
3 Strategies To Defend GOP Health Bill: Euphemisms, False Statements and Deleted Comments

[Editor's Note: today's guest post is by the reporters at ProPublica. Affordable health care and coverage are important to many, if not most, Americans. It is reprinted with permission.]

by Charles Ornstein, ProPublica

Earlier this month, a day after the House of Representatives passed a bill to repeal and replace major parts of the Affordable Care Act, Ashleigh Morley visited her congressman's Facebook page to voice her dismay.

"Your vote yesterday was unthinkably irresponsible and does not begin to account for the thousands of constituents in your district who rely upon many of the services and provisions provided for them by the ACA," Morley wrote on the page affiliated with the campaign of Representative Peter King (Republican, New York). "You never had my vote and this confirms why."

The next day, Morley said, her comment was deleted and she was blocked from commenting on or reacting to King's posts. The same thing has happened to others critical of King's positions on health care and other matters. King has deleted negative feedback and blocked critics from his Facebook page, several of his constituents say, sharing screenshots of comments that are no longer there.

"Having my voice and opinions shut down by the person who represents me -- especially when my voice and opinion wasn't vulgar and obscene -- is frustrating, it's disheartening, and I think it points to perhaps a larger problem with our representatives and maybe their priorities," Morley said in an interview.

King's office did not respond to requests for comment.

As Republican members of Congress seek to roll back the Affordable Care Act, commonly called Obamacare, and replace it with the American Health Care Act, they have adopted various strategies to influence and cope with public opinion, which polls show mostly opposes their plan. ProPublica, with our partners at Kaiser Health News, Stat and Vox, has been fact-checking members of Congress in this debate and we've found misstatements on both sides, though more by Republicans than Democrats. The Washington Post's Fact Checker has similarly found misstatements by both sides.

Today, we're back with more examples of how legislators are interacting with constituents about repealing Obamacare, whether online or in traditional correspondence. Their more controversial tactics seem to fall into three main categories: providing incorrect information, using euphemisms for the impact of their actions, and deleting comments critical of them. (Share your correspondence with members of Congress with us.)

Incorrect Information

Representative Vicky Hartzler (Republican, Missouri) sent a note to constituents this month explaining her vote in favor of the Republican bill. First, she outlined why she believes the ACA is not sustainable -- namely, higher premiums and few choices. Then she said it was important to have a smooth transition from one system to another.

"This is why I supported the AHCA to follow through on our promise to have an immediate replacement ready to go should the ACA be repealed," she wrote. "The AHCA keeps the ACA for the next three years then phases in a new approach to give people, states, and insurance markets plenty of time to make adjustments."

Except that's not true.

"There are quite a number of changes in the AHCA that take effect within the next three years," wrote ACA expert Timothy Jost, an emeritus professor at Washington and Lee University School of Law, in an email to ProPublica.

The current law's penalties on individuals who do not purchase insurance and on employers who do not offer it would be repealed retroactively to 2016, which could remove the incentive for some employers to offer coverage to their workers. Moreover, beginning in 2018, older people could be charged premiums up to five times more than younger people -- up from three times under current law. The way in which premium tax credits would be calculated would change as well, benefiting younger people at the expense of older ones, Jost said.

"It is certainly not correct to say that everything stays the same for the next three years," he wrote.

In an email, Hartzler spokesman Casey Harper replied, "I can see how this sentence in the letter could be misconstrued. It's very important to the Congresswoman that we give clear, accurate information to her constituents. Thanks for pointing that out."

Other lawmakers have similarly shared incorrect information after voting to repeal the ACA. Representative Diane Black (Republican, Tennessee) wrote in a May 19 email to a constituent that "in 16 of our counties, there are no plans available at all. This system is crumbling before our eyes and we cannot wait another year to act."

Black was referring to the possibility that, in 16 Tennessee counties around Knoxville, there might not have been any insurance options in the ACA marketplace next year. However, 10 days earlier, before she sent her email, BlueCross BlueShield of Tennessee announced that it was willing to provide coverage in those counties and would work with the state Department of Commerce and Insurance "to set the right conditions that would allow our return."

"We stand by our statement of the facts, and Congressman Black is working hard to repeal and replace Obamacare with a system that actually works for Tennessee families and individuals," her deputy chief of staff Dean Thompson said in an email.

On the Democratic side, the Washington Post Fact Checker has called out representatives for saying the AHCA would consider rape or sexual assault as pre-existing conditions. The bill would not do that, although critics counter that any resulting mental health issues or sexually transmitted diseases could be considered existing illnesses.

Euphemisms

A number of lawmakers have posted information taken from talking points put out by the House Republican Conference that try to frame the changes in the Republican bill as kinder and gentler than most experts expect them to be.

An answer to one frequently asked question pushes back against criticism that the Republican bill would gut Medicaid, the federal-state health insurance program for the poor, and appears on the websites of Representative Garret Graves (Republican, Louisiana) and others.

"Our plan responsibly unwinds Obamacare's Medicaid expansion," the answer says. "We freeze enrollment and allow natural turnover in the Medicaid program as beneficiaries see their life circumstances change. This strategy is both fiscally responsible and fair, ensuring we don't pull the rug out on anyone while also ending the Obamacare expansion that unfairly prioritizes able-bodied working adults over the most vulnerable."

That is highly misleading, experts say.

The Affordable Care Act allowed states to expand Medicaid eligibility to anyone who earned less than 138 percent of the federal poverty level, with the federal government picking up almost the entire tab. Thirty-one states and the District of Columbia opted to do so. As a result, the program now covers more than 74 million beneficiaries, nearly 17 million more than it did at the end of 2013.

The GOP health care bill would pare that back. Beginning in 2020, it would reduce the share the federal government pays for new enrollees in the Medicaid expansion to the rate it pays for other enrollees in the state, which is considerably less. Also in 2020, the legislation would cap the spending growth rate per Medicaid beneficiary. As a result, a Congressional Budget Office review released Wednesday estimates that millions of Americans would become uninsured.

Sara Rosenbaum, a professor of health law and policy at the Milken Institute School of Public Health at George Washington University, said the GOP's characterization of its Medicaid plan is wrong on many levels. People naturally cycle on and off Medicaid, she said, often because of temporary events, not changing life circumstances -- seasonal workers, for instance, may see their wages rise in summer months before falling back.

"A terrible blow to millions of poor people is recast as an easing off of benefits that really aren't all that important, in a humane way," she said.

Moreover, the GOP bill actually would speed up the "natural turnover" in the Medicaid program, said Diane Rowland, executive vice president of the Kaiser Family Foundation, a health care think tank. Under the ACA, states were only permitted to recheck enrollees' eligibility for Medicaid once a year because cumbersome paperwork requirements have been shown to cause people to lose their coverage. The American Health Care Act would require these checks every six months -- and even give states more money to conduct them.

Rowland also took issue with the GOP talking point that the expansion "unfairly prioritizes able-bodied working adults over the most vulnerable." At a House Energy and Commerce Committee hearing earlier this year, GOP representatives maintained that the Medicaid expansion may be creating longer waits for home- and community-based programs for sick and disabled Medicaid patients needing long-term care, "putting care for some of the most vulnerable Americans at risk."

Research from the Kaiser Family Foundation, however, showed that there was no relationship between waiting lists and states that expanded Medicaid. Such waiting lists pre-dated the expansion and they were worse in states that did not expand Medicaid than in states that did.

"This is a complete misrepresentation of the facts," Rosenbaum said.

Graves' office said the information on his site came from the House Republican Conference. Emails to the conference's press office were not returned.

The GOP talking points also play up a new Patient and State Stability Fund included in the AHCA, which is intended to defray the costs of covering people with expensive health conditions. "All told, $130 billion dollars would be made available to states to finance innovative programs to address their unique patient populations," the information says. "This new stability fund ensures these programs have the necessary funding to protect patients while also giving states the ability to design insurance markets that will lower costs and increase choice."

The fund was modeled after a program in Maine, called an invisible high-risk pool, which advocates say has kept premiums in check in the state. But Senator Susan Collins (Republican, Maine) says the House bill's stability fund wasn't allocated enough money to keep premiums stable.

"In order to do the Maine model -- which I've heard many House people say that is what they're aiming for -- it would take $15 billion in the first year and that is not in the House bill," Collins told Politico. "There is actually $3 billion specifically designated for high-risk pools in the first year."

Deleting Comments

Morley, 28, a branded content editor who lives in Seaford, New York, said she moved into Representative King's Long Island district shortly before the 2016 election. She said she did not vote for him and, like many others across the country, said the election results galvanized her into becoming more politically active.

Earlier this year, Morley found an online conversation among King's constituents who said their critical comments were being deleted from his Facebook page. Because she doesn't agree with King's stances, she said she wanted to reserve her comment for an issue she felt strongly about.

A day after the House voted to repeal the ACA, Morley posted her thoughts. "I kind of felt that that was when I wanted to use my one comment, my one strike as it would be," she said.

By noon the next day, it had been deleted and she had been blocked.

"I even wrote in my comment that you can block me but I'm still going to call your office," Morley said in an interview.

Some negative comments about King remain on his Facebook page. But King's critics say his deletions fit a broader pattern. He has declined to hold an in-person town hall meeting this year, saying, "to me all they do is just turn into a screaming session," according to CNN. He held a telephonic town hall meeting but only answered a small fraction of the questions submitted. And he met with Liuba Grechen Shirley, the founder of a local Democratic group in his district, but only after her group held a protest in front of his office that drew around 400 people.

"He's not losing his health care," Grechen Shirley said. "It doesn't affect him. It's a death sentence for many and he doesn't even care enough to meet with his constituents."

King's deleted comments even caught the eye of Andy Slavitt, who until January was the acting administrator of the Centers for Medicare and Medicaid Services. Slavitt has been traveling the country pushing back against attempts to gut the ACA.

.@RepPeteKing, are you silencing your constituents who send you questions? Assume ppl in district will respond if this is happening.

-- Andy Slavitt (@ASlavitt) May 12, 2017

Since the election, other activists across the country who oppose the president's agenda have posted online that they have been blocked from following their elected officials on Twitter or commenting on their Facebook pages because of critical statements they've made about the AHCA and other issues.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


America's Other Drug Problem

[Editor's Note: today's guest blog post, by reporters at ProPublica, explores the waste problem in the health care industry, and the accompanying pollution. It is reprinted with permission.]

by Marshall Allen, ProPublica

Every week in Des Moines, Iowa, the employees of a small nonprofit collect bins of unexpired prescription drugs tossed out by nursing homes after residents died, moved out or no longer needed them. The drugs are given to patients who couldn't otherwise afford them.

But travel 1,000 miles east to Long Island, New York, and you'll find nursing homes flushing similar leftover drugs down the toilet, alarming state environmental regulators worried they'll further contaminate the water supply.

In Baltimore, Maryland, a massive incinerator burns up tons of the drugs each year -- for a fee -- from nursing homes across the Eastern seaboard.

If you want to know why the nation's health care costs are among the highest in the world, a good place to start is with what we throw away. Across the country, nursing homes routinely toss large quantities of perfectly good prescription medication: tablets for diabetes, syringes of blood thinners, pricey pills for psychosis and seizures.

At a time when anger over soaring drug costs has perhaps never been more intense, redistributing discarded drugs seems like a no-brainer. Yet it's estimated that American taxpayers, through Medicare, spend hundreds of millions of dollars each year on drugs for nursing home patients -- much of which literally go down the tubes.

"It would not surprise me if as much as 20 percent of the medications we receive we end up having to destroy," said Mark Coggins, who oversees the pharmacy services for Diversicare, a chain of more than 70 nursing homes in 10 states. "It's very discouraging throwing away all those drugs when you know it can benefit somebody."

No one tracks this waste nationwide, but estimates show it's substantial. Colorado officials have said the state's 220 long-term care facilities throw away a whopping 17.5 tons of potentially reusable drugs every year, with a price tag of about $10 million. The Environmental Protection Agency estimated in 2015 that about 740 tons of drugs are wasted by nursing homes each year.

This is, of course, part of a bigger problem. The National Academy of Medicine estimated in 2012 that the United States squanders more than a quarter of what it spends on health care -- about $765 billion a year.

ProPublica is investigating the types of waste in health care that academics and politicians typically overlook. Our first installment examined the tens of millions worth of equipment and brand new supplies that hospitals jettison.

Today we look at the wasteful, and potentially harmful, ways nursing homes dispose of leftover meds -- and how some states, like Iowa, have found a solution.

On a recent Wednesday in Des Moines, Ami Bradwell, a certified pharmacy technician, popped open the lids of several 31-gallon bins full of prescription drugs. In each were hundreds of what are known as "bingo cards" filled with rows of pills in sealed bubbles.

"Metformin -- for diabetics," Bradwell said, holding up a card of large white pills. "It's not crazy expensive, but it's in high demand."

She held up an entire box of the anti-nausea drug Ondansetron. It goes for about $5 a pill, according to the website drugs.com. "Expensive."

Another card had three large pills stuffed in each chamber, a find Bradwell called "a 'jackpot' card. You can't live without it because it's a seizure medication."

[Image: SafeNetRx Drug Donation Repository]

Bradwell works for the nonprofit SafeNetRx. Each week the group takes in dozens of bins full of such drugs, as well as boxes mailed in from across Iowa and several other states -- pharmaceutical trash that exists because, for convenience and cost, long-term care pharmacies often dispense nursing home patients' medications in bulk, a month's worth at a time.

Should a patient die, leave or stop taking the drug, what's left is typically tossed. The drugs have already been paid for, by Medicare in most cases, so there's little incentive to try to recycle them. In some states, such reuse is against the law.

Some of the cards Bradwell examined that day were missing only a few pills. One card had been thrown out even though it only lacked one of its 31 doses of oxybutynin, which reduces muscle spasms of the bladder. The remaining 30 are worth more than $13.

"There are literally millions of dollars of prescription medications thrown away every day in this country," said John Forbes, an Iowa pharmacist who dispenses SafeNetRx's recovered drugs to his low-income patients.

Although most states technically allow some leftover drugs to be recycled, Iowa is one of the few rescuing a significant percentage of the drugs from destruction. The state funds the program for about $600,000 a year, said SafeNetRx CEO Jon Rosmann, who calls it a "common sense" solution. In fiscal 2016 the program recovered and distributed drugs valued at about $3.4 million. This year it's on pace to top $5 million.

Forbes, who is also an Iowa state representative, said there are additional savings when low-income patients have access to the drugs they need. Patients who don't take their drugs "end up in the emergency room," he said, "which will wind up costing our health care system way more money."

At SafeNetRx, the drugs are sorted and organized in a 1,500-square-foot room lined with shelves stacked with bins of drugs. In the center, folding tables hold hundreds of bingo cards, sorted alphabetically by generic drug name, from the blood pressure drug acebutolol to the antipsychotic ziprasidone. None of the medications are controlled substances, though those may be included in the future.

Pharmacy officials say there may be a million dollars' worth of drugs in this small room. The 30 mg syringes of the blood thinner Enoxaparin are used by patients for weeks before and after heart surgery. They can go for $13 per dose.

One box contains scores of doses of Spiriva, inhalation capsules for chronic obstructive pulmonary disease that would sell for about $18 each. The antipsychotic Abilify runs about $46 per pill.

The biggest ticket items are the cancer drugs. They are typically donated directly from patients or their families. Those can run $8,000 or more per month.

The cancer drugs are passed on to people like Amber Judge, a patient advocate at Medical Oncology and Hematology Associates, a cancer clinic in Des Moines. Judge is accustomed to patients coming into her office in a panic. They've just learned they have cancer, only to find out they can't afford the drugs they need to battle the disease. That's when Judge opens one of the file drawers in her office, which are filled with tens of thousands of dollars' worth of the drugs recovered by SafeNetRx.

In one filing drawer she has about 30 boxes of Tasigna, which costs about $100 per pill. In another drawer she has a gallon-sized plastic bag with bottles of Stivarga, about $188 per pill.

The process is similar to patients receiving drug samples at a doctor's office. They leave her office with the drugs they need -- for free.

"I give them a month's supply if I have it," Judge said. "They're so thankful. They're incredulous."

In many places in the United States, however, these leftover drugs meet a very different end, one that is not only wasteful, but potentially harmful.

In recent years, scientists have detected something disturbing in Long Island's aquifer: low levels of pharmaceuticals.

Though consumers have been warned not to flush their drugs down the toilet because sewer waste can contaminate groundwater, many still do it; more worrisome still, flushing remains a common practice at nursing homes in New York and across the country. The effects of such contamination on humans are unclear, but it has been shown to slow the metamorphosis of frogs and increase the feminization of fish.

Three years ago, New York's Department of Environmental Conservation started an annual program, funded by the state legislature, to scoop up unused medications before they were flushed. Even though the pickup service is free to facilities, only two dozen of 169 eligible Long Island nursing homes participated this February, turning over 660 pounds of drugs.

Those valuable medications didn't go into the water supply, but they didn't go to needy patients, either, though such recycling is now allowed in New York. Instead, they went to an incinerator company. Experts, including the EPA, have recommended incineration for getting rid of pharmaceuticals.

Destroying the unused drugs is always going to have environmental implications, said Carrie Meek Gallagher, region 1 director for the department. "It's always a trade-off of what's most harmful. For us, anything getting into the water is the worst solution."

The National Conference of State Legislatures said 39 states had passed laws that allowed the donation of drugs. But almost half of these states with laws lack programs to get the drugs safely from one appropriate user to another, and many of those that do have programs are focused on cancer drugs, the analysis showed.

There hasn't been a lot of public opposition to redistributing the drugs, even among drugmakers. Most concerns circle around logistics, although in Illinois trial attorneys have lobbied against a proposed program, saying it muddies liability issues.

Richard Cauchi, program director for health for the conference of state legislatures, said just passing laws doesn't guarantee success. A state agency or organization needs to oversee the program, encouraging participation and streamlining its administration so it's not a burden for pharmacies and nursing homes.

"It's a lot of work, and from a retail point of view, an expense," Cauchi said. "How do you accept these drugs? How do you confirm their safety? How do you know they meet the proper standards?"

Federal agencies are of little help, each pursuing their own, often contradictory, agendas.

The EPA discourages flushing drugs because they contaminate the water supply. But it doesn't have the authority to prohibit "sewering" the medications. Only local authorities can take that stance. It has, however, proposed reclassifying the unused drugs as hazardous waste, which would then prohibit flushing them.

The Food and Drug Administration says certain medications are so dangerous that they should be disposed of immediately, even if that means flushing them. It even provides a list of drugs recommended for flushing, mostly controlled substances like diazepam, better known as Valium, and the potent painkiller fentanyl.

The Drug Enforcement Administration wants to ensure controlled substances, like narcotic painkillers, aren't diverted to the illegal drug market. It has recommended that long-term pharmacies collect leftover drugs by placing boxes in nursing homes that must be emptied at least every three days, but that creates expense, hassle and potential liability.

Some advocates say the makers of the drugs should be responsible for disposing or recycling them. Scott Cassel, CEO of the Product Stewardship Institute, a nonprofit organization dedicated to reducing the environmental impact of consumer products, said the producers of batteries, electronics, paint and other products are required by law in some areas to pay for the safe disposal of their products. Similar laws require drug makers to pay for the destruction of leftover household drugs in two states and about a dozen counties, but no laws address nursing homes.

Coggins, who leads the pharmacy services for the Diversicare chain, said people in the nursing home industry would like to do something about the waste. But their options are dictated by laws and regulations, and there's been a lack of investment in cost-effective solutions like the one in Iowa.

About half the states where Diversicare operates allow the donation of unused drugs, but the programs required too much work sorting and inventorying the drugs without any reimbursement, he said. "It's like people have created legislation and it's a feel-good thing, but nobody's come back to see why it's not working."

Diversicare avoids flushing drugs whenever possible, Coggins said, but it still occurs sometimes. The organization has switched to a product called Rx Destroyer that chemically deactivates the medication so it can be put in the trash, he said, but even that is controversial because it goes into a landfill.

In many nursing homes, flushing is just part of the routine.

"Oh my goodness, it's so sad," said Jennifer Ramsey, a nurse who formerly worked as a house supervisor for a nursing home in South Haven, Mississippi. Once a month she and another nurse would gather all the unused blister packs of medication, she said, piles of them, probably worth tens of thousands of dollars. Then they would pop the pills one by one into the toilet.

"You would spend almost your whole eight-hour day doing it," Ramsey recalled.

Ramsey now works for the nonprofit Good Shepherd Pharmacy in Memphis. In Tennessee, the law requires nursing homes to destroy unused drugs on site. Good Shepherd's founder is pressing to change the law so the drugs can be saved and donated.

In March, state Rep. Cameron Sexton, a Republican whose wife is a pharmacist, introduced a bill that would allow unexpired medications to be donated in Tennessee. "Unfortunately, we don't have a process set up to do that so all these drugs have to be destroyed," he said.

Perhaps the most graphic way to see the waste firsthand is a visit to the Curtis Bay Medical Waste facility on the south side of Baltimore, home of the largest incinerator of its kind in the country.

Here Curtis Bay's fleet of trucks delivers load after load of unused, unexpired drugs from hundreds of nursing homes and other facilities and clinics up and down the East Coast. Drugs also come from medical waste companies like SteriCycle and Daniels Sharpsmart. In 2015, 204 tons of non-hazardous pharmaceutical waste came from the Daniels location in the Bronx, according to records filed in New York. Such waste includes not only drugs tossed by nursing homes, but also those from hospitals, doctors' offices and other facilities.

Inside Curtis Bay, the drugs are processed and destroyed in an area the size of several hockey rinks. A conveyor belt about 15 feet off the ground snakes through the facility loaded with hundreds of boxes of pharmaceutical and medical waste -- all leading to the two incineration chambers.

On a recent visit, the chamber was over 2,000 degrees, a heat that could be felt from 20 feet away.

From a platform above the incinerator's maw, you can watch as thousands of dollars of potentially lifesaving pills and medications tumble, box by box, into the steaming opening. Then they are shoveled into the blaze.

Experts say incineration is the least environmentally objectionable end-of-life option for unused drugs. But it's also the most expensive destruction method -- from 50 cents to a dollar per pound, paid for by the facilities themselves -- which is why many nursing homes resort to flushing.

Nursing homes save the disposal fees in Iowa, because they can donate them to SafeNetRx, where they benefit needy patients like Max Armstrong.

The 82-year-old suffers from multiple chronic conditions -- emphysema, congestive heart failure and more. The ailments were manageable until 2015, when he suffered blood clots in his leg and lung. Doctors put him on the generic blood thinner warfarin, but it "almost killed me," he said, so he switched to Xarelto, a newer brand name drug that costs about $700 a month.

The total tab for the Xarelto and the other 14 medications Armstrong must take each month would cost at least $1,200, according to his daughter. Armstrong, whose savings took a hit during the financial crisis, lives on $1,158 a month in Social Security.

It's "stupid" to throw away drugs that can keep so many other people healthy, Armstrong said. "There's a lot of people out there in this world who need help."



We Fact-Checked Lawmakers' Letters To Constituents on Health Care

[Editor's Note: today's guest post, by the reporters at ProPublica, explores the problem of "fake news" and whether elected officials contribute to the problem while discussing health care legislation. The article was originally published yesterday, and is reprinted with permission. Interested persons who want to help ProPublica's ongoing fact-checking efforts can share with ProPublica the messages they have received from their elected officials.]

by Charles Ornstein, ProPublica

When Louisiana resident Andrea Mongler wrote to her senator, Bill Cassidy, in support of the Affordable Care Act, she wasn't surprised to get an email back detailing the law's faults. Cassidy, a Republican who is also a physician, has been a vocal critic.

"Obamacare" he wrote in January, "does not lower costs or improve quality, but rather it raises taxes and allows a presidentially handpicked 'Health Choices Commissioner' to determine what coverage and treatments are available to you."

There's one problem with Cassidy's ominous-sounding assertion: It's false.

The Affordable Care Act, commonly called Obamacare, includes no "Health Choices Commissioner." Another bill introduced in Congress in 2009 did include such a position, but the bill died -- and besides, the job as outlined in that legislation didn't have the powers Cassidy ascribed to it.

As the debate to repeal the law heats up in Congress, constituents are flooding their representatives with notes of support or concern, and the lawmakers are responding, sometimes with form letters that are misleading. A review of more than 200 such letters by ProPublica and its partners at Kaiser Health News, Stat and Vox, found dozens of errors and mis-characterizations about the ACA and its proposed replacement. The legislators have cited wrong statistics, conflated health care terms and made statements that don't stand up to verification.

It's not clear if this is intentional or if the lawmakers and their staffs don't understand the current law or the proposals to alter it. Either way, the issue of what is wrong -- and right -- about the current system has become critical as the House prepares to vote on the GOP's replacement bill today.

"If you get something like that in writing from your U.S. senator, you should be able to just believe that," said Mongler, 34, a freelance writer and editor who is pursuing a master's degree in public health. "I hate that people are being fed falsehoods, and a lot of people are buying it and not questioning it. It's far beyond politics as usual."

Cassidy's staff did not respond to questions about his letter.

Political debates about complex policy issues are prone to hyperbole and health care is no exception. And to be sure, many of the assertions in the lawmakers' letters are at least partially based in fact.

Democrats, for instance, have been emphasizing to their constituents that millions of previously uninsured people now have medical coverage thanks to the law. They say insurance companies can no longer discriminate against millions of patients with pre-existing conditions. And they credit the law with allowing adults under age 26 to stay on their parents' health plans. All true.

For their part, Republicans criticize the law for not living up to its promises. They say former President Obama pledged that people could keep their health plans and doctors and premiums would go down. Neither has happened. They also say that insurers are dropping out of the market and that monthly premiums and deductibles (the amount people must pay before their coverage kicks in) have gone up. All true.

But elected officials in both parties have incorrectly cited statistics and left out important context. We decided to take a closer look after finding misleading statements in an email Senator Roy Blunt (R-Missouri) sent to his constituents. We solicited letters from the public and found a wealth of misinformation, from statements that were simply misleading to whoppers. More Republicans fudged than Democrats, though both had their moments.

An aide to Rep. Dana Rohrabacher (R-California) defended his hyperbole as "within the range of respected interpretations."

"Do most people pay that much attention to what their congressman says? Probably not," said Sherry Glied, dean of New York University's Robert F. Wagner Graduate School of Public Service, who served as an assistant Health and Human Services secretary from 2010 to 2012. "But I think misinformation or inaccurate information is a bad thing and not knowing what you're voting on is a really bad thing."

We reviewed the emails and letters sent by 51 senators and 134 members of the House within the past few months. Here are some of the most glaring errors and omissions:

Rep. Pat Tiberi (R-Ohio) incorrectly cited the number of Ohio counties that had only one insurer on the Affordable Care Act insurance exchange.

What he wrote: "In Ohio, almost one third of counties will have only one insurer participating in the exchange."

What's misleading: In fact, only 23 percent (less than one quarter) had only one option, according to an analysis by the Kaiser Family Foundation.

His response: A Tiberi spokesperson defended the statement. "The letter says 'almost' because only 9 more counties in Ohio need to start offering only 1 plan on the exchanges to be one third."

Why his response is misleading: Ohio has 88 counties. A 10 percent difference is not "almost."

Representative Kevin Yoder (R-Kansas) said that the quality of health care in the country has declined because of the ACA, offering no proof.

What he wrote: "Quality of care has decreased as doctors have been burdened with increased regulations on their profession."

Why it's misleading: Some data shows that health care has improved after the passage of the ACA. Patients are less likely to be readmitted to a hospital within 30 days after they have been discharged, for instance. Also, payments have been increasingly linked to patients' outcomes rather than just the quantity of services delivered. A 2016 report by the Commonwealth Fund, a health care nonprofit think tank, found that the quality of care has improved in many communities following the ACA.

His response: None.

Representative Anna Eshoo (D-California) misstated the percentage of Medicaid spending that covers the cost of long-term care, such as nursing home stays.

What she wrote: "It's important to note that 60 percent of Medicaid goes to long-term care and with the evisceration of it in the bill, this critical coverage is severely compromised."

What's misleading: Medicaid does not spend 60 percent of its budget on long-term care. The figure is closer to a quarter, according to the Center on Budget and Policy Priorities, a liberal think tank. Medicaid does, however, cover more than 60 percent of all nursing home residents.

Her response: Eshoo's office said the statistic was based on a subset of enrollees who are dually enrolled in Medicaid and Medicare. For this smaller group, 62 percent of Medicaid expenditures were for long-term support services, according to the Kaiser Family Foundation.

What's misleading about the response: Eshoo's letter makes no reference to this population, but instead refers to the 75 million Americans on Medicaid.

Representative Chuck Fleischmann (R-Tennessee) pointed to the number of uninsured Americans as a failure of the ACA, without noting that the law had dramatically reduced the number of uninsured.

What he wrote: "According to the U.S. Census Bureau, approximately thirty-three million Americans are still living without health care coverage and many more have coverage that does not adequately meet their health care needs."

Why it's misleading: The actual number of uninsured in 2015 was about 29 million, a drop of 4 million from the prior year, the Census Bureau reported in September. Fleischmann's number was from the previous year.

Beyond that, reducing the number of uninsured by more than 12 million people from 2013 to 2015 has been seen as a success of Obamacare. And the Republican repeal-and-replace bill is projected to increase the number of uninsured.

His response: None.

Rep. Joseph P. Kennedy III (D-Massachusetts) overstated the number of young adults who were able to stay on their parents' health plan as a result of the law.

What he wrote: The ACA "allowed 6.1 million young adults to remain covered by their parents' insurance plans."

What's misleading: A 2016 report by the U.S. Department of Health and Human Services, released during the Obama administration, pegged the number at 2.3 million.

Kennedy may have gotten to 6.1 million by including 3.8 million young adults who gained health insurance coverage through insurance marketplaces from October 2013 through early 2016.

His response: A spokeswoman for Kennedy said the office had indeed added those two numbers together and would fix future letters.

Representative Blaine Luetkemeyer (R-Missouri) said that 75 percent of health insurance marketplaces run by states have failed. They have not.

What he said: "Nearly 75 percent of state-run exchanges have already collapsed, forcing more than 800,000 Americans to find new coverage."

What's misleading: When the ACA first launched, 16 states and the District of Columbia opted to set up their own exchanges for residents to purchase insurance, instead of using the federal marketplace, known as Healthcare.gov.

Of the 16, four state exchanges, in Oregon, Hawaii, New Mexico and Nevada, failed, and Kentucky plans to close its exchange this year, according to a report by the House Energy and Commerce Committee. While the report casts doubt on the viability of other state exchanges, it is clear that three-quarters have not failed.

His response: None.

Representative Dana Rohrabacher (R-California) overstated the case that the ACA "distorted labor markets," prompting employers to shift workers from full-time jobs to part-time jobs.

What he said: "It has also, through the requirement that employees that work thirty hours or more be considered full time and thus be offered health insurance by their employer, distorted the labor market."

What's misleading: A number of studies have found little to back up that assertion. A 2016 study published by the journal Health Affairs examined data on hours worked, reason for working part time, age, education and health insurance status. "We found only limited evidence to support this speculation" that the law led to an increase in part-time employment, the authors wrote. Another study found much the same.

In addition, PolitiFact labeled as false a statement last June by President Donald Trump in which he said, "Because of Obamacare, you have so many part-time jobs."

His response: Rohrabacher spokesman Ken Grubbs said the congressman's statement was based on an article that said, "Are Republicans right that employers are capping workers' hours to avoid offering health insurance? The evidence suggests the answer is 'yes,' although the number of workers affected is fairly small."

We pointed out that "fairly small" was hardly akin to distorting the labor market. To which Grubbs replied, "The congressman's letter is well within the range of respected interpretations. That employers would react to Obamacare's impact in such a way is so obvious, so nearly axiomatic, that it is pointless to get lost in the weeds."

Representative Mike Bishop (R-Michigan) appears to have cited a speculative 2013 report by a GOP-led House committee as evidence of current and future premium increases under the ACA.

What he wrote: "Health insurance premiums are slated to increase significantly. Existing customers can expect an average increase of 73 percent, while the average change due to Obamacare for those purchasing a new plan will be a 96 percent increase in premiums. The average cost for a new customer in the individual market is expected to rise $1,812 per year."

What's misleading: The figures seem to have come from a report issued before the Obamacare insurance marketplaces launched and before 2014 premiums had been announced. The letter implies these figures are current. In fact, premium increases by and large have been moderate under Obamacare. The average monthly premium for a benchmark plan, upon which federal subsidies are calculated, increased about 2 percent from 2014 to 2015; 7 percent from 2015 to 2016; and 25 percent this year, for states that take part in the federal insurance marketplace.

His response: None.

Representative Dan Newhouse (R-Washington) misstated the reasons why Medicaid costs per person were higher than expected in 2015.

What he wrote: "A Medicaid actuarial report from August 2016 found that the average cost per enrollee was 49 percent higher than estimated just a year prior -- in large part due to beneficiaries seeking care at more expensive hospital emergency rooms due to difficulty finding a doctor and long waits for appointments."

What's misleading: The report did not blame the higher costs on the difficulty patients had finding doctors. Among the reasons the report did cite: patients who were sicker than anticipated and required a raft of services after being previously uninsured. The report also noted that costs are expected to decrease in the future.

His response: None.

Senator Dick Durbin (D-Ill.) wrongly stated that family premiums are declining under Obamacare.

What he wrote: "Families are seeing lower premiums on their insurance, seniors are saving money on prescription drug costs, and hospital readmission rates are dropping."

What's misleading: Durbin's second and third points are true. The first, however, is misleading. Family insurance premiums have increased in recent years, although with government subsidies, some low- and middle-income families may be paying less for their health coverage than they once did.

His response: Durbin's office said it based its statement on an analysis published in the journal Health Affairs that said that individual health insurance premiums dropped between 2013 and 2014, the year that Obamacare insurance marketplaces began. It also pointed to a Washington Post opinion piece that said that premiums under the law are lower than they would have been without the law.

Why his response is misleading: The Post piece his office cites states clearly, "Yes, insurance premiums are going up, both in the health care exchanges and in the employer-based insurance market."

Representative Susan Brooks (R-Ind.) told constituents that premiums nationwide were slated to jump from 2016 to 2017, but failed to mention that premiums for some plans in her home state actually decreased.

What she wrote: "Since the enactment of the ACA, deductibles are up, on average, 63 percent. To make matters worse, monthly premiums for the 'bronze plan' rose 21 percent from 2016 to 2017. ... Families and individuals covered through their employer are forced to make the difficult choice: pay their premium each month or pay their bills."

What's misleading: Brooks accurately cited national data from the website HealthPocket, but her statement is misleading. Indiana was one of two states in which the premium for a benchmark health plan -- the plan used to calculate federal subsidies -- actually went down between 2016 and 2017. Moreover, more than 80 percent of marketplace consumers in Indiana receive subsidies that lower their premium costs. The HealthPocket figures refer to people who do not qualify for those subsidies.

Her response: Brooks' office referred to a press release from Indiana's Department of Insurance, which took issue with an Indianapolis Star story about premiums going down. The release, from October, when Vice President Mike Pence was Indiana's governor, said that the average premiums would go up more than 18 percent over 2016 rates based on enrollment at that time. In addition, the release noted, 68,000 Indiana residents lost their health plans when their insurers withdrew from the market.

Why her response is misleading: For Indiana consumers who shopped around, which many did, there was an opportunity to find a cheaper plan.

Senator Ron Wyden (D-Ore.) incorrectly said that the Republican bill to repeal Obamacare would cut funding for seniors in nursing homes.

What he wrote: "It's terrible for seniors. Trumpcare forces older Americans to pay 5 times the amount younger Americans will -- an age tax -- and slashes Medicaid benefits for nursing home care that two out of three Americans in nursing homes rely on."

What's misleading: Wyden is correct that the GOP bill, known as the American Health Care Act, would allow insurance companies to charge older adults five times higher premiums than younger ones, compared to three times higher premiums under the existing law. However, it does not directly slash Medicaid benefits for nursing home residents. It proposes cutting Medicaid funding and giving states a greater say in setting their own priorities. States may, as a result, end up cutting services, jeopardizing nursing home care for poor seniors, advocates say, because it is one of the most expensive parts of the program.

His response: Taylor Harvey, a spokesman for Wyden, defended the statement, noting that the GOP health bill cuts Medicaid funding by $880 billion over 10 years and places a cap on spending. "Cuts to Medicaid would force states to nickel and dime nursing homes, restricting access to care for older Americans and making it a benefit in name only," he wrote.

Why his response is misleading: The GOP bill does not spell out how states make such cuts.

Representative Derek Kilmer (D-Washington) misleadingly said premiums would rise under the Obamacare replacement bill now being considered by the House.

What he wrote: "It's about the 24 million Americans expected to lose their insurance under the Trumpcare plan and for every person who will see their insurance premiums rise -- on average 10-15 percent."

Why it's misleading: First, the Congressional Budget Office did estimate that the GOP legislation would cover 24 million fewer Americans by 2026. But not all of those people would "lose their insurance." Some would choose to drop coverage because the bill would no longer make it mandatory to have health insurance, as is the case now.

Second, the budget office did say that in 2018 and 2019, premiums under the GOP bill would be 15-20 percent higher than they would have been under Obamacare because the share of unhealthy patients would increase as some of those who are healthy drop out. But it noted that after that, premiums would be lower than under the ACA.

His response: None.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


The Boston Keep ACA Rally on January 15 And Senator Warren's Remarks

Crowd gathering an hour before Boston healthcare rally. January 15, 2017.

On Sunday, January 15, 2017, I attended the healthcare rally in Boston at iconic Faneuil Hall. It was one of a dozen rallies around the United States. Several people spoke, including Boston Mayor Marty Walsh, U.S. Senator Elizabeth Warren, activist Sarah Grow, Carla Lievano, and U.S. Senator Edward Markey. The attendance was great and far exceeded the capacity of the auditorium inside Faneuil Hall, where the rally was originally planned.

The event continued outside with what I estimated to be at least five thousand people standing in the 27-degree Fahrenheit cold. This blog post contains several photographs I took. The photo on the right shows the crowd gathering more than an hour before the official 1:00 pm start of the rally.

Carla Lievano, a single mother whose family is on MassHealth, is worried about losing her health benefits if the Affordable Care Act is repealed. She said:

"I could lose my health benefits... I’m very low income. I don’t know how I would take care of [my daughter]..."

Senator Warren speaking at the January 15, 2017 healthcare rally in Boston.

Grow shared the story of her mother's battle against cancer, and how the Affordable Care Act (ACA, a/k/a Obamacare) saved her mother's life. Her mother was able to find a replacement plan under the ACA. Below is the transcript of Senator Elizabeth Warren's remarks (courtesy of the Boston Globe):

"For eight years, Republicans in Congress have complained about health care in America, heaping most of the blame on President Obama. Meanwhile, they’ve hung out on the sidelines making doomsday predictions and cheering every stumble, but refusing to lift a finger to actually improve our health care system.

The GOP is about to control the White House, Senate, and House. So what’s the first thing on their agenda? Are they working to bring down premiums and deductibles? Are they making fixes to expand the network of doctors and the number of plans people can choose from? Nope. The number one priority for congressional Republicans is repealing the Affordable Care Act and breaking up our health care system while offering zero solutions.

Their strategy? Repeal and run.

Many Massachusetts families are watching this play out, worried about what will happen — including thousands from across the Commonwealth that I joined at Faneuil Hall on Sunday to rally in support of the ACA. Hospitals and insurers are watching too, concerned that repealing the ACA will create chaos in the health insurance market and send costs spiraling out of control.

Health care reform in Massachusetts wasn’t partisan. Democrats, Republicans, business leaders, hospitals, insurers, doctors, and consumers all came together behind a commitment that every single person in our Commonwealth deserves access to affordable, high-quality care. When Republican Governor Mitt Romney signed Massachusetts health reform into law in 2006, our state took huge strides toward offering universal health care coverage and financial security to millions of Bay State residents.

That law was a major step forward. Today, more than 97 percent of Bay Staters are covered — the highest rate of any state in the country.

But Massachusetts still has a lot to lose if the ACA is repealed. One big reason for our state’s health care success is that we took advantage of the new opportunities offered under the ACA. In addition to making care more accessible and efficient, our state expanded Medicaid, using federal funds to help even more people. And we combined federal and state dollars to help reduce the cost of insurance on the Health Connector.

When the ACA passed, Massachusetts already had in place some of the best consumer protections in the nation. But the ACA still made a big difference. It strengthened protections for people in Massachusetts with pre-existing conditions, allowed for free preventive care visits, and — for the first time in our state — banned setting lifetime caps on benefits.

If the ACA is repealed, our health care system would hang in the balance. Half a million people in the Commonwealth would risk losing their coverage. People who now have an iron-clad guarantee that they can’t be turned away due to their pre-existing conditions or discriminated against because of their gender could lose that security. Preventive health care, community health centers, and rural hospitals could lose crucial support. In short, the Massachusetts health care law is a big achievement and a national model, but it also depends on the ACA and a strong partnership with the federal government.

If the cost-sharing subsidies provided by the ACA are slashed to zero, Massachusetts will have a tough time keeping down the cost of plans on the Health Connector. The state can’t make funds appear out of thin air to help families on the Medicaid expansion if Republicans yank away support. And our ability to address the opioid crisis will be severely hampered if people lose access to health insurance or if the federal funding provided through the Medicaid waiver disappears. Even in states with strong health care systems — states like Massachusetts — the ACA is critical.

The current system isn’t perfect — not by a long shot. There are important steps Congress could take to lower deductibles and premiums, to expand the network of doctors people can see on their plans, and to increase the stability and predictability of the market. We should be working together to make health care better all across the country, just like we’ve tried to do here in Massachusetts.

This doesn’t need to be a partisan fight. But if congressional Republicans continue to pursue repeal of the ACA with nothing more than vague assurances that they might — someday — think up a replacement plan, the millions of Americans who believe in guaranteeing people’s access to affordable health care will fight back every step of the way.

Repeal and run is for cowards."

Want to read more? Try these hashtags on social networking sites: #repealandrun #ourfirststand #savehealthcare #CareNotChaos. Below are more photos from Sunday's event in Boston.

Protester sign. Boston healthcare rally. 1/15/17

Protester sign at Boston healthcare rally. 1/15/17

Mayor Marty Walsh speaking at healthcare rally. 1/15/17

View from crowd at Boston healthcare rally. 1/15/17


Potential Security Issues Regarding the Internet of Things


[Editor's Note: today's blog post is by guest author Cassie Phillips, a technology blogger who developed a special interest in cybersecurity after her webcam was hacked. While she’s interested to see how the Internet of Things changes how we use technology, she is very concerned about all the risks it poses.]

By Cassie Phillips

Many people and organizations have raised concerns about the potential risks related to the Internet of Things (IoT). It turns out that they were right to be concerned. Last month, the France-based hosting provider OVH fell victim to an enormous distributed denial-of-service (DDoS) attack on the Minecraft servers that OVH was hosting.

DDoS attacks are attempts to make a resource (usually a website) inaccessible to its users through an inundation of requests, aiming to overburden the system. In the past, DDoS attacks were carried out by computers, with or without their owner’s consent. Hot Hardware reported:

“OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices… Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs.”

Before the attack on OVH, there was another DDoS attack on prominent internet security researcher Brian Krebs’ website. This attack was also carried out by IoT devices. Akamai Technologies Inc., a provider of security services worldwide for major companies, cut ties with Mr. Krebs because the DDoS attack on Krebs’ website was enormous. Josh Shaul, Akamai’s vice president, said it was the worst DDoS attack the company had ever seen.

These broad attacks prove that the IoT does pose a significant security risk. And DDoS attacks are by no means the only security risks that the IoT presents. Let’s look at what the IoT is, the risks it presents and, most importantly, how to ensure that any IoT devices you use are secure.

What Is the Internet of Things?
The IoT is the idea that any device can be designed to be able to connect to the internet and other devices. These devices include mobile phones, washing machines, refrigerators, coffee makers, televisions, home thermostats, motion sensors, headphones, Barbie dolls and baby monitors. There is no limit except the imagination.

There are even buildings, cars, and health-related implants (such as pacemakers) that can connect to the internet and to each other. All of these devices can exchange information and collect data, creating a huge pool of information and an enormous network.

What Risks Does the Internet of Things Pose?
As mentioned above, the IoT poses a few risks and concerns. There are four key risks associated with the IoT, the first being reliability. IoT devices are not necessarily reliable. While this may not be a crisis if the device in question is a refrigerator, it could be deadly if devices such as cars fail or are hacked.

The second major risk related to the IoT is privacy. Each device in a network of the IoT can collect and share data. As consumers, we don’t always know who gets this data and what it is used for. The data will almost certainly be used to track consumers’ behavior, allowing companies to target each consumer with tailor-made advertising. While this data probably won’t always be used for nefarious purposes, it can be used in a way that violates our right to privacy. According to Buzzfeed:

"'We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off,' said the anonymous mother. They tracked the IP address that had accessed their camera and discovered a website with 'thousands and thousands of pictures of cameras just like their own.' Anyone could use the site to access hacked cameras and monitors located in at least 15 different countries."

This leads to the third major risk associated with the IoT, namely security. Again, each of the IoT devices collects and transmits data. If these devices are hacked, criminals will have access to vast amounts of consumers' private information. Depending on the device, criminals can learn our routines, find out what valuables we keep in our homes, gain access to information about any security measures we use, and even collect sensitive information such as financial payment information.

Another security risk is the potential for hacking medical devices and implants. According to a report by the research and advisory firm Forrester, ransomware in medical devices is the single biggest cybersecurity threat for this year. Security researchers have already managed to hack into hospitals' networks, pacemakers and other medical devices. This puts people's lives at risk.

The potential for cyberattacks is the fourth major risk associated with the IoT. Because all these devices are connected, they have the potential to spread malware across homes and entire companies. However, the greatest risk lies in criminals’ ability to use our IoT devices in massive cyberattacks, such as the DDoS attack on OVH. Widespread vulnerabilities are only a few missteps away, and that is a seriously concerning fact.

How to Protect Yourself When Using IoT Devices
Given the risks listed above, it's vital that we as consumers learn to protect our devices, our homes, and ourselves. The following actions are all essential to your security when using IoT devices:

  • Carefully consider how much connectivity you need in your home and life. Then try to avoid any devices that unnecessarily connect to the internet. After all, you can always opt for a coffeemaker with a timer instead of one that connects to a mobile app on your phone.
  • If you do decide to buy an IoT device, be sure to find one with the best security features possible.
  • Read all the terms and conditions and privacy policies for any IoT device you intend to purchase. This will help you understand what data the device collects and what it does with the data.
  • When you buy an IoT device, change its default password immediately. This also applies to any IoT devices that you already own. Be sure to use strong passwords and manage them effectively.
  • Always keep the software on IoT devices up to date. Updates often contain essential bug fixes and security patches.
  • If your IoT device supports security software, install it. Don’t forget that your mobile phone and tablet count as IoT devices!
  • Use a reputable Virtual Private Network, such as one recommended by Secure Thoughts.
  • If your IoT device allows it, use encryption technology.
  • Switch off and unplug any IoT devices when you are not using them.
  • If your IoT device uses location data unnecessarily, turn it off if possible.
  • If your IoT device has a camera or monitor that you don’t think it needs, block the lens.

Conclusion
While it would be best if security features were built into the design of IoT devices, that’s not always the case. So it’s crucial that you implement the security ideas discussed above. Hopefully, we’ll start seeing a move toward creating an international standard for all IoT devices in the future.

Have you had any bad experiences with IoT devices? How do you think the technology is progressing? Share your thoughts in the comments section below.


FDA Releases Guidelines For Apps And Wearables For Fitness And Health

The U.S. Food and Drug Administration (FDA) released guidelines about mobile apps and wearable devices for health and fitness (Adobe PDF). The document states that it is intended to provide clarity for industry and FDA staff, and that it includes "nonbinding recommendations." The federal agency will not regulate mobile apps and wearables that promote general wellness or a healthy lifestyle and are classified as "low risk." The guidelines do not apply to products (e.g., drugs, biologics, dietary supplements, foods, or cosmetics) regulated by other FDA Centers or to combination products.

The FDA's Center For Devices and Radiological Health (CDRH) defines general wellness products as:

"... products that meet the following two factors: (1) are intended for only general wellness use, as defined in this guidance, and (2) present a low risk to the safety of users and other persons. General wellness products may include exercise equipment, audio recordings, video games, software programs and other products that are commonly, though not exclusively, available from retail establishments (including online retailers and distributors that offer software to be directly downloaded), when consistent with the two factors above."

The guidelines provide further definitions:

"A general wellness product, for the purposes of this guidance, has (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition. If the product’s intended uses are not limited to the above general wellness intended uses, this guidance does not apply."

The guidelines provide a list of general wellness health outcomes: weight management, physical fitness (including recreational uses), relaxation or stress management, mental acuity, self-esteem, sleep management, and sexual function.

Typically, regulation is used to ensure that products actually do what their manufacturers and developers claim they do. The guidelines specify which claims are general wellness claims (i.e., the FDA will not regulate them) and which claims are not (i.e., the FDA will continue to regulate them). General wellness claims include claims to:

  1. Promote or maintain a healthy weight, encourage healthy eating, or assist with weight loss goals;
  2. Promote relaxation or manage stress;
  3. Increase, improve, or enhance the flow of qi "energy;"
  4. Improve mental acuity, instruction following, concentration, problem solving, multitasking, resource management, decision-making, pattern recognition or eye-hand coordination;
  5. Enhance learning capacity;
  6. Promote physical fitness (e.g., log, track, or trend exercise activity, measure aerobic fitness, develop or improve endurance, strength or coordination);
  7. Promote sleep management (e.g., track sleep trends);
  8. Promote self-esteem;
  9. Address a specific body structure or function (e.g., increase or improve muscle size or body tone, enhance or improve sexual performance);
  10. Improve general mobility; and
  11. Enhance participation in recreational activities by monitoring the consequences (e.g., heart rate).

Some claims are categorized as "disease related." The new FDA guidelines list disease-related general wellness claims and how companies should reference those claims in product packaging and advertisements:

"A claim that a product will treat or diagnose obesity; a claim that a product will treat an eating disorder, such as anorexia; a claim that a product helps treat an anxiety disorder; a claim that a computer game will diagnose or treat autism; a claim that a product will treat muscle atrophy or erectile dysfunction; a claim to restore a structure or function impaired due to a disease or condition, e.g., a claim that a prosthetic device enables amputees to walk... disease-related general wellness claims should only be based on references where it is well understood that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition..."

Since the new FDA guidelines apply only to products categorized as "low risk," it is important to understand that definition:

"If the answer to any of the following questions is YES, the product is not low risk and is not covered by this guidance: 1) Is the product invasive? 2) Is the product implanted? 3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure? In assessing whether a product is low risk for purposes of this guidance, FDA recommends that you also consider whether CDRH actively regulates products of the same type as the product in question. For example, CDRH actively regulates external penile rigidity devices, which are devices intended to create or maintain sufficient penile rigidity for sexual intercourse, under 21 CFR 876.5020 as class II devices exempt from premarket notification with special controls..."

The guidelines listed examples of products that are low risk and those which are not. Products that are not low risk:

"Sunlamp products promoted for tanning purposes, due to risks to a user’s safety from the ultraviolet radiation, including, without limitation, an increased risk of skin cancer.

Implants promoted for improved self-image or enhanced sexual function. Implants pose risks to users such as rupture or adverse reaction to implant materials and risks associated with the implantation procedure.

A laser product that claims to improve confidence in user’s appearance by rejuvenating the skin. Although the claims of rejuvenating the skin and improving confidence in user’s appearance are general wellness claims, laser technology presents risks of skin and eye burns.

A neuro-stimulation product that claims to improve memory, due to the risks to a user’s safety from electrical stimulation.

A product that claims to enhance a user’s athletic performance by providing suggestions based on the results of relative lactic acid testing, when the product uses venipuncture to obtain the blood samples needed for testing. Such a product is not low risk because it is invasive (e.g., obtains blood samples by piercing the skin) and also because the product involves an intervention that may pose a risk to the safety of the user and other persons if specific regulatory controls are not applied (e.g., venipuncture may pose a risk of infection transmission)."

Companies and individuals can submit feedback to the FDA about these guidelines. See the guidelines document for instructions for submitting feedback. Fierce Healthcare reported:

"Epstein Becker Green health attorney Brad Thompson, who had previously commented to FierceHealthIT on the draft guidance, said in an email the final version "strikes the right balance between regulation and innovation... Over the intervening year and a half, I have talked to a lot of developers of wearable technologies and associated mobile apps and have used the draft guidance as a roadmap for how to assess FDA jurisdiction. I have found it to be extremely practical..."

A copy of the guidance document is also available here (Adobe PDF). What guidance or clarity does it provide for consumers? I guess not much regarding low risk apps and wearables. Consumers are on their own, so shop wisely and carefully. Whenever I read a document that describes itself as "nonbinding recommendations," that is worrisome.


Report: Significant Security Risks With Healthcare And Financial Services Mobile Apps

Arxan Technologies recently released its fifth annual report about the state of application security. This latest report also highlighted some differences between how information technology (I.T.) professionals and consumers view the security of healthcare and financial services mobile apps. Overall, Arxan found critical vulnerabilities:

"84 percent of the US FDA-approved apps tested did not adequately address at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. Similarly, 80 percent of the apps tested that were formerly approved by the UK National Health Service (NHS) did not adequately address at least two of the OWASP Mobile Top 10 Risks... 95 percent of the FDA-approved apps, and 100 percent of the apps formerly approved by the NHS, lacked binary protection, which could result in privacy violations, theft of personal health information, and tampering... 100 percent of the mobile finance apps tested, which are commonly used for mobile banking and for electronic payments, were shown to be susceptible to code tampering and reverse-engineering..."

Some background about the U.S. Food and Drug Administration (FDA). The FDA revised its guidelines for mobile medical apps in September, 2015. The top of that document clearly stated, "Contains Nonbinding Regulations." The document also explained which apps the FDA regulates (link added):

"Many mobile apps are not medical devices (meaning such mobile apps do not meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act)), and FDA does not regulate them. Some mobile apps may meet the definition of a medical device but because they pose a lower risk to the public, FDA intends to exercise enforcement discretion over these devices (meaning it will not enforce requirements under the FD&C Act). The majority of mobile apps on the market at this time fit into these two categories. Consistent with the FDA’s existing oversight approach that considers functionality rather than platform, the FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended. This subset of mobile apps the FDA refers to as mobile medical apps."

The Arxan report found that consumers are concerned about mobile app security:

"80 percent of mobile app users would change providers if they knew the apps they were using were not secure. 82 percent would change providers if they knew alternative apps offered by similar service providers were more secure."

Arxan commissioned a third party which surveyed 1,083 persons in the United States, United Kingdom, Germany, and Japan during November, 2015. 268 survey participants were I.T. professionals and 815 participants were consumers. Also, Arxan hired Mi3 to test mobile apps during October and November, 2015. Those tests included 126 health and financial mobile apps covering both the Apple iOS and Android platforms, 19 mobile health apps approved by the FDA, and 15 mobile health apps approved by the UK NHS.

One difference in app security perceptions between the two groups: 82 percent of I.T. professionals believe "everything is being done to protect my apps" while only 57 percent of consumers hold that belief. To maintain privacy and protect sensitive personal information, Arxan advises consumers to:

  1. Buy apps only from reputable app stores,
  2. Don't "jail break" your mobile devices, and
  3. Demand that app developers disclose upfront the security methods and features in their apps.

The infographic below presents more results from the consolidated report. Three reports by Arxan Technologies are available: consolidated, healthcare, and financial services.

Arxan Technologies. 5th Annual State of App Security infographic
Infographic reprinted with permission.


iFit Data Breach Exposes The Sensitive Information of More Than Half A Million Users

Plenty of stationary, mobile, and wearable devices -- including their apps -- collect and store consumers' sensitive personal data, including health information. The Data Breaches blog reported a breach involving the popular mobile fitness app, iFit, affecting as many as 576,274 users. A researcher discovered the breach on December 10.

The iFit app includes customizable workouts designed by fitness trainers. It is incorporated into wristbands, smart watches, and stationary exercise equipment such as NordicTrack. The stationary equipment includes treadmills, elliptical machines, strength-training machines, and exercise bikes used in homes and gyms. iFit also operates a wellness program with corporate partners for their employees.

The iFit Privacy policy provides a clear indication of the massive amount of data collected, archived, and reportedly exposed or stolen during this breach:

"... two types of information from users of our Site: "Personally Identifiable Information" which is information that can be used to locate you, contact you, or determine your specific identity (such as name, e-mail address, mailing address, phone number, user name, credit card information, etc.) and "Aggregate Information" which is information about your activities on the Site or in connection with the services that cannot be used to identify, locate, or contact you (such as frequency of visits to the Site, data entered when using the Site, gender, age, weight, height, food intake, activity level, interests, workout history and results, exercise equipment, Site pages most frequently accessed, browser type, links a User clicks, IP address, and other similar information)... When you register for an account (free or paid), we collect your name, a user name, a password, date of birth, current weight, target weight, height, gender, measurement system, activity level, fitness goal, intensity level, and the retail location where you purchased your iFit® equipment. When you use a credit card to pay for any of our services or products, we ask for your name, address, credit card and credit card-related information."

Besides archiving customers' exercise types, dates, times, geo-locations, and exercise durations, the app often calculates calories burned. All of this data would be immensely valuable to insurance firms, health care organizations, and others. The data elements exposed or stolen open the breach victims to financial fraud, medical fraud, stalking, and spam.

For consumers who either want to keep their exercise activity private or expect fitness app developers to secure and protect sensitive information the way health care organizations must, the data breach is a very troubling event. It is unclear whether breach victims are limited to the United States.

ICON Health and Fitness makes a lot of the exercise bikes, ellipticals, and strength-training equipment that use the iFit app.

At press time, a check of the iFit site and blog did not find any announcements of the breach. What are your opinions of the breach? Of the data collected? Of the company's post-breach response so far?


Update: FTC Complaint Against Weight-Loss Marketer For Allegedly Using "Gag Clauses"

After the U.S. Federal Trade Commission (FTC) filed a complaint against it for allegedly using gag clauses to silence negative online reviews by customers, Roca Labs, the weight-loss marketer, has responded. MediaPost's Daily Online Examiner reported:

"The company, which sells weight-loss products, argues in court papers filed earlier this month that the FTC lacks the power "to dictate the terms of private contracts between private parties." The company adds: "The FTC’s intention to ban all manner of anti disparagement clauses is overkill and appears to be a knee-jerk reaction to a particular practice of Roca Labs. ...The regulation of public comment through on-line reviews is a complicated and multi-faceted problem that must balance the rights of consumers and businesses in the ever-changing landscape of internet commerce." Roca filed its papers in response to the FTC's request for an injunction..."

Last Thursday, U.S. District Court Judge Mary Scriven in Florida issued an order granting the FTC's preliminary injunction to stop Roca Labs from silencing customers' online reviews. Yelp and other review sites sided with the FTC in a friend-of-the-court brief. Some reviewers posted information about the FTC complaint on the Roca Labs page within the Yelp site.

For review sites to be trustworthy, they must include positive, negative, and neutral reviews of products and services. What are your opinions of gag clauses?


FTC Sues Weight-Loss Marketer For Alleged Use Of "Gag Clauses," Threats, And Lawsuits To Prevent Negative Reviews By Customers

The U.S. Federal Trade Commission (FTC) filed a complaint in Federal court against a weight-loss marketer alleging:

"...  that Roca Labs, Inc.; Roca Labs Nutraceutical USA, Inc.; and their principals have sued and threatened to sue consumers who shared their negative experiences online or complained to the Better Business Bureau, stating that the consumers violated the non-disparagement provisions of the “Terms and Conditions” they supposedly agreed to when they bought the products. The FTC alleges that these gag clause provisions, and the defendants’ related warnings, threats, and lawsuits, harm consumers by unfairly barring purchasers from sharing truthful, negative comments about the defendants and their products."

Roca Labs Inc. is based in Sarasota, Florida. The complaint named both Don Juravin, President of Roca Labs Nutraceutical USA (RLNU) and owner of Roca Labs Inc. (RLI), and George C. Whiting, President, Secretary, Treasurer, and Director at RLI, as co-defendants. The websites operated by the defendants include RocaLabs.com, Mini-Gastric-Bypass.me, and GastricBypassNoSurgery.com.

I was curious what an alleged "gag clause" contains. The complaint listed one:

"You agree that regardless of your personal experience with RL, you will not disparage RL and/or any of its employees, products or services. This means that you will not speak, publish, cause to be published, print, review, blog, or otherwise write negatively about RL, or its products or employees in any way. This encompasses all forms of media, including and especially the internet. This paragraph is to protect RL and its current and future customers from the harm of libelous or slanderous content in any form, and thus, your acceptance of the [Terms] prohibits you from taking any action that negatively impacts RL, its reputation, products, services, management, or employees. We make it clear that RL and its Regimen may not be for everyone, and in that regard, the foregoing clause is meant to prevent “one person from ruining it for everyone.” Should any customer violate this provision, as determined by RL in its sole discretion, you will be provided with seventy-two (72) hours to retract the content in question. If the content remains, RL would be obliged to seek all legal remedies to protect its name, products, current customers, and future customers.

If you breach this Agreement, as determined by RL in its sole discretion, all discounts will be waived and you agree to pay the full price for your product. In addition, we retain all legal rights and remedies against the breaching customer for breach of contract and any other appropriate causes of action."

Wow! This is a stark reminder for consumers to read the terms and conditions policy at websites before purchasing online. And, it's always good to be aware of companies that allegedly use monetary threats, lawsuits, and "gag clauses" to discourage consumers from exercising their First Amendment rights. Some physicians have tried to curtail patients' rights with a "mutual agreement to maintain privacy" document.

Download the complaint (Adobe PDF): FTC v. Roca Labs Inc. et al.


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company we have never done business with. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of their sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected. Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May, 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and if so, how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014 and that second employer used the Humana Wellness (e.g., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees that were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra; and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to register, and did not register, for health care through this second employer. My wife's situation is not unique, since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation with people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends data about all employees to their health care vendor (without an opt-out mechanism), more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared would include only employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and there is less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers opens those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. Since eligibility-file-sourced data is archived, you don't have to be a health care plan subscriber or patient for your data to move with the company.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over either their medical or their personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We want to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

In a separate case, a class-action was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including Court Ventures, a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.


Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach in which unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June. MIE began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach stated:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible from a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and
  • Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
CMMC
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MedPartners
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
myhealthnow
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra or NoMoreClipboard by name. The notice she received listed the following patient information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in plaintext or encrypted? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items were repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement on the site saying whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify their EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify a breach notice received from a vendor. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not just one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?


Less Competition. Consumers Pay More And Get Less

Business leaders and economists like to promote the idea of a free marketplace, where there is plenty of competition and consumers get more benefits, such as lower prices and more choice. So, are consumers getting a good deal? The facts suggest not.

On Monday, April 27, former U.S. Labor Secretary and professor Robert Reich posted the following:

"We’re paying more and getting less because giant companies face less and less competition. For example:

1. U.S. airlines have consolidated into a handful of giant carriers that divide up routes and collude on fares. In 2005 the U.S. had nine major airlines. Now we have just four.

2. 80% of Americans are served by just one Internet Service Provider – usually Comcast, AT&T, or Time-Warner.

3. The biggest banks have become far bigger. In 1990, the five biggest held just 10% of all banking assets. Now the biggest five hold almost 45%.

4. Monsanto owns the key genetic traits in more than 90% of the soybeans and 80% of the corn planted by U.S. farmers.

5. Giant health insurers are larger; the giant hospital chains, far bigger; the most powerful digital platforms (Amazon, Facebook, Google), gigantic.

Whatever happened to antitrust enforcement?"

There are more examples. Here in the Northeast, EverSource, a publicly-traded utility holding company, provides residential energy services in Connecticut, Massachusetts, and New Hampshire. EverSource was created when Northeast Utilities merged with NSTAR Electric & Gas. Northeast Utilities included Connecticut Light & Power, Public Service of New Hampshire, Western Massachusetts Electric, and Yankee Gas. Earlier this year, electricity rates in Boston went from 29 percent above the national average to 63 percent above it in February.

What are your opinions? What consolidation examples come to mind? Are we consumers getting a good deal, or are we getting screwed?


Survey: Almost Half Of Respondents Are Concerned About Data Breaches At Health Care Providers

There have been several high-profile data breaches recently at health care providers. You've probably heard about them, including the massive breach at Anthem that affected 80 million patients. Earlier this month, Software Advice released the results of an online survey. It found:

"...45 percent of patients surveyed are “very” or “moderately concerned” about a security breach (which we defined as their medical records and/or insurance information being accessed without their consent, and potentially resulting in identity theft). We also asked the 45 percent who are very or moderately concerned to list the reasons behind their level of concern... The highest percentage of respondents (47 percent) say they are concerned about becoming the victim of fraud or identity theft."

When criminals use stolen health care credentials, it is usually to obtain expensive treatments under the victim's name and/or to obtain prescription drugs. The victims are often liable for any co-payments. Experts warn that resolving medical identity fraud can be costly and time-consuming, and can require plenty of effort and expertise, since the victim's medical records have been corrupted with the thief's medical and health information.

The researchers surveyed 243 people. The survey explored how patients' security concerns affect their relationships with their physicians:

"... we asked respondents whether data security concerns lead them to withhold personal health information from their doctors. We defined “personal health information” as including their own (or their family’s) prescription, mental illness and substance abuse history. While the majority of our sample (79 percent) say this “rarely or never” happens, it is significant (and unfortunate) that 21 percent of patients withhold personal information from their physicians specifically because they are concerned about a security breach."

That equals one in every five patients withholding personal information. And, there's more. Many patients fail to read the privacy notices from their physicians or health care providers:

"... we wanted to see how many actually read the Notice of Privacy Practices (NPP) at their doctors’ offices. NPPs are written explanations of how a provider may use and share health information, and how patients can exercise their privacy rights. Patients usually get NPPs (which typically look like this) during their first visit to a health care provider. HIPAA requires NPPs be presented to all patients, but patients do not necessarily have to read or sign the forms. In fact, 44 percent of our sample tell us they “rarely or never” read NPPs all the way through before signing, and 3 percent simply “never sign” them."

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are laws enacted to protect patients' privacy and medical information. The HIPAA law specifies which health care providers and entities (e.g., "covered entities," "business associates," "subcontractors") are required to comply with HIPAA privacy and data security requirements. The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site.

So, too many consumers (and especially teenagers) have a bad habit of ignoring privacy policies at health care providers, just as they ignore privacy policies at websites in general. (Granted, the legalese makes most privacy policies difficult to understand. And, many mobile app developers avoided publishing privacy policies, until forced to do so.) That must change because consumers are only hurting themselves.

Another key finding from the survey:

"... 54 percent of respondents say they would be “very” or “moderately likely” to change providers as a result of their personal health information being accessed without their permission. Digging deeper, we asked patients in that 54 percent if there would be anything their provider could do to retain them in spite of a breach... While 28 percent say there is nothing their provider could do that would convince them to stay, the greatest percentage of our respondents (37 percent) would stick with their doctor if they provided specific examples of how the practice’s security policies and procedures had improved after the breach."

Patients were especially likely to switch health care providers if the breach was caused by staff members. Good. It's one way to hold health care providers accountable when they fail to protect patients' sensitive medical information. And, good data security and privacy makes for good health care practices. After a data breach, it is even more important for health care providers to perform explicit actions to regain patients' trust.

Informed consumers know that their medical information is very valuable to criminals. How valuable? The Pittsburgh Post-Gazette reported:

"The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud... Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care... Hackers also can comb through clinical information, looking for material to blackmail wealthy or powerful patients..."

The newspaper described the troubling history and increasing number of data breaches in the health care industry:

"In 2011 and 2012, combined, there were 458 big breaches involving a total of 14.7 million people, according to the federal Department of Health and Human Services. In 2013 and 2014, there were 528 involving 19 million people. Around 10 percent of breaches stem from hacking, while around half are physical thefts of records or computers. The rest are inadvertent losses, unauthorized disclosures or improper disposals of health information."

You can browse details about many of those breaches in this blog. Select "Medical Fraud" or "Health Care/EHR" in the categories tag cloud on the right.

Another privacy threat for consumers is when non-covered entities, like social networking websites and fitness apps, collect medical and health information. Consumers don't realize that when they share personal medical information with non-covered entities, they lose HIPAA privacy and data security protections.

Who are these non-covered entities? The Privacy Rights Clearinghouse website provides a good description of HIPAA Basics, including:

"Here are just a few examples of those who aren’t covered under HIPAA but may handle health information: life and long-term insurance companies; workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities); agencies that deliver Social Security and welfare benefits; automobile insurance plans that include health benefits; search engines and websites that provide health or medical information and are not operated by a covered entity; marketers; gyms and fitness clubs; direct to consumer (DTC) genetic testing companies; many mobile applications (apps) used for health and fitness purposes; those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions; certain alternative medicine practitioners; most schools and school districts; researchers who obtain health data directly from health care providers; most law enforcement agencies; many state agencies, like child protective services; courts, where health information is material to a case"

So, the next time you hear a corporate apologist claim that breaches at health care providers don't matter, you now know how ridiculous that claim is. Breaches matter to patients. Hence, they matter. Period. No excuses. If health care entities archive data in cloud services, they'd better protect it and commit sufficient resources. Smart health care providers listen to their patients' needs. Woe to those that don't.

What are your opinions of the survey?


Anthem Breach Update: Free Services For Consumers Affected, Class Action Lawsuits

Anthem, Inc. has announced that it will provide 24 months of free identity-theft repair and credit monitoring services to victims of the health care insurer's massive data breach announced on Friday, February 6, 2015. In its latest announcement, Anthem stated that breach victims include both current and former customers going as far back as 2004. It also said:

"This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, Unicare and HealthLink. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Virginia, and Wisconsin."

Founded in 2004, AllClear ID, Inc. is headquartered in Austin, Texas. In 2012, Debix changed its company name to AllClear ID. Experts predict that the data breach could cost Anthem $100 million or more. Earlier this month, the Attorneys General in 10 states sent a joint letter to Anthem urging it to step up its post-breach response and notices to breach victims. Connecticut Attorney General George Jepsen said on February 10:

"My office has been flooded with phone calls from concerned Connecticut residents who are frustrated with the lack of information from Anthem, and their feelings are completely justified... Anthem started out well by publicly disclosing the breach relatively quickly, but its subsequent delay in providing information to affected individuals is flatly unacceptable."

Attorneys general from Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island signed the joint letter. On February 11, John Shegerian, Chairman and CEO of Electronic Recyclers International (ERI), warned health care companies to better protect consumers' sensitive information:

"This is more than a simple invasion of privacy, although it is that as well... With the theft of medical records comes a whole new host of problems and concerns, perhaps even worse than other forms of cybercrime. Whereas credit card fraud may be corrected in a relatively straightforward manner, it can be tougher to identify that medical data has been breached. Maximum insurance payout limits may be reached as a result of fraudulent claims, and this might only be discovered when a consumer's claims for legitimate services are denied. Plus, there’s the problem that people’s private health information and medical records are out there and vulnerable, which undoes everything the HIPAA Privacy Rules were designed to protect."

ERI processes the electronic waste produced by health care and other companies. Several class-action lawsuits have already been filed:

  • Aswad Hood v. Anthem, Inc., No. 2:15-cv-00918 (Adobe PDF). Filed Feb. 9, 2015. U.S. District Court, Central District of California
  • Samantha Kirby v. Anthem Inc. et al., No. 2:15-cv-00820. Filed Feb. 5, 2015. U.S. District Court, Central District of California
  • Danny Juliano v. Anthem Inc., No. 2:15-cv-00219. Filed Feb. 5, 2015. U.S. District Court, Northern District of Alabama.

Anthem has arranged for services provided by AllClear ID. No enrollment is necessary. Breach victims who have already experienced fraud and financial theft receive the free AllClear Secure identity repair service. To use these services:

"... call 877-263-7995 and a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition. Call centers are open Monday to Saturday from 9 a.m. to 9 p.m. ET. From Monday, Feb. 16 to Friday, Feb. 20, the call center will be open extended hours from 9 a.m. to 11 p.m. ET."

Breach victims who also want the AllClear PRO credit monitoring and insurance services should call 877-263-7995 or enroll online at https://anthem.allclearid.com/. Some breach victims are children under the age of 18. Anthem has also arranged for AllClear ID ChildScan services. See the Anthem Breach FAQ page for details.


Massive Data Breach At Anthem Affects 80 Million People. Latest In A Series Of Incidents

On Friday, Anthem, Inc. announced that identity thieves had gained unauthorized access to its computer network and stolen the sensitive personal information of patients and staff. Joseph R. Swedish, the President and CEO, stated in a letter to its members that the data elements compromised included personal information about:

"... current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data... Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."

Affected patients were members of the following health care plans: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare. BlueCard members were also affected. While the Anthem breach notice did not mention 80 million affected patients, several news sources reported that statistic, including the Los Angeles Times and Forbes.

Anthem said it took steps to fix and close the data breach. It contacted the Federal Bureau of Investigation (FBI), and hired Mandiant, a reputable computer security firm, to evaluate its computer systems, networks, and data security processes. The health care provider launched the Anthem Facts website to keep members informed about the data breach and answer many questions. The site includes Mr. Swedish's breach notification letter. Members with questions can call the health care provider at 1-877-263-7995.

This is a massive data breach, and it is bad news for several reasons. First, the data elements stolen are sufficient to allow criminals to commit financial fraud using the victims' identities. To the good, Anthem stated it will contact affected members and provide free credit monitoring services. However, the health care company's announcement did not state the number of years of complimentary credit monitoring services. Many companies provide one or two years, even though the stolen information retains value for a far longer period.

Second, since e-mail addresses and names were stolen, breach victims are at risk of receiving e-mail spam and phishing attacks as the hackers resell the stolen data to other criminals worldwide. The FAQ page on the Anthem Facts site acknowledged this risk and advised members to:

"... be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem. DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open, if you have clicked on a link in email. DO NOT open any attachments that arrive with email."

Anthem also confirmed this in several tweets:

[Image: Anthem tweets about phishing]

Opening e-mail attachments from unknown persons can install computer viruses and malware on your desktop, laptop, tablet, or smart phone. So, it is wise to learn how to spot phishing e-mails. There is plenty of information in this blog.

Third, security experts are concerned that Anthem applied data encryption only to information in transit and not while it was "at rest" and stored in databases. Forbes reported:

"Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information... The Health Insurance Portability and Accountability Act, known more commonly under its acronym “HIPAA,” doesn’t require health care companies to encrypt such data."

Fourth, it is good that Anthem has hired a reputable, skilled computer security firm to help it understand exactly how the breach occurred and then apply the necessary fixes. After studying several breaches and companies' post-breach actions during the 7+ years I've written this blog, I've noticed that post-breach fixes don't happen quickly. The breach investigation takes time. Hence, you see in the announcement cautious words, such as "Based upon what we know now." The fixes often include a mixture of technical solutions and staff training. During the coming months we will see how transparent Anthem will be with sharing data about the breach and the fixes it applies to its networks, computers, and staff training.

The fact is: there is nothing to stop criminals from repeatedly attacking the company's networks. Hopefully, Anthem will implement fixes quickly enough and thoroughly enough to both identify and thwart future attacks.

Fifth and perhaps more troubling is the history of data breaches at Anthem. Anthem, Inc. was formed in 2004 with the merger of Anthem and WellPoint Health Networks. The company changed its name from WellPoint to Anthem in 2014. A March 2008 WellPoint breach affected 130,000 patients and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.

In 2011, Wellpoint settled data security allegations with the State of Indiana Attorney General after a data breach during 2009-10 affected 32,000 Indiana residents. A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide. Wellpoint made a $100,000 payment to the state.

In 2013, WellPoint paid $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules:

"The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule."

Sixth, in its breach notice, Mr. Swedish said:

"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data... I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."

The health care company's history suggests otherwise. Safeguarding patients' data may not be a top priority. An apology is nice, but actions speak louder than words. In 2012, Anthem settled a lawsuit with the Office of the California Attorney General. Terms of the settlement included a $150,000 payment, technical fixes to its computer networks, restricting access only to certain employees, and data-security training of all employees. Anthem allegedly printed Social Security numbers on letters it mailed to more than 33,000 persons between April 2011 and March 2012; a clear privacy and data security no-no. The lawsuit claimed that this practice violated state law prohibiting the disclosure of Social Security numbers. After that 2012 breach, Anthem offered affected members one year of free credit monitoring services.

The latest data security lapse at Anthem/WellPoint causes one to wonder if data security is truly a top priority, if the state-of-the-art systems Mr. Swedish described have truly kept pace with Internet and software developments, and if adequate employee training about data security stopped after terms of the 2012 settlement were fulfilled.

While writing this blog, I have learned that identity criminals are both creative and persistent. The "bad guys" possess the same computer skills and equipment as the "good guys." In my opinion, repeated security lapses will stop only when company executives go to prison. Fines are not enough.

What are your opinions of the Anthem breach? Of the company's statements and actions so far? If you receive a breach notice from Anthem, please share details (but exclude any information that would further compromise the security of your personal information).


Ebola And Leading Death Causes Highlight Bigger Issues Facing the USA

The Ebola virus disease has been in the news. And, everyone seems worried. We all may be worried about the wrong stuff. ProPublica reported in September 2013:

"... a study in the current issue of the Journal of Patient Safety that says the numbers may be much higher — between 210,000 and 440,000 patients each year who go to the hospital for care suffer some type of preventable harm that contributes to their death, the study says. That would make medical errors the third-leading cause of death in America, behind heart disease, which is the first, and cancer, which is second."

I'll bet you didn't know that so many people die every year from medical errors. Below is the ranked list of causes of death in the U.S.A. in 2011, published by the Centers for Disease Control and Prevention (CDC):

  1. Heart disease: 596,577
  2. Cancer: 576,691
  3. Chronic lower respiratory diseases: 142,943
  4. Stroke (cerebrovascular diseases): 128,932
  5. Accidents (unintentional injuries): 126,438
  6. Alzheimer's disease: 84,974
  7. Diabetes: 73,831
  8. Influenza and Pneumonia: 53,826
  9. Nephritis, nephrotic syndrome, and nephrosis: 45,591
  10. Intentional self-harm (suicide): 39,518

At 440,000 deaths per year, medical errors easily capture the number 3 spot. As bad as this is, sadly there is more.

On Friday October 17, professor and former U.S. Labor Secretary Robert Reich posted on his Facebook page (link added):

"The failures at Dallas Presbyterian Hospital reflect a much bigger problem. According to the US Centers for Disease Control and Prevention, hospital-acquired infections now affect one in 25 patients, causing 99,000 deaths each year. That’s 1 out of 4 deaths in hospitals -- more deaths than caused by many of the conditions that lead patients to enter hospitals in the first place..."

Hence, a more accurate ranked list of leading causes of death would include both medical errors and hospital-acquired infections:

  1. Heart disease: 596,577
  2. Cancer: 576,691
  3. Medical errors: 440,000
  4. Chronic lower respiratory diseases: 142,943
  5. Stroke (cerebrovascular diseases): 128,932
  6. Accidents (unintentional injuries): 126,438
  7. Hospital-acquired infections: 99,000
  8. Alzheimer's disease: 84,974
  9. Diabetes: 73,831
  10. Influenza and Pneumonia: 53,826
  11. Nephritis, nephrotic syndrome, and nephrosis: 45,591
  12. Intentional self-harm (suicide): 39,518

With existing death causes like these, the calls by politicians to ban flights from West Africa seem to miss the point. So much for American exceptionalism. Mr. Reich explored the problem further:

"... hospital administrators don’t have much incentive to improve. Most people have no idea of the infection rate at any given hospital, and don’t ask their doctors. If a hospital’s infection rate goes down the hospital doesn’t get more patients, and if it goes up the hospital doesn’t get fewer. (In fact, it might even make money because it can then increase its billing.) Bottom line: The CDC should require hospitals to report their infection rates into a common database that you have access to, and you should consult it before choosing a hospital for yourself or a loved one."

Now, that proposal makes sense. It allows consumers to make informed decisions about where to seek health care.

What are your opinions of the leading causes of death? Is the country focused on the right problem? Have you asked your physician about hospital infection rates?