platform sections biopsy tissue with improved accuracy. It is pre-revenue with a total of $75 million in funding. Axios, Mobihealthnews
CoachCare, a remote patient monitoring/virtual health monitoring developer for practices and health systems, added $48 million in an unlettered venture round funding led by Integrity Growth Partners with participation from Topmark Funding. The platform combines software and connected devices with outreach for RPM, chronic care management, and other virtual care for about 150,000 patients. Funding to date is $49 million. It has acquired four companies in the past year: NVOLVE, CareSpan Health, Alertive (formerly part of Carbon Health), and WebCareHealth. Release, Mobihealthnews
Another virtual care company, AvaSure, is acquiring Ouva’s smart hospital room solutions. Ouva has been partnering with AvaSure to supply AI-enhanced care automation technology. The acquisition will expand the ambient AI capabilities of AvaSure’s Intelligent Virtual Care Platform and double in-house AI engineering resources. AvaSure’s primary market is hospitals. Ouva will continue as a separate company with its pediatric and wayfinding business. Cost is not disclosed. Release, HIStalk 7/31
Most Recent Comments