HHS


Amid paralyzing ransomware attack, feds probe UnitedHealth’s HIPAA compliance

most significant and consequential incident —

UnitedHealth said it will cooperate with the probe as it works to restore services.

Multistory glass-and-brick building with UnitedHealthcare logo on exterior.

As health systems around the US are still grappling with an unprecedented ransomware attack on the country’s largest health care payment processor, the US Department of Health and Human Services is opening an investigation into whether that processor and its parent company, UnitedHealthcare Group, complied with federal rules to protect private patient data.

The attack targeted Change Healthcare, a unit of UnitedHealthcare Group (UHG) that provides financial services to tens of thousands of health care providers around the country, including doctors, dentists, hospitals, and pharmacies. According to an antitrust lawsuit brought against UHG by the Department of Justice in 2022, 50 percent of all medical claims in the US pass through Change Healthcare’s electronic data interchange clearinghouse. (The DOJ lost its case to prevent UHG’s acquisition of Change Healthcare and last year abandoned plans for an appeal.)

As Ars reported previously, the attack was disclosed on February 21 by UHG’s subsidiary, Optum, which now runs Change Healthcare. On February 29, UHG accused the notorious Russian-speaking ransomware gang known both as AlphV and BlackCat of being responsible. According to The Washington Post, the attack involved stealing patient data, encrypting company files, and demanding money to unlock them. The result is a paralysis of claims processing and payments, causing hospitals to run out of cash for payroll and services and preventing patients from getting care and prescriptions. Additionally, the attack is believed to have exposed the health data of millions of US patients.

Earlier this month, Rick Pollack, the president and CEO of the American Hospital Association, called the ransomware attack on Change Healthcare “the most significant and consequential incident of its kind against the US health care system in history.”

Now, three weeks into the attack, many health systems are still struggling. On Tuesday, members of the Biden administration met with UHG CEO Andrew Witty and other health industry leaders at the White House to demand they do more to stabilize the situation for health care providers and services and provide financial assistance. Some improvements may be in sight; on Wednesday, UHG posted an update saying that “all major pharmacy and payment systems are up and more than 99 percent of pre-incident claim volume is flowing.”

HIPAA compliance

Still, the data breach leaves big questions about the extent of the damage to patient privacy, and the adequacy of protections moving forward. In an additional development Wednesday, the health department’s Office for Civil Rights (OCR) announced that it is opening an investigation into UHG and Change Healthcare over the incident. It noted that such an investigation was warranted “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.”

In a “Dear Colleague” letter dated Wednesday, the OCR explained that the investigation “will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” HIPAA is the Health Insurance Portability and Accountability Act, which establishes privacy and security requirements for protected health information, as well as breach notification requirements.

In a statement to the press, UHG said it would cooperate with the investigation. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the statement read. “We are working with law enforcement to investigate the extent of impacted data.”

The Post notes that the federal government does have a history of investigating and penalizing health care organizations for failing to implement adequate safeguards to prevent data breaches. For instance, health insurance provider Anthem paid a $16 million settlement in 2020 over a 2015 data breach that exposed the private data of almost 79 million people. The exposed data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. The OCR investigation into the breach discovered that the attack began with spear phishing emails that at least one employee of an Anthem subsidiary fell for, opening the door to further intrusions that went undetected between December 2, 2014, and January 27, 2015.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” OCR Director Roger Severino said at the time. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”



Elizabeth Holmes barred from federal health programs for 90 years

Excluded —

The former Theranos CEO is barred from receiving payments from federal health programs.

Theranos CEO and founder Elizabeth Holmes.


Elizabeth Holmes—the disgraced and incarcerated founder of the infamous blood-testing startup Theranos—is barred from participating in federal health programs for nine decades, according to an announcement from the health department Friday.

The exclusion means that Holmes is barred from receiving payments from federal health programs for services or products, which significantly restricts her ability to work in the health care sector. It also prevents her from participating in Medicare, Medicaid, and other federal health care programs. With a 90-year term, the exclusion is lifelong for Holmes, who is currently 39.

The exclusion was announced by Inspector General Christi Grimm of the Department of Health and Human Services’ Office of Inspector General.

Holmes is serving an 11-year, three-month sentence for defrauding investors of her blood-testing startup, Theranos, which she founded in 2003. At the time, Holmes claimed to have developed proprietary technology that could perform hundreds of medical tests using just a small drop of blood from a finger prick. The remarkable claim helped her drive the company’s valuation to a stunning $9 billion in 2014, and set up lucrative partnerships. But, in reality, the technology never worked. The company collapsed in 2018, and she was convicted of fraud in 2022.

In today’s announcement, the health department noted that the statutory minimum on exclusions for convictions like Holmes’ is just five years. But other factors are considered when determining the term, including how long the fraud took place, the length of the prison sentence, and the amount of restitution ordered. In addition to her 11-year prison sentence, Holmes was ordered to pay approximately $452,047,200 in restitution, the HHS-OIG noted.

“Accurate and dependable diagnostic testing technology is imperative to our public health infrastructure. False statements related to the reliability of these medical products can endanger the health of patients and sow distrust in our health care system,” Grimm said. “As technology evolves, so do our efforts to safeguard the health and safety of patients, and HHS-OIG will continue to use its exclusion authority to protect the public from bad actors.”

HHS-OIG also excluded former Theranos President Ramesh Balwani from federal health programs for 90 years. Balwani was also convicted of fraud and is serving a nearly 13-year sentence.



CVS, Rite Aid, Walgreens hand out medical records to cops without warrants

prescription for privacy —

Lawmakers want HHS to revise health privacy law to require warrants.


All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.

The revelation raises grave medical privacy concerns, particularly in a post-Dobbs era in which many states are working to criminalize reproductive health care. Even if people in states with restrictive laws cross state lines for care, pharmacists in massive chains, such as CVS, can access records across borders.

Lawmakers noted the pharmacies’ policies for releasing medical records in a letter dated Tuesday to the Department of Health and Human Services (HHS) Secretary Xavier Becerra. The letter—signed by Sen. Ron Wyden (D-Ore.), Rep. Pramila Jayapal (D-Wash.), and Rep. Sara Jacobs (D-Calif.)—said their investigation pulled information from briefings with eight big prescription drug suppliers.

They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.

All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.

Three pharmacies—CVS Health, The Kroger Company, and Rite Aid Corporation—told lawmakers they didn’t even require their pharmacy staff to consult legal professionals before responding to law enforcement requests at pharmacy counters. According to the lawmakers, CVS, Kroger, and Rite Aid said that “their pharmacy staff face extreme pressure to immediately respond to law enforcement demands and, as such, the companies instruct their staff to process those requests in store.”

The rest of the pharmacies—Amazon, Cigna, Optum Rx, Walmart, and Walgreens Boots Alliance—at least require that law enforcement requests be reviewed by legal professionals before pharmacists respond. But only Amazon said it had a policy of notifying customers of law enforcement demands for pharmacy records unless there were legal prohibitions to doing so, such as a gag order.

HIPAA and transparency

The lawmakers note that the pharmacies aren’t violating regulations under the Health Insurance Portability and Accountability Act (HIPAA). The pharmacies pointed to language in HIPAA regulations that allows health care providers, including pharmacists, to provide medical records if required by law, with a subpoena being a sufficient legal process for such a request. However, the lawmakers note that HHS has discretion in determining the legal standard here—that is, it has the power to strengthen the regulation to require a warrant, which the lawmakers say it should do.

“We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles,” the three lawmakers wrote.

They also pushed for pharmacies to do better, encouraging them to follow the lead of tech companies. “Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy.” The trio noted that Google, Microsoft, and Yahoo have since 2010 required law enforcement to have a warrant to obtain customers’ emails.

Also noting tech companies’ lead, the lawmakers encouraged pharmacies to publish annual transparency reports. In the course of the investigation, only CVS Health said it planned to do so.

“Americans deserve to have their private medical information protected at the pharmacy counter and a full picture of pharmacies’ privacy practices, so they can make informed choices about where to get their prescriptions filled,” the lawmakers wrote.

For now, HIPAA regulations grant patients the right to know who is accessing their health records. But to exercise that right, patients have to specifically request the information—and almost no one does. “Last year, CVS Health, the largest pharmacy in the nation by total prescription revenue, only received a single-digit number of such consumer requests,” the lawmakers noted.

“The average American is likely unaware that this is even a problem,” the lawmakers said.
