Class action by pharmacists, providers ramps up against Change Healthcare/UnitedHealth Group

More litigants in a legal pile-on in Minnesota. The National Community Pharmacists Association (NCPA), with 19,000 pharmacy members, and around 40 providers have filed suit against UnitedHealth Group, Optum, and Change Healthcare in the US District Court for the District of Minnesota. The 140-page document charges that UHG/Optum/Change had substandard network security in their clearinghouse operations, leading to the Blackcat/ALPHV breach, and that the plaintiffs might have chosen another clearinghouse and revenue cycle management platform had they known this. The pharmacists and providers all suffered monetary damages from the outage that are still unresolved.

From the press statement, NCPA CEO B. Douglas Hoey: “NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies. Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy. The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.” He also pointed to the pharmacies’ losses remaining unpaid, financial losses, and taking losses for vulnerable patients with high-cost prescriptions.

According to Healthcare Dive, the multiple lawsuits against UHG must be centrally filed in Minnesota, as ordered by a Federal judicial panel, since UHG is headquartered there. Nothing will move quickly, as class action suits typically take two or more years to be heard and then appealed.

Change started its HHS-OCR mandated process of notifications around 20 June with hospitals, insurers, and other customers. Individuals and practices were not scheduled to be notified until late July but no date has been announced. The Change website also contains a very carefully worded ‘HIPAA Substitute Notice’ that reads like a consumer data breach notification. TTA 21 June

News roundup: UHG’s cyberattack hit now $2.3B, Senate bill on cyberattacks intro’d, VA’s AI tech sprint awards, AliveCor’s new CPT codes

UHG reported earnings, profit reduced by $1 billion due to Change Healthcare cyberattack costs. On Tuesday 16 July UnitedHealth Group reported Q2 (ending 30 June) earnings of $98.9 billion, up $6 billion or 7% versus Q2 last year. Profit though didn’t move the same way, instead taking a hit at $7.9 billion, down from last year’s $8.1 billion. Despite strong performances in the UnitedHealthcare and Optum units, the drag from the Change Healthcare cyberattack is now estimated at an additional $1 billion from last quarter’s guesstimate, now at $2.3 billion. Also affecting the profit bottom line is inflating healthcare costs that are reflected in rising medical loss ratios (MLRs). Change is also obliged to do the patient notification which will start by the end of this month [TTA 21 June], having already started notifications of hospitals, providers, insurers, and other customers. Release, Healthcare Dive

But hey, now the Senate has a bill to coordinate agencies with the purpose of reducing those darn cyberattacks. The Healthcare Cybersecurity Act, sponsored by Senators Jacky Rosen (D-Nev.), Todd Young (R-Ind.), and Angus King (I-Me.), would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity. One important change would be creating an HHS liaison within CISA to coordinate incident response specifically for healthcare entities. An earlier version introduced by Sen. Rosen in 2022, S. 3904 (117th Congress), never made it into committee.  Sen. Jacky Rosen release, Healthcare Finance   But aren’t there other agencies involved in cyberattacks and ransomware like the FBI and the Department of Justice? And international agencies like the NCA and Europol since so many come from the darker parts of Europe and Asia? (The devil’s in the details…)

The Department of Veterans Affairs (VA) is taking a modest dip into the AI ocean. The award late last week of pilots for an AI-assisted healthcare dictation tool went to Abridge AI and Nuance Communications. The non-competitive, fixed-price contracts are as a result of the two companies winning the first track of the VA’s AI Tech Sprint which launched last October. The tools are designed to generate transcriptions from ambient recordings of patient encounters within specialty care, mental health care, and primary care settings, as well as integrating into the Oracle Cerner EHR. The notice does not specify start or end date. There is also a second sprint around developing an AI system to process documents generated in patient-provider encounters and other complex medical documents for continuity of care and sharing information with VA providers. FedScoop

AliveCor received CPT codes applicable to the company’s Kardia 12L ECG System. The Category III Current Procedural Terminology (CPT) codes are assigned by the American Medical Association (AMA).  The 12-lead system a few weeks ago gained FDA clearance for the combination of the Kardia 12L ECG System (left), a single cable with five electrodes that acquires 8 high-quality diagnostic bandwidth leads, with their KAI 12L AI-assisted diagnostic technology for clinician use only. The three new codes will be effective 1 January 2025 and will be published in the 2025 CPT Code book. Release

Follow up roundup: Amwell to reverse stock split to avoid delisting (updated), Amazon Clinic folded into One Medical, Amedisys divesting to close UHG deal, latest on Steward Health’s antics and $7M spying, Masimo’s shareholder fight (latest)

Amwell will reverse stock split to fix their pending delisting on the NYSE. The board of directors approved on 28 June a 1 for 20 reverse split. This will remedy their non-compliance with NYSE regulations requiring an average closing price of above $1.00 over a consecutive 30 trading-day period [TTA 5 Apr]. Shareholders approved the move at their meeting on 18 June. The NYSE notice was given on 2 April and the reverse split will happen at the market open on 11 July, well within the six-month window. Amwell Class A shares closed yesterday at $0.27 so that condensing 20 shares will bring the share price around $5.40. Amwell’s 2024 is forecast with revenue in the range of $259 to $269 million and adjusted EBITDA in the (less) red between ($160) million to ($155) million, with no breakeven in sight until 2026. Their Q1 posted a $73.4 million net loss. Amwell has also released 10% of staff since the palmier days of 2023. Amwell, like Teladoc, continues to struggle in a stand-alone urgent care model that is now obsolete. Release, Healthcare Dive

Update 11 July: Amwell shares opened today at $6.52, and as of midday were trading at $7.51. So short term, the reverse split is working to plump up the shares.

Amazon says goodbye to Amazon Clinic by folding it into One Medical. This should come as no surprise to Readers who noted the  May departure of Clinic’s general manager Nworah Ayogu, MD to VC Thrive Capital with no replacement or search. Amazon’s announcement on 27 June was typically upbeat in renaming the service as One Medical’s Pay-per-visit telehealth. The improvements they claim are:

  • Pay-per-visit telehealth for 30+ common but minor conditions, like pink eye, the flu, or a sinus infection
  • A One Medical monthly or annual membership plan that includes on-demand virtual care and same or next-day appointments at 150+ One Medical primary care offices
  • More affordable–messaging/asynchronous visits are now $29, formerly $35, and video visits at $49, formerly $75. 

The catch–existing Clinic members have to log into One Medical to access their records and the service. Amazon is also propping up One Medical through Prime membership, offering a better deal at $99/year and non-Prime individuals for $199 per year. Amazon does not disclose users, growth, or revenue for either Clinic or One Medical. Healthcare Dive

The long-delayed UnitedHealth-Amedisys home health deal moves closer to closing. Amedisys and UHG’s home health operation under Optum will be divesting some of their locations to VitalCaring Group to avoid Department of Justice anti-trust concerns. The divestiture is contingent on the acquisition closing, now projected in second half of this year. The number of locations was not disclosed though earlier speculation had estimated it at 100. UHG’s offer to acquire Amedisys was made in June 2023 for $3.3 billion in an all-cash deal. It would be additive to its earlier $5.4 billion buy of LHC Group, now part of Optum. With the divestiture, analysts do not see any impediments to a closing, though it had faced opposition in Oregon in March and DOJ opposition since it was announced. This Editor remains sanguine about a successful closing. After UHG won versus DOJ in the Change Healthcare acquisition, “DOJ has a long memory, a Paul Bunyan-sized ax to grind, and doesn’t like losing.” Expect a few more impediments tossed in their direction over the next months. FierceHealthcare , Zack’s Research

The latest episodes in the continuing soap opera of Steward Health involve both Optum and James Bond moves on their critics. Optum had offered back in March to buy their practice groups under Stewardship Health, which stalled with first the Massachusetts Health Policy Commission (HPC), then their bankruptcy. That offer is now off, leaving Steward in the lurch. It was critical to $75 million of Steward’s debtor-in-possession (DIP) financing as recently as 13 June [TTA 14 June]. The deal would have been problematic anyway for Optum as they are under DOJ scrutiny not only for Amedisys but also because Optum controls or has arrangements with 10% of US physicians, 90,000 to date. Healthcare Dive They also settled recently with DOJ for $20 million on Optum Rx’s filling orders from a mail-order pharmacy in Carlsbad, California between 2013 and 2015 for Schedule II drugs: opioids, benzodiazepines, and muscle relaxants. Healthcare Dive

Adding to Steward’s piles of misery are the latest revelations that Steward financed a $7 million spy operation on their critics. This loony aspect to the Steward endgame involved contracting with UK investigators on surveilling a critical former executive, a British financial analyst, and a Maltese politician to find compromising actions between 2018 and 2023. The investigations were allegedly authorized and prioritized by Steward’s top executives while Steward struggled to pay bills for its hospitals and practices. Payments to the investigators were routed through Steward’s Malta operation against their critics in Malta and elsewhere. Steward at the time was embroiled in a dispute around their management of hospitals in Malta, which was eventually investigated and terminated by a Maltese court last year.

One example: the UK firm Audere “collected embarrassing personal information and photographs of a former Steward employee after Steward feared he would leak financial information to its auditor.” Another was the investigation and harassment of a British financial analyst, Fraser Perring, critical of Steward’s actions in its dealings with Medical Properties Trust (MPT). He was followed, his home CCTV was disabled, his home was broken into, family members and his partner were followed. Perring was also being smeared on Twitter through an account set up by Audere. There is much more on this in OCCRP’s report, published (paywalled) in the Boston Globe and Times of Malta. OCCRP’s full report and findings are here. FierceHealthcare

Electronics, audio, and medical device company Masimo continues to fight a hostile activist investor, Politan Capital Management. In December 2023, Masimo notched a significant win via the International Trade Commission versus Apple’s Series 6 and later Watches that forced Apple to disable its pulse oximetry (SpO2) sensors and software that violated Masimo’s smartwatch patents [TTA 28 Dec 2023]. Politan descended on Masimo in April accusing CEO and chairman Joe Kiani and others of mismanagement, including the 2022 acquisition of Sound United’s audio brands. It won two seats on the Masimo board of directors at the last shareholders’ meeting and is demanding two more seats at this year’s meeting on 25 July which would give it effective control.

The latest in the proxy fight is that the chief operating officer, Bilal Muhsin, will depart after 24 years at Masimo if Joe Kiani is forced out. The brief conditional resignation was sent to Masimo’s lead independent director, Craig Reynolds. Mentioned in the resignation was that he would refuse to work with Quentin Koffey, a Masimo director and chief investment officer of Politan Capital. More letters like this may be coming as reportedly Masimo management has urged employees to sign similar letters. Strata-gee, MedTech Dive  

Politan was the investment group that upended Centene Corporation and ousted most of Centene’s board plus 25-year CEO Michael Neidorff in 2022 shortly before his death on 7 April 2022 [TTA 18 Dec 2021].

Update: 300 engineers in Masimo’s healthcare division expressed specific support for Joe Kiani against Politan and Quentin Koffey in an open letter. “We wish to convey our deepest concern if Quentin Koffey and Politan Capital take control and Joe Kiani is removed. We are committed to Masimo because of the vision and innovation he pushes and drives us to deliver. The prospect of losing our founder and CEO threatens to derail the progress we have made and jeopardize the future of Masimo.” They also expressed that they may leave. “We, the undersigned from Masimo Healthcare Engineering, wanted you to be aware that we may not continue with the company if Joe Kiani is replaced by Quentin Koffey and Politan Capital.” This follows on other letters written by international regional managers and presidents in June also stating their support and warning that they may leave if Kiani leaves. The annual shareholder meeting is scheduled for 25 July.   MedTech Dive

However, Masimo is also embattled on other fronts: earlier in June, DOJ and FDA announced their investigation of problems with their Rad-G and Rad-97 SpO2 devices leading to a recall and the SEC is investigating potential accounting irregularities and internal control deficiencies. MedTechDive

Week-end short takes: Change Healthcare/UHG breach notification starting (updated); fundings for Pomelo Care, Marigold Health, Humata Health

Change Healthcare finally starting notifications, but not yet to consumers. A press statement today from Change/UnitedHealth Group confirmed that the long process of notifications has started with hospitals, insurers, and other customers. Individuals and practices will not be notified until late July. Change confirmed that the Blackcat/ALPHV cyberattack exposed names, addresses, health insurance information, and personal information like Social Security numbers, but at the individual level investigation isn’t finalized. At this point, they have reviewed over 90% of impacted files and have not seen signs that doctors’ charts or full medical histories were taken. Technically, UHG has made the 21 June deadline stated in the Hassan/Blackburn Senate letter [TTA 19 June] but not within the 60-day HHS-OCR window, which opens them up to an HHS fine. After paying a cyberransom of $22 million in bitcoin and uncounted (to us) millions in rebuilding systems, HHS’ fine may look like the lesser cost of doing business. The Change website also contains a very carefully worded ‘HIPAA Substitute Notice’ that reads like a consumer data breach notification. AP via Yahoo! News UK   One wonders if there’s a fair amount of ‘buyer’s regret’ going on at UHG in fighting so hard to buy Change. Due diligence would have helped over that year-plus.

Update: The Centers for Medicare & Medicaid Services (CMS) announced earlier this week that the provider financial assistance program will be ending 12 July as billing activities have largely resumed. It has advanced over $2.55 billion in payments to Medicare Part A providers and $717.2 million to Part B providers. FierceHealthcare

Fundings this week:

Virtual maternity support platform Pomelo Care scored $46 million in Series B funding. Lead investors are Andreessen Horowitz (a16z) and First Round Capital with participation from Stripes, BoxGroup, Operator Partners, and SV Angel. Pomelo’s markets for virtual fertility, pregnancy and newborn care from preconception through a baby’s first year services are employers, health plans and providers. The company claims 3 million covered lives across 46 states through their commercial and Medicaid health plan partners. Release, Mobihealthnews

Telemental health provider Marigold Health now has an $11 million Series A. Marigold is structured as an anonymous social network where people with mental health and substance use conditions provide peer-based support. Lead investors for the Series A are Rock Health and Innospark Ventures. Additional participants are the Commonwealth Care Alliance (CCA), Wavemaker360, Stand Together Ventures Lab, Epsilon Health Investors, Koa Labs, VNS Health Plan and KdT Ventures. Their substance use disorder (SUD) programs are currently available to 25,000 members in Delaware, Rhode Island, and Massachusetts. The new funding will be used for expansion to at least four additional states by the end of 2025. Release (Marketwatch), Mobihealthnews

Humata Health, which has developed AI-based technology to automate prior authorizations for payers and providers, closed an unlettered $25 million funding round. Lead investors are Blue Venture Fund (representing the majority of BCBS plans) and LRVHealth (representing nearly 30 health systems and payers), with participation from Optum Ventures, .406 Ventures, Highmark Ventures, and VentureforGood. The funding will be used to broaden its generative AI technologies, expand their provider base, and begin to partner with payers and delegated entities. Humata bought the base prior authorization technology from Olive AI out of its bankruptcy [TTA 31 Oct 2023]. Its founding chairman and CEO is Jeremy Friese, MD, who had been Olive AI’s president for their payer business after selling Verata Health, also in the prior authorization automation area, to Olive.  Release, FierceHealthcare

News roundup: VA extends Oracle Cerner for 11 months; Amwell founders swap jobs; Alphabet’s Verily pivots to Lightpath with GLP-1, retiring Onduo; UnitedHealth hasn’t notified on Change breach

To no one’s surprise, the Department of Veterans Affairs (VA) extended its contract with Oracle Cerner for another 11 months. This is per the new contract relationship that started last year, resetting from the original five-year contract that started in 2018 to five one-year terms, with mandatory annual reviews and renewals [TTA 18 May 2023]. Technically, the contract expired in May but VA extended it for one month as discussions continued over the next one-year term. This second option period expiring May 2025, according to the VA release, is focused on the following for the EHR modernization (EHRM):

  • Supporting the existing six facilities with the Oracle Cerner EHR
  • Achieving the goals of the reset and driving towards future deployments
  • Increased accountability across a variety of key areas, including minimizing outages and incidents, resolving clinician requests, improving interoperability with other health care systems, and increasing interoperability with other applications to ensure an integrated health care experience
  • Supporting value-added services, such as system improvements and optimizations
  • Achieving better predictability in hosting, deployment, and sustainment
  • Fiscal responsibility 

The plan is to resume site deployments in FY 2025, likely in year 2025, after reset goals are met. Seema Verma, Oracle Health’s new executive vice president and general manager, said that “VA’s intent to resume deployments in the next fiscal year is a significant milestone that reflects the hard work our collective teams have done to improve the system today, as well as confidence in our shared ability to continually evolve the EHR over time to meet the needs of both practitioners and patients.” NextGov/FCW, FierceHealthcare, Healthcare Dive, Oracle release

Is there much choice for the VA in the matter? Not really. VistA can be updated but remains non-interoperable with the Military Health System’s (MHS) Cerner-Leidos EHR. But can Oracle Cerner be fixed up and debugged to work for VA’s vastly different needs and smoothly deployed within the contract duration? That jury is still out in the view of the VA and Congress.

The Brothers Schoenberg swap positions at Amwell. Roy Schoenberg, MD, MPH, will transition immediately from his role as president and co-CEO to move to executive vice chairman of Amwell’s board of directors. Ido Schoenberg, MD, will become the sole CEO. The brothers co-founded the company in 2006. Ido’s quote closing the release is interesting in demonstrating the shift from investment without profits to getting on the path to profitability:  “This transition represents a natural evolution for our company as we shift from a period of intense R&D investment to an operational focus aimed at achieving greater efficiencies, optimizing cash flow and delivering profitable growth while maintaining our dedication to enabling our clients’ aspirations.” Roy is credited with developing Converge which is their next-generation integrated platform. If Teladoc is finding it difficult to transition from the stand-alone, transactional, urgent care service they and Amwell pioneered, into an evolved market that has incorporated virtual capabilities into multiple types of care models, whither Amwell’s future? More thoughts in TTA 2 May, 9 April

Alphabet (Google)’s once-visionary Verily now jumps on the GLP-1 bandwagon with Lightpath. Verily’s latest pivot to the highly trendy weight loss area is termed as a metabolic solution as part of a “personalized chronic care solution for health plans and members”.  Lightpath will start as Lightpath Metabolic, a four-part program that includes Metabolic Intensive (diabetes management), Weight Loss Intensive, Metabolic Improvement, and Metabolic Achievement. The Verily platform integrates data from health records, connected devices, and other care points to deliver “personalized pathways, suggestions, and nudges to health plan members” virtually along with health coaches and an advanced licensed clinical team. The current virtual chronic care management platform, Onduo, will be retired by 2025.

Once upon a time (2021, sigh), Verily was Google’s skunk works for advanced health tech with Google Health being the marketing and merchandising arm for clinical and consumer products. Google Health was broken up in August 2021 and Verily faded into the Alphabet background with the occasional joint venture and clinical pilots, with Onduo being their most marketable product. Google seems to have little direction for Verily other than to keep it alive. And given the competition plus a greater understanding of the long term effects of the GLP-1 drugs in the weight loss area, the GLP bandwagon is up for a shaky ride in the next year. Release, FierceHealthcare

And very strangely, UnitedHealth Group hasn’t notified Health and Human Services’ Office of Civil Rights (HHS-OCR) about the ransomware data breach at Change Healthcare, nor the individuals affected. The notification to OCR is required under HIPAA to be within 60 days of the date of the incident. UHG is over the deadline by two months, calculating from 21 February. CEO Andrew Witty wilted before double-barreled Senate and House hearings in May and UHG lost a fight to put the notifications for the breach onto providers [TTA 5 June]. Senators Margaret Wood Hassan (D-NH) and Marsha Blackburn (R-TN) sent a joint letter on 7 June to Andrew Witty, CEO of UnitedHealth Group, urging him to send a breach notification letter that notifies OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities, individuals and businesses affected, by 21 June. That’s Friday. UHG continues to maintain that they still do not know the extent of the breach. The Medical Group Management Association (MGMA) also sent a letter to Mr. Witty on 12 June. Don’t hold your breath for UHG sending millions of letters. Becker’s, HealthExec

News roundup: UHG CEO’s Bad Day at Capitol Hill; Kaiser’s 13.4M data breach; Walgreens’ stock beatup; Cigna writes off VillageMD; Oracle Cerner shrinks 50%; Owlet BabySat gets Wheel; fundings for Midi, Trovo, Alaffia, Klineo

It was a Bad Day at Boot (Capitol) Hill for UnitedHealth Group’s CEO Andrew Witty. On May Day, he was the Man In The Arena facing two Congressional grillings–the first from the Senate Finance Committee in the morning, and the second in the afternoon from the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. The precipitating event was the Optum/Change Healthcare data breach and system hacking by ALPHV/BlackCat, a disruption which is as of today not fully resolved.  Millions of patients may have had data stolen and exposed–a number that has yet to be determined, but an outcome for which UHG, while paying the ransomwaristes, has prepared. Already, the VA has notified 15 million veterans and families of that possibility.

This Editor will be linking below to multiple articles and Mr. Witty’s prepared testimony. Interested Readers can also refer to YouTube for extensive links to video testimony. Highlights:

  • Both houses criticized the slow response and amount of financial assistance given to providers after the shutdown of Change’s systems prevented (and still is preventing) timely claims processing and payment. While ‘near normal’ volumes of medical claims and 86% restoration of payment processing sounds good, that leaves a lot of wiggle room on over two months of totally disrupted processing and payment. The billion or so cited sounds impressive but much of this is in loans. Most practices and groups simply do not have the financial cushion or billing skillset to bridge this disruption, to pay back loans, or to bookkeep this.
  • Also criticized at this late date was UHG being unable to determine how many individuals had PHI exposed in the breach.
  • As to cause, the description of UHG finding that surprise, surprise, Change’s systems were way out of date, stored on physical servers versus the cloud, and used Citrix remote access without multi-factor authentication (MFA) was utterly savaged. According to Mr. Witty, ALPHV after days of knocking around got in on the one server that did not have MFA authentication.

The blunt fact is that UHG had close to two years (January 2021-Oct 2022) before the buy closed. Due diligence consisting of a full audit had to have been done on Change’s IT systems. They processed what UHG wanted to buy. In this Editor’s estimation, Job #1! for UHG should have been ensuring that Change’s systems were hardened, then upgrading to what Mr. Witty called UnitedHealth’s standards. This Editor will go further. A minimum requirement for the sale should have been security hardening. There was time before the closing.

Senator Thom Tillis, R-North Carolina, had the best riposte. He brought a copy of “Hacking for Dummies” to the hearing, highlighting MFA. I doubt he was much moved by UHG now bringing in cybersecurity company Mandiant to both investigate and harden their systems, nor by UHG having to pay ransom, without knowing whose data was compromised.

  • Beyond the breach, UHG was called ‘monopolistic’ by both Republican and Democrat Members. There were calls to break up UHG as not ‘too big to fail’. UHG has grown by acquisition and consolidation of services. As this Editor has speculated, this is likely coming to an end with the new, much more stringent Merger Guidelines. This sentiment paints a large, unmissable target on UHG’s back for aiming FTC’s and DOJ’s missiles. (DOJ also has a huge score to settle with UHG dating back to the failure to block the Change sale.)

By the end of the day, Mr. Witty looked quite the worse for wear–tie and collar askew, slightly sweaty, versus the perfect poses of the various Members. Becker’s, FierceHealthcare, Axios, HealthcareDive    Mr. Witty’s Senate testimony statement, House testimony statement

Speaking of data breaches, Kaiser Permanente reported a big one to Health and Human Services (HHS). This relates to ad tracker information shared with third-party advertisers such as Google, Microsoft, and X. Kaiser used it in secured areas of their website and mobile apps. Information disclosed could be name and IP. Kaiser reported it on 12 April but only disclosed on 25 April that 13.4 million records may have been affected. The ad trackers have since been removed. TechCrunch, FierceHealthcare 

Walgreens stock not recovering. April was WBA’s worst month in five years and May is no better, with the stock muddling around $17.50. The month slid around 18%. Their 52-week high was $33. As of now, CEO Tim Wentworth’s actions such as closing locations and writing down VillageMD haven’t convinced Mr. Market of WBA’s worth, but in fairness it’s early in his tenure. In the Insult to Injury Department, it was revealed that the IRS is seeking to claw back $2.7 billion in unpaid 2014-2017 taxes. Crain’s Chicago Business

Cigna is also writing down its interest in VillageMD. Almost forgotten is that in late 2022, Cigna invested $2.5 billion into VillageMD. They have now written down $1.8 billion of that ‘low teens’ ownership. The planned tie was connecting Village Medical into Evernorth, Cigna’s medical services area. It was also supposed to provide Cigna with an annual return on investment, but one assumes it did not. The writeoff threw Cigna’s Q1 into the red with a net loss of almost $300 million versus a prior year profit of $1.3 billion, despite a strong quarter that grew revenue 23% versus prior year to $57.3 billion. Healthcare Dive

Oracle Health has been successful–in shrinking Cerner by close to half. Records of employment at Cerner’s Kansas City-based operation have declined from 11,900 people in 2022 (Kansas City Area Development Council) to a current 6,400 (internal documents). Cerner itself reported 12,778 local full-time-equivalent employees in 2022. Oracle had multiple layoffs of Cerner affecting Kansas City workers and has consolidated multiple office buildings and campuses. Becker’s

In more cheerful news:

Baby monitor Owlet announced a strategic partnership with Wheel for Owlet’s BabySat. BabySat is Owlet’s FDA-cleared prescription vital signs monitor for infants 1-18 months. Wheel clinicians can now prescribe BabySat which enables parents to order BabySat from Owlet and other suppliers. With Wheel, BabySat also integrates with durable medical equipment (DME) suppliers who accept and can bill for the product through many insurance providers for partial or full reimbursement. Wheel is a virtual care platform and physician/nurse-practitioner online network available direct to consumer and to enterprises. Owlet release

And rounding up funding:

MidiHealth closed a $60M Series B funding. This was led by Emerson Collective with participation from Memorial Hermann, SemperVirens, Felicis, Icon Ventures, Black Angel Group, Gingerbread Capital, Able Partners, G9, and Operator Collective for a total of $99 million in funding. Midi provides virtual support for women going through peri- and full menopause. The fresh funding will help them expand national insurance coverage, hire and upskill an additional 150 clinicians by end of year, diversify service lines, and scale to care for 1 million+ women per year by 2029. Release

Trovo Health launched with $15 million in seed funding, led by Oak HC/FT. The NYC-based AI-powered provider task assistance platform will use the funding to build its technology platform, clinical operations, and leadership team. Mobihealthnews 

In the same roundup, NYC-based Alaffia Health scored a $10 million Series A round. This was led by FirstMark Capital with participation from Aperture Venture Capital. Alaffia creates generative AI solutions for payment integrity in health insurance claims operations, with the aim of eliminating insurance fraud, waste, and abuse for health plans, third-party administrators, self-insured employers, stop-loss carriers, and government agencies. Their total raise to date is $17.6 million. Paris-based Klineo also raised €2 million for its oncology clinical trials search platforms, assisted by AI, for the use of doctors and patients. BPIFrance and business angels participated in the round.

Midweek news roundup: Optum exiting telehealth, laying off; Advocate Health selling MobileHelp; VA notifying 15M veterans re Change PHI breach, Oracle moving to Nashville–maybe? (updated)

Optum Virtual Care closing, staff layoffs in progress. Optum Everycare CEO Jennifer Phalen on an 18 April internal conference call announced that the unit would close. According to sources, some employees would have layoff dates in July. No further details were available on other layoffs or plans for integrating Virtual Care’s capabilities into other Optum units, except for generalities. “We are committed to providing patients with a robust network of providers for virtual urgent, primary and specialty care options,” and “We continually review the capabilities and services we offer to meet the growing and evolving needs of our businesses and the people we serve,” a spokesperson for UnitedHealth said to Endpoints, a biopharma publication from the University of Kansas which broke the story.

For Optum, this is the second shoe drop about layoffs and closures in less than two weeks. Reports from social media and layoff-specific boards indicated that thousands were being laid off, from their plans to urgent care and providers [TTA 23 Apr]. These were not confirmed by Optum nor by UnitedHealth Group. It’s not known if this unit’s closure was included in the total. 

The larger picture is that it is symptomatic of the sudden growth, then equally sudden consolidation, of general telehealth. Optum opened the unit in April 2021 as the pandemic entered year 2. Utilizing existing capabilities, UHG claimed it facilitated more than 33 million telehealth visits in 2020, up from 1.2 million in 2019. The number looks sky high but in that time of practices closing it was a free-for-all in telehealth–and ‘facilitating’ is a nebulous catchword that could mean a practice using Facetime, telephones, or an EHR/population health platform module. Commercial claims for telehealth have remained at 4 to 5% since (FAIR Health, Jan 2024). Even during the pandemic’s first year, telehealth claims hit a peak of 13 percent in April 2020 that dropped fast to 6% by August 2020. Well over 60% are for behavioral telehealth claims.

A leading indicator: Last June, Optum Everycare’s CEO from their 2021 start, Kristi Henderson, a former Optum SVP for digital transformation, departed to become CEO of Confluent Health, a national network of occupational and physical therapy clinics. It was about as far away as one could get from telehealth, digital transformation, and Amazon Care, her former employer that expired in 2022.

Apparently, UHG and Optum see no further need for a virtual care specialty unit, instead integrating it into plans and other Optum services. According to MedCityNews, industry analysts aren’t surprised. Both Amwell and Teladoc have had well-known struggles. The latest: Walmart, after investing millions into their unit that included full clinics and a virtual care service, also made news on 30 April that it is closing both. Also greatly on UHG’s mind: cleanup after the Change debacle, making Mr. Market happy, and the looming antitrust action by DOJ. Becker’s, Healthcare IT News

In another sign that healthcare investors are selling off ancillary businesses, Advocate Health is selling PERS provider MobileHelp. It “no longer fit the strategic priorities of Advocate Health” according to their 22 April audit report (see document pages 10 and 13) and was authorized last December.

Advocate, through its investment arm Advocate Aurora Enterprises, acquired both MobileHelp, one of the earliest mobile PERS, and sister company Clear Arch Health, a remote patient monitoring provider, in April 2022. Cost was not disclosed at that time but later was reported to be $290.7 million. The plan at the time was to combine both MobileHelp and Clear Arch with a senior care/home health provider earlier acquired by Advocate for $187 million, Senior Helpers. That company was sold in March to Chicago-based private equity firm Waud Capital Partners for an undisclosed amount. The MobileHelp sale is expected to close later this year. Buyer and price are not disclosed. The expected loss on the MobileHelp sale was figured into FY 2023 as part of an asset impairment write-down of $150 million, which Advocate said was “related to the expected loss on the sale of MobileHelp.” The PERS and RPM business is a largely consolidated ‘cash cow’ type of business that (Editor’s prediction) will be snapped up by another player like Connect America, Alert One, or a smaller player like ModivCare. Milwaukee Business Journal, Becker’s, Crain’s Chicago Business (requires subscription)

VA admits that some veterans may be affected by Change Healthcare data breach, PII/PHI disclosure. While Department of Veterans Affairs Secretary Denis McDonough at this time believes that “there’s no confirmation yet” that veteran data was exposed, the scope of the Change Healthcare breach has led VA to formally alert via email 15 million veterans and their families of the possibility. The email also included information “about the two years of free credit monitoring and identity theft protection” that Change Healthcare is offering to those affected by the attack. The VA maintains that the attack resulted in only a temporary delay in filling 40,000 prescriptions but did not cause “any adverse impact on patient care or outcomes,” according to a department spokesman. NextGov/FCW 26 April, 23 April 

In related news, HHS as of 19 April had not received any notification from Change Healthcare nor UHG. They are required to file a breach report as providers and also as covered entities. They have 60 days from the breach occurrence on 21 February to report, which is coming right up. Becker’s

If Larry said it, it must be true…assemble the moving boxes. At an Oracle conference in Nashville last week, Oracle chairman Larry Ellison said to Bill Frist of investment firm Frist Cressey Ventures that he planned to move the company to that city as “It’s the center of the industry we’re most concerned about, which is the healthcare industry.” It’s their second public Larry and Billy meetup in the last few months, the last in November at the Frist Cressey Ventures Forum where Ellison had previously touted Nashville. Ellison is investing in and building a 70-acre, $1.35 billion campus on Nashville’s riverfront. Oracle is currently HQ’d in Austin, Texas having moved in 2020 from Redwood City, California but with extensive facilities remaining in the state. Texas and Tennessee have one thing in common–a superior business climate. Both are long on lifestyle, though Austin is not as temperate (read, hot) as Nashville. What Nashville has that Austin doesn’t is being a healthcare hub. At least in Ellison’s view, healthcare is where it’s at and so is Nashville. So as long as he’s running Oracle from his manse on Lanai, Oracle does what Larry says. Healthcare Dive, Healthcare IT News, The Tennessean

More fun facts about Larry Ellison and Nashville: David Ellison, his son, is founder of Skydance Media, a major Hollywood production company (Mission: Impossible and others) and negotiating a zillion-dollar merger with Paramount Pictures. David’s wife is a singer trying to make it in Music City and they have a home there. Kind of like the age-old trend of moving the HQ near where the CEO’s living. On moving the HQ to Nashville from Austin, this would affect perhaps 2,500 workers based there currently. Most of Oracle’s workers are dispersed and work remotely. 6,400 of former Cerner-ites are still in Missouri and 7,000 remain in California. Big hat tip to HIStalk—scroll down and see more about Larry and Billy’s talk, which also covered cybersecurity, the NHS (which uses Cerner), and automating hospitals and the hospital-payer interface.

Breaking: UnitedHealth admits to paying ransomwareistes on Change stolen patient data (updated)

Admitted, finally, to CNBC on Monday. UnitedHealth told CNBC in a statement: “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.” UHG’s release alludes to this but without specifics as to what entity was paid (ALPHV? RansomHub?) or the amount. It vaguely states that it reviewed 22 screenshots “some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor” and that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals”. This seems to point to the most recent RansomHub offer of 4TB of Change Healthcare PHI/PII for sale, not the original breach, but UHG’s information is inconclusive for the reader. Also Becker’s.

However, the admission that Change files were breached and a ransom was paid is substantial and points to multiple leaks of the PHI and PII on multiple sites. Despite no identification and notification of customers yet, UHG is offering a support hotline to individuals concerned about the cyberattack, offering free credit monitoring and identity theft protections for two years plus “emotional support.”

Another fun fact that DataBreaches.net points to in its short article is that the Wall Street Journal (also cited by TechCrunch) said that its research indicated that the original breach came from stolen remote access credentials. It took only a week for ALPHV’s hackers to explore the system before deploying the cyberransom and hacking software through Change’s systems. Updated: the WSJ pins the original breach to 12 February but the hackers didn’t ‘detonate’ the ransomware till 21 February. Also, multi-factor authentication is standard operating procedure for remote access, but MFA wasn’t enabled on this. Developing and will be updated. Our article posted on Monday here with links to our prior articles.

Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) and posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here are the latest updates from DataBreaches.net

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data. 

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify they had the data, 2) ask whether it was ‘notchy’s data’, and 3) ask how RansomHub obtained it if not from ‘notchy’. RansomHub also leaked some screenshots of 2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.”

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data in now for sale. Anyone interested in the purchase should contact RansomHub. 

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty. 

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), and Genoa (OptumRx-unknown). Notices range from immediate, to two weeks into May, and forward. Types of jobs eliminated have been at all levels of regional and corporate, affecting engineers, care management, clinical, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

News roundup: Congress hammers absent UHG on Change cyberattack–and more; 10% unhinged at Hinge Health; Steward Health nears insolvency; Two Chairs $72M Series C

UnitedHealth Group facing direct Congressional criticism–and didn’t show up to answer it. The House Energy and Commerce Committee held a hearing yesterday on the BlackCat/ALPHV cyberattack on UHG/Optum’s Change Healthcare systems. Representatives of the American Hospital Association, which we noted led the earliest efforts to assess the situation, help health systems, and then lobby Health and Human Services to assist providers, the College of Healthcare Information Management Executives, and the Healthcare Sector Coordinating Council testified to a restive group of House representatives. Though reports have said that UHG had previously briefed the committee and CEO Andrew Witty will appear before the Senate Finance Committee on 30 April, both Republicans and Democrats didn’t spare the criticism. Other issues, such as healthcare provider consolidation, cybersecurity coordination, and vertical integration through acquisitions as represented by UHG and Change, entered into the hearing. And it went pretty far. Rep. Buddy Carter (R-GA): “The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up.” Rep. Anna Eshoo (D-CA): “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system,” and called it “outrageous”. 

The current administration’s proposed $800 million investment in hospital cybersecurity protections was typed as “woefully insufficient.” 

Returning to the main issues, Larry Bucshon, MD (R-IN) stated that both the government and private companies were slow in assisting providers. John Riggi, AHA’s national adviser for cybersecurity and risk, testified that “The federal government did not step in for weeks. Needed flexibilities under Medicare were not immediately available. It took 18 days for CMS to begin allowing providers to apply for advancing accelerated payments.” On how it affected providers, 94% of respondents in an AHA provider survey felt a financial impact from the attack, over half reported a “significant or serious” impact, and 74% of hospitals reported a direct effect on patient care. Payers are resisting advanced payments. UHG was even accused of exploiting the cyberattack to purchase additional practices by Rep. John Joyce, MD (R-PA). Becker’s, Chief Healthcare Executive, STAT

This Editor has previously noted that UHG is taking a $1.6 billion charge for the cyberattack and is separately facing a DOJ investigation on multiple antitrust issues between the payer group and Optum, including their Amedisys buy [TTA 6 Mar]. UHG is also facing multiple class-action lawsuits from practices currently and expected from patients affected by the theft of PHI and PII [TTA 28 Mar]. It’ll be a busy spring and summer for UHG’s legal department.

Hinge Health cuts 10% of staff. Reasons given were the standard tropes of ‘long-term sustainable business’, ‘accelerate our path to profitability, speed up decision making, and better focus our investments’ plus ‘realign our organization’. Their employee group is estimated at 1,700 on LinkedIn, making this about 170 staff released in various functions including engineers. The company is preparing for an IPO, which may not be this year, since they claim to have $400 million in cash on the books. Hinge’s last raise was an October 2021 $400 million Series E led by Tiger Global and Coatue Management for a total funding of $826.1 million over 10 raises (Crunchbase). At that time, their valuation was a bubbly $6.2 billion. Their virtual musculoskeletal rehabilitative therapy for back and joint pain care has since then expanded to rehab for pelvic pain, bowel, and bladder control. TechCrunch  As predicted in our Rock Health Q1 review, Hinge is a perfect example of companies “pursuing IPO and M&A exit pathways concurrently to keep options open” by presenting their financials as if they were already public companies. 

Steward Health Care nears bankruptcy court. And the Optum buy of Stewardship Health practices won’t save it in time. Steward’s lenders are giving the health network until the end of April–two weeks away–to prove it can repay its considerable debts. Its recovery plan which included the Stewardship sale has been criticized as unworkable given the volume of debt and the regulatory implications of selling their hospital assets. The Optum acquisition is required to undergo a 30-day review by Massachusetts’ Health Policy Commission (HPC)–and while it was announced at the end of March, it had not started by mid-April. Given UHG’s other problems and scrutiny of practice purchases by the DOJ and FTC, Optum may walk away or wait. No purchase price had been announced but it would be a drop in a bottomless well anyway. The mounting problems of Steward Health Care are detailed in Healthcare Dive’s analysis.

And to end on a more optimistic note, Two Chairs, a telemental health provider out of San Francisco, scored a $72 million Series C. Lead investors are Amplo and Fifth Down Capital with debt financing from Bridge Bank. The new raise, majority equity, brings Two Chairs’ total funding to $103 million. Their hybrid virtual and in-person therapy model is available at present in California, Florida, and Washington and markets to consumers, payers (Aetna nationally, Kaiser Permanente in Washington and Northern California), providers, and employers. The company states it will use the fresh funding to expand its markets and improve its technology platform. Currently, they have more than 500 clinicians on staff, most of whom are full-time. Their differentiator in the crowded telemental health category is their emphasis on measurement-based care, aided by a “matching consult,” facilitated by a proprietary 300-variable algorithm that creates the right therapist-client match (the ‘two chairs’ of the company’s name), which studies indicate is the most important factor in determining a good outcome.  Release, FierceHealthcare, MedCityNews

Mid-week short takes: UnitedHealth’s $1.2B Q1 loss from Change attack, another Walgreens layoff, Dexcom-MD Revolution partner, Kontakt.io $47.5M raise, GeBBS Healthcare may sell for $1B

UnitedHealth Group rang up Q1 revenue of $99.8 billion, with adjusted earnings from operations $8.5 billion, but had a net loss of $1.22 billion (WSJ). (Ed. note–Becker’s has $1.4 million) The loss was created not only from the cyberattack on Change Healthcare’s systems ($0.74/share) but also a $7 billion charge due to the sale of UHG’s Brazil operations.

  • Q1 revenue was up $7.9 billion versus same quarter 2023.
  • Their year 2024 forecast of the damage done by the ALPHV cyberattack on Change is $1.6 billion ($1.15 to $1.35 per share).
  • Optum’s Q1 revenues of $61 billion grew by $7 billion over prior year, led by Optum Health and Optum Rx due to continued strong expansion in the number of people served

Someone at HIStalk did some counting and noted that the Optum Solution Status dashboard for Change Healthcare shows 109 of 137 applications remain down, not much different than when we eyeballed it on 3 April. CNBC, UHG release, HIStalk, Becker’s, MSN/WSJ

Walgreens continues to cut staff–this go-around, it’s corporate support center employees both in Chicago and working remotely. No total was provided by the Walgreens spokesperson contacted by Crain’s Chicago Business. This adds to 900 corporate staff laid off in several waves earlier this year and last fall, VillageMD staff due to 140 closures, and 646 distribution center staff laid off last month. Walgreens stock is down 33% this year. 

In cheerier news, Dexcom is partnering with remote patient monitoring (RPM) provider MD Revolution to add its continuous glucose monitoring (CGM) system to MD Revolution’s RPM platform. MDR is a startup company marketing its RPM platform to large practices, health systems, and healthcare organizations. Current raises date back to 2015 totaling under $60 million mostly from venture round funding (Crunchbase). Release

Inpatient data analytics company Kontakt.io raised a Series C investment of $47.5 million, led by Growth Equity at Goldman Sachs Asset Management (Goldman Sachs). This adds to a modest $21.5 million from various investors from 2013 to 2022 (Crunchbase). Kontakt provides patient flow analytics to health systems to optimize patient, staff, and resource flows, improving safety, coordination, and service delivery. It uses a combination of RTLS property tracking, cloud, and AI to provide real-time location data and orchestrate staff, equipment, and clinical spaces around a patient’s care journey. The additional funds will be used for sales expansion and AI development. HIStalk, Release 

GeBBS Healthcare Solutions on the block, may fetch $1 billion. The LA-based business process outsourcing (BPO)/revenue cycle management (RCM) company, currently owned by ChrysCapital of New Delhi, is on the market for a reported $800 million to $1 billion. This would be a tidy payday for ChrysCapital which back in 2018 acquired an 80% stake in GeBBS for $140 million with a valuation then of $175 million. ChrysCapital is India’s largest home-grown PE investor. Economic Times-India Times, HIStalk

News roundup: Now Clover Health faces delisting; BlackCat/ALPHV affiliate with 4TB of data puts it up for sale; $58M for Biolinq’s ‘smallest blood glucose biosensor’

Clover Health takes another pass at Nasdaq delisting. Once again, Clover’s Class A shares (CLOV) have been trading with an average closing price of below $1.00 over a consecutive 30 trading-day period, which violates Nasdaq’s continued listing minimum price criteria for the Nasdaq Global Select Market. This was announced in their most recent 8-K filed with the SEC 2 April. Clover has until 30 September to remedy the situation. An additional 180-day period may be elected if Clover transfers to the Nasdaq Capital Market. FierceHealthcare, Becker’s

The delisting is a rerun of their situation last year at this time. Clover considered a reverse stock split to be approved by shareholders but the share price improved on its own and the action was not necessary. This year, it may be. Clover is currently trading at $0.7365. Last August, it hit a high of $1.55 before sliding to below $1.00. An example of a SPAC through Social Capital Hedosophia Holdings, it hit a high of over $15 on 8 January 2021 before cracking that year based on revelations that Clover did not reveal a Department of Justice investigation starting the prior year, which prompted an SEC investigation [TTA 9 Feb 2021], triggering seven shareholder lawsuits that were not settled until December 2023. Clover Health exited the advanced value-based primary care program, ACO REACH, at the end of the 2023 performance year after two years to focus on their Medicare Advantage and Clover Assistant businesses [TTA 6 Dec 2023]. Financially, Clover closed 2023 with revenue of $2.033 billion (down from 2022’s $3.5 billion), net loss of $213.4 million, and an adjusted EBITDA loss of $44.7 million, with the losses improved over 2022. Clover release 

As predicted, 4TB of Change Healthcare data is up for sale. In a typical ransomwareiste move, the affiliate making nasty comments about BlackCat/ALPHV and claiming it had 4TB of data now has put the specs out on a dark web site called RansomHub. The post first accuses ALPHV of stealing the $22 million ransom paid by UnitedHealth Group and not sharing it with the affiliate. It then claims it has highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more. If Change/UHG isn’t interested, it will be up for sale to the highest bidder. Readers will recall the claims of ‘notchy’ early in the Change Healthcare attack [TTA 7 Mar] though UHG has not confirmed any payment to ALPHV. The demand for payment for the 4TB of data that ‘notchy’ claimed to possess was hardly unexpected. DataBreaches.net

A non-invasive “smallest ever” transdermal biosensor in development may turn the CGM business upside down. Biolinq’s latest round of $58 million will fund a pivotal clinical trial and FDA submission of its intradermal glucose sensor. The funding was led by Alpha Wave Ventures, with participation from Niterra’s corporate venture capital fund jointly operated with Pegasus Tech Ventures and existing investors RiverVest Venture Partners, AXA IM Alts, Global Health Investment Corporation, and four others, for a total since 2014 of $254 million (Crunchbase). Current blood glucose sensors penetrate the skin with tiny needles. The Biolinq biosensor uses electrochemical sensors to measure glucose levels from the intradermal space just beneath the surface of the skin, on top of the capillary layer avoiding scarring. To access the intradermal layer, the sensors must be “200 times smaller than a human hair filament” according to Biolinq CEO Rich Yang. It also can combine blood glucose information with relative levels of activity in one device to eventually measure other analytes. The device as currently designed displays key information directly on the sensor–yellow light for high blood glucose, blue for normal. Release, MedCityNews

Short takes: PocketHealth, Brightside fundings; VA OIG reports hit Oracle Cerner; Change cyberattack/legal updates; UHG-Amedisys reviewed in Oregon; Optum to buy Steward Health practices

It’s a relatively quiet week before the Easter holiday, with a few fundings, more drama at the VA around Oracle Cerner, updating Change Healthcare’s comeback, and the continuing scrutiny around UnitedHealth’s acquisitions:

PocketHealth garners a US$33 million Series B. The Toronto-based company markets an AI-assisted platform to health systems and providers that allows patients to access their medical imaging and reports as well as for providers to easily share imaging information. The funding was an all-equity round by Round13 Capital with participation from Deloitte Ventures, Samsung Next, and existing investors Questa Capital and Radical Ventures to bring total funding since 2020 to $55.5 million. The fresh funding will be used to grow further within the US and Canada and develop new platform functions. Patients have access to three platforms:  Report Reader to explain medical terms in the patient’s report, Follow-Up Navigator for follow-up imaging recommendations, and MyCare Navigator to equip patients with relevant, personalized questions to ask their doctor. The platform is available in 775 hospitals and imaging centers across North America and is used by more than 1.5 million patients.  PocketHealth release, Mobihealthnews

Brightside Health moves to a Series C of $33 million. This round for the telemental health company was led by S32, along with Kennedy Lewis, Time BioVentures, and Anne Wojcicki (Redwood Pacific) with existing investors ACME, Mousse Partners, and Triventures. Total funding since 2018 is $114 million. Brightside provides telemental health through payers in 50 states such as CareOregon, Blue Cross and Blue Shield of Texas, and Centene. The new funding will be used to expand into the usual new markets and offerings. Trip Hofer, who was former CEO of Optum Behavioral Health Solutions and now with .406 Ventures, will join the Brightside board of directors. Their most recent moves are expansion into Medicare and Medicaid programs for psychiatry, therapy, and their Crisis Care program for individuals with elevated suicide risk. Release

The Department of Veterans Affairs Office of Inspector General (OIG) released three reports last Thursday (20-21 March) that were sharply critical of the new Oracle Cerner EHR. While Oracle Cerner Millennium operates in only five VA locations, not including the joint MHS/Genesis Lovell FHCC, each one has been problematic from training to implementation–and they are on hold. The OIG reports available here on the Electronic Health Records Modernization (EHRM) are scathing on the EHR’s scheduling and pharmacy features leading to patient safety and staff usability issues.

  • At VA Central Ohio Healthcare System (facility) in Columbus and elsewhere, this led to inaccurate medication and allergy information transmission from new EHR sites to legacy EHR sites that staff and pharmacists had to work around to provide adequate safety checks.
  • Also at VA Central Ohio, the Cerner EHR system error in 2022 led to a patient’s missed appointment since it was not routed to a queue to prompt rescheduling efforts. Subsequently, a nurse practitioner never evaluated the medication refill request, nor did a psychologist evaluate mental status and critical clinical information. The veteran patient died by accidental overdose approximately seven weeks after that missed appointment.
  • Regarding future implementations, the OIG was specific on what had to be fixed on both: “These concerns include the need for additional staffing and overtime to meet or exceed pre-deployment appointment levels, displaced appointment queue functionality, challenges related to providers and schedulers sharing information, inaccurate patient information, difficulties changing appointment type, and the inability to automatically mail appointment reminder letters. At facilities currently relying on the EHR, these issues have resulted in inconsistent workarounds and additional work, increasing the risk for scheduling errors.” 

Healthcare IT News, Healthcare Dive, EHR Intelligence, TTA 22 Feb

Change Healthcare’s systems are gradually returning. Since our last update on 14 March, UnitedHealth Group confirmed that 99% of pharmacy network services were up and running–and that they have fronted $2 billion to providers. Separately, they launched workaround software for medical claims preparation.

  • On 15 March, the electronic payments platform was restored.
  • On 20 March, UHG restored Amazon Web Services. It was backed up from Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange.
  • Relay Exchange went back online by 24 March to begin processing $14 billion in medical claims.

But on the legal and Federal fronts, UHG will be keeping its legal department busy. Starting the week of 11 March, the first class action lawsuit was filed by a women’s health practice in Albany, MS–Advanced Obstetrics & Gynecology PC. Another class action suit was filed on 18 March by Gibbs Law Group on behalf of providers to be named. Next will be patients whose PII and PHI were compromised, from the 4 or 6 terabytes of payer information held by ‘notchy’ and other affiliates from the BlackCat/ALPHV-masterminded attack, as this is confirmed. Expect these to multiply like weeds in May. HIPAA Journal

And the American Hospital Association, Senators and House Representatives are jumping all over Health and Human Services (HHS) to ensure that payments are made to Medicare, Medicaid, and Medicare Advantage plans, as well as calling for an investigation of UnitedHealth. Becker’s, FierceHealthcare

As expected, UHG’s acquisition of Amedisys home health is running into more opposition at the state level. In this case, it’s the Oregon Health Authority (OHA) that will be conducting a full review. The Department of Justice (DOJ) has been investigating the acquisition on antitrust grounds almost since it was announced in June 2023. Shareholders approved the $3.3 billion buy the following September, but it has not closed. UHG’s plan is to merge it into Optum’s home health providers Contessa Health and LHC Group, creating a home health juggernaut. As noted earlier this month when DOJ announced a further antitrust probe of UHG around the UnitedHealth plan relationships with Optum services, “DOJ has a long memory, a Paul Bunyan-sized ax to grind, and doesn’t like losing. One wonders if now UHG has buyer’s remorse after fighting for two years to buy Change.” (And winning versus DOJ!) Fierce Healthcare

Yet UHG goes on buying providers, DOJ scrutiny or not. Optum is bidding for Steward Health Care’s Stewardship Health practices over nine states. For-profit Steward, headquartered in Dallas, needs to raise funds as it is in debt overall and facing major problems in Massachusetts, with several hospitals at risk of closure. In any case, the company wants to exit the state. A purchase price was not announced. The transaction is under review by Massachusetts’ Health Policy Commission (HPC) over the next 30 days. The Stewardship transaction would add to OptumCare’s total of 90,000 physicians–10% of US physicians, a number that is raising red flags on the state and Federal levels. FierceHealthcare, WBUR

Updates on Change cyberattack: UHG’s timeline for system restorations, key updates around claims and payments in next weeks (updated)

As of 8 March-updated 14 March

UnitedHealth Group released a timeline on restoring Change Healthcare systems.

Prescribing is currently back online, with payments not up until next Friday and the claims network starting testing and brought up through the week of 18 March. Highlights below are from the release. Details in 7 March press release.

  • Electronic prescribing is now fully functional with claim submission and payment transmission available as of 7 March. At the end of the release, there is additional information applicable to pharmacy claims and payments, as well as Optum Rx PBM.
    • Update: UHG announced on 13 March that the pharmacy network and payment systems were operational and 99% of pre-incident claim volume is restored. There are some pharmacies remaining offline. Reuters
  • Electronic payment functionality will be available for connection beginning 15 March (next Friday)
  • Testing and reestablishing connectivity to the claims network and software will begin on Monday 18 March, restoring service through that week.

Bottom line: the two critical functions of payments and claims will not be fully restored for a month (the cyberattack began on 21 February). Testing of the claims network is not full functionality. Reading between the lines, don’t bet on the week of 18 March for a complete restoration.

Editor’s note: Claims drive payments. There is a massive backlog. Providers could be out of pocket for months or working through reconciliations with UHG, if they participate in temporary funding.

Buried in the release: “we strongly recommend our provider and payer clients use the applicable workarounds we have established—in particular, using our new iEDI claim submission system in the interest of system redundancy given the current environment.”

The rest of the release recaps UHG’s temporary funding proposal, which the American Hospital Association had previously criticized as having ‘shockingly onerous’ terms that were “not even a band-aid on the payment problems” [TTA 5 March]. It has been improved with UHG advancing payments weekly and removing fees and interest. Repayment also seems sensible if the reconciliations are done correctly; “providers will receive an invoice once standard payment operations resume and will have 30 days to return the funds.” Registration is of course required.

UHG is also urging other payers to follow their lead in addressing payments with their providers.

At this point, you can’t expect UHG to disclose why Change Healthcare’s hundreds of systems were so vulnerable–nor whether they paid ransom to BlackCat, as reported. This Editor also wonders how much information on claims and payments, going back before 21 February, was lost. 

Other funding updates:

UHG will suspend until 31 March:

  • Prior authorizations for most outpatient services except for Durable Medical Equipment, cosmetic procedures, and Part B step therapies. This applies to Medicare Advantage (MA), including Dual Special Needs Plans (D-SNP).
  • Drug formulary exception review processes for Medicare Part D pharmacy benefits

UHG will work with state Medicaid agencies on actions they wish to implement.

Becker’s, Healthcare Dive

Reality Bites Again: UHG being probed by DOJ on antitrust, One Medical layoffs “not related” to Amazon, the psychological effects of cyberattacks

When It Rains, It Really Pours for UnitedHealth Group. On the heels of their Optum/Change Healthcare ransomware disaster are recent reports that the US Department of Justice is investigating UHG over multiple antitrust concerns. According to the Wall Street Journal, DOJ is examining certain relationships between the company’s UnitedHealthcare insurance unit and its Optum services unit, specifically around Optum’s ownership of physician groups. UHG has been aggressively buying and buying interests in practice groups for several years, announcing quite publicly that their goal was to own or control 5% of US physicians. In 2022 and 2023, they bought CareMount, Kelsey-Seybold, Atrius Health, Healthcare Associates of Texas, and Crystal Run Healthcare (Becker’s). Local reporting by the Examiner News in Westchester, NY, brought much of this history to light. In that area, it started with local practice group CareMount and their 25% layoff after being folded into Optum Tri-State with ProHealth in Long Island and NYC and Riverside Health–a layoff pattern that accelerated in the practice groups in 2023.

DOJ lost out on their challenge to the Change Healthcare acquisition in November 2022, deciding not to appeal the Federal District Court decision in 2023 [TTA 23 Mar 2023]. But DOJ never sleeps; they are examining with a microscope UHG’s $3.3 billion bid for home health provider Amedisys that started in August 2023 and has not moved forward. DOJ has a long memory, a Paul Bunyan-sized ax to grind, and doesn’t like losing. One wonders if now UHG has buyer’s remorse after fighting for two years to buy Change.

In the Alternate Reality Department, One Medical CEO Trent Green insisted that their reorganization and layoffs were unrelated to their acquisition by Amazon. Those of us who are a little less credulous know that with 98% of acquisitions, staff are laid off. Overlapping areas wind up being pinkslipped, no matter the individuals’ quality or even difference in business: finance, HR, legal, marketing, IT, operations, compliance, sales, account managers…the list is almost endless. According to the Washington Post article (also Becker’s), One Medical cuts, estimated at up to 400, also included front desk staff, office managers, health coaches, behavioral health specialists and a pediatrician–people who aren’t employed by other Amazon units. One Medical’s corporate offices in New York, Minneapolis, and St. Petersburg, Florida are closing, and its San Francisco office space is reduced to one floor. TTA 14 Feb

One Medical has never been profitable, as this Editor noted when the acquisition was announced as part of the “race to transform healthcare models”. This wasn’t going to last long with Amazon, which has been aggressively cutting and dumping in other units such as Audible, Prime, and Halo. Marketing Amazon-style with deeply discounted memberships to Prime members also has its limitations. One Medical has a scant 200 mostly urban offices, which means that members outside those areas only have access to virtual visits. It had previously cultivated a patient population of young, mostly healthy and lower-cost urbanites, who as they grow older and have families might stick with the practice–or find it not compatible with or targeted to their needs in middle age. Management has changed: Green replaced Amir Dan Rubin, MD, as CEO last September. CFO Bjorn Thaler will move to a new position focused on growth initiatives. A layer of regional general managers will report to an Amazon head of operations, and legal, finance, and technology teams will report to Amazon’s healthcare business structure. Inbound calls now go to Mission Control, a central call center, and even those humans will be in future supplemented by an AI-enabled chatbot.

Iora Health, One Medical’s specialized (acquired) unit in Medicare Advantage and Medicare Shared Savings Programs including the advanced ACO REACH model, in October was rebranded as One Medical Senior, with an intention for all One Medical offices to serve age 65+–but with current patients, many with multiple chronic conditions, now reporting cutbacks in callbacks, appointment length, physician load, and services provided such as transportation. One clinic had 20 staff cut back to five with patients pushed out to virtual visits–hardly appropriate for a high needs, older, less technologically savvy patient population in value-based care, quality-measured models. Editor’s note: having had some experience in ACO and VBC World, Amazon may as well get out of ACOs because practices in these primary care models require specialized and dedicated management, reporting, and population nurturing. They don’t mainstream well. I have also read that ironically, Iora was profitable for One Medical, which is 1) why they bought it and 2) ran it separately.

In this Editor’s view, human costs are a factor shown to be absent from Amazon’s business calculations for success–which doesn’t quite square with the mission of healthcare for healthier patients and better outcomes.

Speaking of the reality of human cost, let’s spare a thought for those dealing with the effects of a cyberattack or data breach. They are the IT staff, pharmacists, software specialists, front line clinicians, billing specialists, doctors, therapists, business managers, coders…the list goes on. They share their feelings of frustration, helplessness, distress, aloneness, and financial fear on Reddit, Twitter/X and other forums. Few think of them taking the brunt of patient frustration and their state of mind day after day as Change/Optum’s disaster goes on and on. Writer Molly Gamble of Becker’s has the final and most sympathetically descriptive say in her brief but important article about When ransomware strikes, who to call?  A full read is recommended.

Helplessness or loss of control, especially at a collective level, can be psychologically and emotionally taxing. Recognizing a threat but not knowing what to do about it can increase one’s stress, anxiety and fear. The lack of a known end point of a cyberattack like Change is experiencing can intensify psychological distress. Some independent therapists, for instance, have noted they have halted their insurance billing for a week due to the downtime and expressed fear about going longer without income. 

These mental effects, while lesser-discussed, are exactly what cyberthreats intend to bring on. Cyberterrorists want to create mental and physical harm, and research has found that the psychological effects of cyber threats can rival those of traditional terrorism.

Week 2: Change Healthcare’s BlackCat hack may last “for the next couple of weeks”, UHG provides temp funding to providers, AHA slams it as a ‘band aid’–but did Optum already pay BlackCat a $22M ransom? (updated)

The BlackCat/ALPHV ransomware attack on Change Healthcare’s systems continues. At this point, the Optum systems website doesn’t show anything other than a chronological trail of updates and a long list in very small gray type of Change Healthcare systems affected–no more individual checks on working systems and red Xs on the ones that weren’t. 

  • UnitedHealth Group is setting up a program to loan funds, the “Temporary Funding Assistance Program,” to providers who cannot receive payments while Change systems are down. While without fees or interest, the loans will have to be repaid.
  • In a Tuesday 27 Feb conference call with hospital cybersecurity officers reported by STAT, UHG Chief Operating Officer Dirk McMahon said that the program will continue “for the next couple of weeks as this continues to go on.” This is more of a timeline than UHG has otherwise disclosed.
  • The American Hospital Association (AHA) on Monday slammed the “Temporary Funding Assistance Program” as “not even a band-aid on the payment problems” that hospitals are experiencing. The program is, in their view 1) “available to an exceedingly small number of hospitals and health systems” and with “shockingly onerous” and “one-sided contractual terms” and conditions for payback and verification through access to claims payment data. For their members, “their financial future becomes more unpredictable the longer Change Healthcare is unavailable. UnitedHealth Group, which is a Fortune 5 company that brought in more than $370 billion in revenue and $22 billion in profit in 2023, can — and should — be doing more to address the far-reaching consequences that result from Change Healthcare’s inability to provide these essential hospital revenue cycle functions nearly two weeks after the attack.” 4 March letter to UHG   AHA maintains an update page for members and other providers.
  • US Senator Chuck Schumer wrote 1 March to the Centers for Medicare and Medicaid Services (CMS) requesting that CMS accelerate payments to hospitals, pharmacies and other providers. Also Becker’s
  • AHA wrote 4 March to all four Congressional leaders detailing the effect on providers, UHG’s assistance program’s inadequacies, and requesting assistance from HHS including requesting “Medicare Administrative Contractors to prioritize and expedite review and approval of hospital requests for Medicare advanced payments.”  

Update: According to First Health Advisory, a cybersecurity firm in healthcare, some large providers are losing $100 million daily because of the interruptions to Change/Optum’s payer systems. CNN, Becker’s

And BlackCat went All Quiet on the Ransomware Front. Bleeping Computer confirmed that BlackCat turned off their servers and took their negotiation website offline over the weekend. “The Tox messaging platform used by the BlackCat ransomware operator contained a message that does not provide any details about what the gang plans next: “Все выключено, решаем,” which translates to “Everything is off, we decide.”” It has now been changed to “GG”.

This may or may not be related to another development–an affiliate of BlackCat/ALPHV claiming that they were scammed of a $22 million ransomware payment from Optum. These affiliates actually carry out the attacks on cybervictims using encryptors from the main entity. Dmitry Smilyanets of threat intelligence company Recorded Future picked up a message posted by “notchy” that said Change/Optum paid $22 million on 1 March to “prevent leakage and decryption key.” ALPHV suspended their account after receiving the payment and never paid them. This affiliate also claims they still have 4 terabytes of data from Change that goes deep into Tricare, Medicare, MetLife, CVS, and many other payers. As proof on the ransom, “notchy” provided a cryptocurrency payment address with a total of nine transactions. In the ultimate irony, “notchy” warned other affiliates to stop dealing with ALPHV. Cutting off affiliate ties and walking away with the cash, preliminary to another rebrand of BlackCat/ALPHV, formerly DarkSide and Black Matter? Also The Register and DataBreaches.net–which commented that while Optum may have gotten a decryptor, what about All That Data?