I've Been Mugged Blog

Last week, UPS announced an expansion of its B2B drone delivery program titled UPS Flight. The expansion included three items focused upon the healthcare industry. First, UPS began a:

"... new drone delivery service in support of the University of Utah Health hospital campuses, in partnership with Matternet. The University of Utah campus program will involve drone deliveries of samples and other cargo, similar to the program originally introduced at WakeMed Hospital in North Carolina."

The second item included and agreement with:

"... with CVS Health to develop a variety of drone delivery use cases for business-to consumer applications. The program will include evaluation of delivery of prescriptions and retail products to the homes of CVS customers."

The third item included a partnership:

"... with wholesale pharmaceutical distributor AmerisourceBergen... The collaboration will initially deploy the UPS Flight Forward drone airline to transport certain pharmaceuticals, supplies and records to qualifying medical campuses served by AmerisourceBergen across the United States, with plans to then expand its use to other sites of care."

UPS Chief Strategy and Transformation Officer Scott Price said:

“When we launched UPS Flight Forward, we said we would move quickly to scale this business – now the country’s first and only fully-certified drone airline... We started with a hospital campus environment and are now expanding scale and use-cases. UPS Flight Forward will work with new customers in other industries to design additional solutions for a wide array of last-mile and urgent delivery challenges.”

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which discusses trends in cyberattacks and data breaches. It is reprinted with permission.]

By Renee Dudley, ProPublica

On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.

But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.

“The second it happened, they ghosted everybody,” she said. “They didn’t give us a heads up.”

A week later, PM sent an email to clients. “Due to the size and scale of the attack, we are not optimistic about the chances for a full or timely recovery,” it wrote. “At this time we must recommend you seek outside technical assistance with the recovery of your data.”

On July 22, PM notified clients in an email that it was shutting down, “in part due to this devastating event.” The contact phone number listed on PM's website is disconnected, and the couple that managed the firm did not respond to messages left on their cellphones.

The attack on the dental clinics illustrates a new and worrisome frontier in ransomware — the targeting of managed service providers, or MSPs, to which local governments, medical clinics, and other small- and medium-sized businesses outsource their IT needs. While many MSPs offer reliable support and data storage, others have proven inexperienced or understaffed, unable to defend their own computer systems or help clients salvage files. As a result, cybercriminals profit by infiltrating dozens of businesses or public agencies with a single attack, while the beleaguered MSPs and their incapacitated clients squabble over who should pay the ransom or recovery costs.

Cost savings are the chief appeal of MSPs. It’s often cheaper and more convenient for towns and small businesses with limited technical needs to rely on an MSP rather than hire full-time IT employees. But those benefits are sometimes illusory. This year, attacks on MSPs have paralyzed thousands of small businesses and public agencies. Huntress Labs, a Maryland-based cybersecurity and software firm, has worked with about three dozen MSPs struck by ransomware this year, its executives said. In one incident, 4,200 computers were infected by ransomware through a single MSP.

Last month, hackers infiltrated MSPs in Texas and Wisconsin. An attack on TSM Consulting Services Inc. of Rockwall, Texas, crippled 22 cities and towns, while one on PerCSoft of West Allis, Wisconsin, deprived 400 dental practices around the country of access to electronic files, the Wisconsin Dental Association said in a letter to members. PerCSoft, which hackers penetrated through its cloud remote management software, said in a letter to victims that it had obtained a key to decrypt the ransomware, indicating that it likely paid a ransom. PerCSoft did not return a message seeking comment.

TSM referred questions about the Texas attack to the state’s Department of Information Resources, which referred questions to the FBI, which confirmed that the ransomware struck the towns through TSM. One of the 22 Texas municipalities has been hit by ransomware twice in the past year while using TSM’s services.

FBI spokeswoman Melinda Urbina acknowledged that MSPs are profitable targets for hackers. “Those are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public,” she said.

Beyond the individual victims, the MSPs’ shortcomings have a larger consequence. They foster the spread of ransomware, one of the world’s most common cybercrimes. By failing to provide clients with reliable backups or to maintain their own cybersecurity, and in some cases paying ransoms when alternatives are available, they may in effect reward criminals and give them an incentive to strike again. This year, ProPublica has reported on other industries in the ransomware economy, such as data recovery and insurance, which also have enriched ransomware hackers.

To get inside MSPs, attackers have capitalized on security lapses such as weak passwords and failure to use two-factor authentication. In Wisconsin and elsewhere, they also have exploited vulnerabilities in “remote monitoring and management” software that the firms use to install computer updates and handle clients’ other IT needs. Even when patches for such vulnerabilities are available, MSPs sometimes haven’t installed them.

The remote management tools are like “golden keys to immediately distribute ransomware,” said Huntress CEO Kyle Hanslovan. “Just like how you’d want to push a patch at lightning speed, it turns out you can push out ransomware at lightning speed as well.”

Otherwise, the hacker may spread the ransomware manually, infecting computers one at a time using software that normally allows MSP technicians to remotely view and click around on a client’s screen to resolve an IT problem, Hanslovan said. One Huntress client had the “record session” feature of this software automatically enabled. By watching those recordings following the attack, Huntress was able to view exactly how the hacker installed and tracked ransomware on the machines.

In some cases, Hanslovan said, MSPs have failed to save and store backup files properly for clients who paid specifically for that service so that systems would be restored in the event of an attack. Instead, the MSPs may have relied on low-cost and insufficient backup solutions, he said. Last month, he said, Huntress worked with an MSP whose clients’ computers and backup files were encrypted in a ransomware attack. The only way to restore the files was to pay the ransom, Hanslovan said.

Even when backups are available, MSPs sometimes prefer to pay the ransom. Hackers have leverage in negotiations because the MSP — usually a small business itself — can’t handle the volume of work for dozens of affected clients who simultaneously demand attention, said Chris Bisnett, chief architect at Huntress.

“It increases the likelihood that someone will pay rather than just try to fix it themselves,” Bisnett said. “It’s one thing if I have 50 computers that are ransomed and encrypted and I can fix them. There’s no way I have time to go and do thousands of computers all at the same time when I’ve got all these customers calling and saying: ‘Hey, we can’t do any business, we’re losing money. We need to be back right now.’ So the likelihood of the MSP just saying, ‘Oh I can’t deal with this, let me just pay,’ goes up.”

Because there are so many victims, the hacker can make a larger ransom demand with greater confidence that it will be paid, Hanslovan said. Attacking the MSP “gives you hundreds or even thousands more computers for the same cost of infection,” he said. The “support cost of negotiating the ransom is low” since the attacker typically corresponds with the MSP rather than its individual clients.

Before this year’s ransomware spree, MSPs were susceptible to other kinds of cybercrime. Last October, the U.S. Department of Homeland Security warned in an alert about attacks on MSPs for “purposes of cyber espionage and intellectual property theft.” It added that “MSPs generally have direct and unfettered access to their customers’ networks,” and that “a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

The first spate of ransomware attacks on MSPs, early this year, deployed what is called the GandCrab strain. Then, in an online hacking forum, the hackers behind GandCrab announced their retirement in May. After that, another strain of ransomware known as Sodinokibi ransomware sprung up and began targeting MSPs.

Sodinokibi ransom amounts are “scaled to the size of the organization and the perceived capacity to pay,” according to Connecticut-based Coveware, which negotiates ransoms for clients hit by ransomware. Sodinokibi will not run on systems that use languages including Russian, Romanian and Ukrainian, according to security firm Cylance, possibly because those are native languages for hackers who don’t want to draw the attention of local law enforcement.

Sodinokibi was the strain used in the attack on TSM Consulting Services that encrypted the computers of 22 Texas municipalities, leaving them unable to fulfill tasks such as accepting online payments for water bills, providing copies of birth and death certificates and responding to emails. Most of the towns have not been publicly identified. More than half have returned to normal operations, the Texas Information Resources Department said in an update posted on its website. The hackers sought millions of dollars. The department is "unaware of any ransom being paid in this event," according to the update.

TSM began operations in 1997, and it provides equipment and support to more than 300 law enforcement agencies in Texas, according to its website. It is unclear why the 22 municipalities, and not TSM’s other clients, were affected by the August attack.

One of the 22 Texas municipalities hit last month was Kaufman, a city about 30 miles southeast of Dallas. An attack last November on Kaufman, which forced its police department to cease normal operations, was mentioned in a ProPublica article about two data recovery firms that purported to use proprietary technology to disable ransomware but in reality often just paid the attackers. TSM had enlisted one of the firms, Florida-based MonsterCloud, to help Kaufman recover from the November intrusion.

MonsterCloud waived its fee in exchange for a video testimonial featuring the Kaufman police chief, the president of TSM and the TSM technician who worked with Kaufman. In the testimonial, TSM technician Robby Pleasant said that the attackers had “reset everyone’s password, including the administrator,” and that the data “was locked up and not functioning.” Pleasant said in the video that MonsterCloud was able to “recover all the data” and “saved the day.”

“They can come in and recover even if someone does find a hole in our armor,” Pleasant said in the video.

Last month, attackers again found a hole in TSM’s armor. Using a third-party software vendor, rather than TSM, Kaufman had strengthened its backup system since the first attack, so it was able to restore much of the lost data, City Manager Michael Slye said. Kaufman’s computer systems were down for 24 hours, and the city handled municipal business such as writing tickets and taking payments on paper during that time, Slye said.

But backup safeguards were less effective for Kaufman’s police department, which uses a different type of software than other city offices, Slye said. The department’s dashcam video storage lost months of footage, and it still isn’t working, he said.

“It was not a fun experience to get this twice,” he said.

A TSM employee who declined to be named said the November attack may have been caused by “someone clicking on a bad email. We don’t have definitive information on that. We went into recovery mode immediately.”

PM Consultants, the Oregon provider of IT services to dental clinics, was run by a husband and wife, Charles Gosta Miller and Ava Piekarski, out of their home, according to state records. The firm didn’t employ enough technicians, said Cameron Willis, general manager of Dentech LLC in Eugene, Oregon, which took on many of PM’s former clients. Some former PM clients have complained to Willis that it was unresponsive to their requests for help, he said.

“A lot of dental office facilities don’t want to spend the money on IT infrastructure the way they should,” and they lack the technical know-how to vet providers, Willis said. They “don’t know any better. They don’t have the time to research. If you have someone who does provide some service, it’s very, very easy to see how some of the fly-by-nights would attract such a large clientele. ... When one office finds something that works, they scream it to the hills.”

In the July 22 email announcing its closure, PM said it had been “inundated with calls” on the morning of the ransomware attack, “and we immediately started investigating and trying to restore data. Throughout the next several days and into the weekend, we worked around the clock on recovery efforts. ... However, it was soon apparent the number of PC’s that needed restoration was too large for our small team to complete in any reasonable time frame.” The company was also “receiving hundreds of calls, emails and texts to which we were unable to respond.”

PM said that it had retained counsel to “assist with recovery of any available insurance, payment and billing proceeds,” and that it would be “sending out final invoices in the next two weeks.” Its formal dissolution, it continued, “will include an option to submit a claim” against the company.

Austin Covington, director of Lower Columbia Oral Health, a Longview, Washington, clinic affected by the attack, said it plans to take legal action against PM and declined to comment further. Other victims have not been publicly identified.

Some dentists “did not lose any data” because they had good backup files, Willis said. “Some clients lost some. Some lost a lot.” He doesn’t know whether clients paid ransoms, he said.

Dentech takes a different approach than PM did, Willis said. To prevent ransomware and other breaches, even its own staff has limited access to the remote management software favored by hackers, he said. It has 14 technicians, who often handle services such as software updates in person, he said. Dentech requires clients to use best practices, Willis said. If they decline, the firm requires them to sign a waiver releasing Dentech of liability in case of ransomware or other data loss.

Without such explicit terms, it’s often unclear whether the MSP or its clients are responsible for paying ransoms or recovery costs associated with an attack. Chris Loehr, executive vice president of Texas-based Solis Security, which helps victims negotiate ransom payments, was called in when GandCrab ransomware struck an MSP and encrypted some of its clients’ backup files several months ago. The MSP paid the ransom only for those that used its data backup service, which had failed, Loehr said. Clients who did not buy the backup service had to decide themselves whether to pay the ransom.

This summer, in a separate incident, Loehr negotiated with hackers on behalf of a New York-based MSP that was hit by Sodinokibi ransomware. The MSP didn’t want to pay the total ransom of about $2 million in bitcoin to unlock the files of all its clients, who were primarily architectural and engineering firms. Instead, each of the 200 affected clients was left to decide whether to pay about $10,000 in bitcoin. The MSP’s owner refused for legal reasons; he was worried that, if he was sued over the attack, a payment might be construed as an admission of fault, Loehr said.

The preponderance of low-quality MSPs has fostered the current ransomware onslaught, Loehr said. He noted that little experience or funding is needed to open an MSP; the barriers to entry are few.

“The startup costs are low,” Loehr said. “It doesn’t take much. The way the MSP world works, it’s not like you have to go out and buy $1 million of software. You can operate out of your house. These guys charge their clients up front. There is little cash flow to get this stuff off the ground.”

“Every IT guy thinks he can do this,” Loehr said. “‘Hey, I’m a technology guy.’

“No.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

[Editor's note: today's guest blog post, by reporters at ProPublica, explores data security issues within the healthcare industry and its outsourcing vendors. It is reprinted with permission.]

By Jack Gillum, Jeff Kao and Jeff Larson - ProPublica

Medical images and health data belonging to millions of Americans, including X-rays, MRIs and CT scans, are sitting unprotected on the internet and available to anyone with basic computer expertise.

The records cover more than 5 million patients in the U.S. and millions more around the world. In some cases, a snoop could use free software programs — or just a typical web browser — to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

We identified 187 servers — computers that are used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers and mobile X-ray services.

The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company’s cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies.

"It’s not even hacking. It’s walking into an open door," said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security. Some medical providers started locking down their systems after we told them of what we had found.

Our review found that the extent of the exposure varies, depending on the health provider and what software they use. For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients — all by typing in a simple data query. Their dates of birth, doctors and procedures were also included.

Alerted by ProPublica, MobilexUSA tightened its security earlier this month. The company takes mobile X-rays and provides imaging services to nursing homes, rehabilitation hospitals, hospice agencies and prisons. "We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation," MobilexUSA’s parent company said in a statement.

Another imaging system, tied to a physician in Los Angeles, allowed anyone on the internet to see his patients’ echocardiograms. (The doctor did not respond to inquiries from ProPublica.) All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers.

Experts say it’s hard to pinpoint who’s to blame for the failure to protect the privacy of medical images. Under U.S. law, health care providers and their business associates are legally accountable for securing the privacy of patient data. Several experts said such exposure of patient data could violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans’ health data confidential and secure.

Although ProPublica found no evidence that patient data was copied from these systems and published elsewhere, the consequences of unauthorized access to such information could be devastating. "Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people," said Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group.

"This is so utterly irresponsible," he said.

The issue should not be a surprise to medical providers. For years, one expert has tried to warn about the casual handling of personal health data. Oleg Pianykh, the director of medical analytics at Massachusetts General Hospital’s radiology department, said medical imaging software has traditionally been written with the assumption that patients’ data would be secured by the customer’s computer security systems.

But as those networks at hospitals and medical centers became more complex and connected to the internet, the responsibility for security shifted to network administrators who assumed safeguards were in place. "Suddenly, medical security has become a do-it-yourself project," Pianykh wrote in a 2016 research paper he published in a medical journal.

ProPublica’s investigation built upon findings from Greenbone Networks, a security firm based in Germany that identified problems in at least 52 countries on every inhabited continent. Greenbone’s Dirk Schrader first shared his research with Bayerischer Rundfunk after discovering some patients’ health records were at risk. The German journalists then approached ProPublica to explore the extent of the exposure in the U.S.

Schrader found five servers in Germany and 187 in the U.S. that made patients’ records available without a password. ProPublica and Bayerischer Rundfunk also scanned Internet Protocol addresses and identified, when possible, which medical provider they belonged to.

ProPublica independently determined how many patients could be affected in America, and found some servers ran outdated operating systems with known security vulnerabilities. Schrader said that data from more than 13.7 million medical tests in the U.S. were available online, including more than 400,000 in which X-rays and other images could be downloaded.

The privacy problem traces back to the medical profession’s shift from analog to digital technology. Long gone are the days when film X-rays were displayed on fluorescent light boards. Today, imaging studies can be instantly uploaded to servers and viewed over the internet by doctors in their offices.

In the early days of this technology, as with much of the internet, little thought was given to security. The passage of HIPAA required patient information to be protected from unauthorized access. Three years later, the medical imaging industry published its first security standards.

Our reporting indicated that large hospital chains and academic medical centers did put security protections in place. Most of the cases of unprotected data we found involved independent radiologists, medical imaging centers or archiving services.

One German patient, Katharina Gaspari, got an MRI three years ago and said she normally trusts her doctors. But after Bayerischer Rundfunk showed Gaspari her images available online, she said: "Now, I am not sure if I still can." The German system that stored her records was locked down last week.

We found that some systems used to archive medical images also lacked security precautions. Denver-based Offsite Image left open the names and other details of more than 340,000 human and veterinary records, including those of a large cat named "Marshmellow," ProPublica found. An Offsite Image executive told ProPublica the company charges clients $50 for access to the site and then $1 per study. "Your data is safe and secure with us," Offsite Image’s website says.

The company referred ProPublica to its tech consultant, who at first defended Offsite Image’s security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged Offsite Image’s servers had been accessible but were now fixed.

"We were just never even aware that there was a possibility that could even happen," Nelms said.

In 1985, an industry group that included radiologists and makers of imaging equipment created a standard for medical imaging software. The standard, which is now called DICOM, spelled out how medical imaging devices talk to each other and share information.

We shared our findings with officials from the Medical Imaging & Technology Alliance, the group that oversees the standard. They acknowledged that there were hundreds of servers with an open connection on the internet, but suggested the blame lay with the people who were running them.

"Even though it is a comparatively small number," the organization said in a statement, "it may be possible that some of those systems may contain patient records. Those likely represent bad configuration choices on the part of those operating those systems."

Meeting minutes from 2017 show that a working group on security learned of Pianykh’s findings and suggested meeting with him to discuss them further. That “action item” was listed for several months, but Pianykh said he never was contacted. The medical imaging alliance told ProPublica last week that the group did not meet with Pianykh because the concerns that they had were sufficiently addressed in his article. They said the committee concluded its security standards were not flawed.

Pianykh said that misses the point. It’s not a lack of standards; it’s that medical device makers don’t follow them. “Medical-data security has never been soundly built into the clinical data or devices, and is still largely theoretical and does not exist in practice,” Pianykh wrote in 2016.

ProPublica’s latest findings follow several other major breaches. In 2015, U.S. health insurer Anthem Inc. revealed that private data belonging to more than 78 million people was exposed in a hack. In the last two years, U.S. officials have reported that more than 40 million people have had their medical data compromised, according to an analysis of records from the U.S. Department of Health and Human Services.

Joy Pritts, a former HHS privacy official, said the government isn’t tough enough in policing patient privacy breaches. She cited an April announcement from HHS that lowered the maximum annual fine, from $1.5 million to $250,000, for what’s known as “corrected willful neglect” — the result of conscious failures or reckless indifference that a company tries to fix. She said that large firms would not only consider those fines as just the cost of doing business, but that they could also negotiate with the government to get them reduced. A ProPublica examination in 2015 found few consequences for repeat HIPAA offenders.

A spokeswoman for HHS’ Office for Civil Rights, which enforces HIPAA violations, said it wouldn’t comment on open or potential investigations.

"What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied" to legacy computer systems, said Singh, the cybersecurity expert. She said it’s a “shared responsibility” among manufacturers, standards makers and hospitals to ensure computer servers are secured.

"It’s 2019," she said. "There’s no reason for this."

How Do I Know if My Medical Imaging Data is Secure?

If you are a patient:

If you have had a medical imaging scan (e.g., X-ray, CT scan, MRI, ultrasound, etc.) ask the health care provider that did the scan — or your doctor — if access to your images requires a login and password. Ask your doctor if their office or the medical imaging provider to which they refer patients conducts a regular security assessment as required by HIPAA.

If you are a medical imaging provider or doctor’s office:

Researchers have found that picture archiving and communication systems (PACS) servers implementing the DICOM standard may be at risk if they are connected directly to the internet without a VPN or firewall, or if access to them does not require a secure password. You or your IT staff should make sure that your PACS server cannot be accessed via the internet without a VPN connection and password. If you know the IP address of your PACS server but are not sure whether it is (or has been) accessible via the internet, please reach out to us at [email protected].

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

[Editor's note: today's post, by reporters at ProPublica, discusses fixes for the security issues discussed in a prior post. It is reprinted with permission.]

By Marshall Allen, ProPublica

In our story about the convicted health care con man David Williams, we detailed how the Texas personal trainer made off with millions by billing some of the nation’s largest health insurers as if he were a doctor providing medical services.

Williams cannily exploited gaping loopholes in the health insurance system that allowed him almost unfettered entry. Taking commonsense steps to close those loopholes, experts say, could block other fraudsters from entry.

1. No one checks to see whether people getting federal ID numbers that allow them to bill insurers have valid licenses. They could.

Anyone billing an insurance company needs a National Provider Identifier, or NPI number. The number is obtained through Medicare, a federal agency that covers people over 65 as well as those with disabilities. But Medicare doesn’t verify that NPI applicants who claim to be licensed are, indeed, licensed by their state’s regulators. The agency could do a license check in less than a minute online or in milliseconds if the process is automated.

Medicare said federal regulations do not allow it to verify NPI applicants’ credentials, so the Department of Health and Human Services might need to revise the regulations. Congress could also order the reform.

2. Insurance companies don’t always verify that the people they are paying are licensed medical providers. They could.

Williams avoided scrutiny from insurers by billing as an out-of-network provider, so he didn’t have a contract with them and didn’t have his credentials verified before receiving payments. At Williams’ trial on federal fraud charges, representatives from the insurance companies testified that it’s not cost effective to review every claim. Almost all are automatically paid.

At a minimum, insurers could ensure that anyone billing them has the proper licensing before a payment is made. Again, this screening would take seconds or less.

Regulators could also require that insurers verify the licenses of those they pay. Some experts say it may take state and federal legislation to mandate it. Officials from America’s Health Insurance Plans, the trade group for the insurers, declined to comment on this suggestion.

3. Insurance companies aren’t reporting most cases of suspected fraud to state and federal regulators. They could.

Many states have a law in place that requires insurers to report suspected cases of fraud to state regulators. This allows regulators to spot serial fraudsters and trends, and it helps officials build criminal and civil cases. But the states have a mishmash of requirements, and many don’t do audits to make sure cases are being reported.

At least three insurance companies caught Williams committing fraud. But the Texas Department of Insurance only received one referral about the case, according to internal documents. If all three insurers that Williams defrauded had referred him, his case could have been prioritized and stopped sooner.

The existing state laws don’t apply to self-funded plans where employers pay for the health benefits. Those are overseen by the federal government. And no federal law requires insurers who administer self-funded plans to report suspected cases of fraud.

State and federal laws would need to be changed to require the consistent reporting of suspected fraud. Experts say audits, and the potential for fines, may also be needed to spur the insurers to file the reports.

Filed under:

• Health Care

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

[Editor's note: today's guest post, by reporters at ProPublica, discusses security and fraud issues within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Ever since her 14-year marriage imploded in financial chaos and a protective order, Amy Lankford had kept a wary eye on her ex, David Williams. Williams, then 51, with the beefy body of a former wrestler gone slightly to seed, was always working the angles, looking for shortcuts to success and mostly stumbling. During their marriage, Lankford had been forced to work overtime as a physical therapist when his personal training business couldn’t pay his share of the bills.

So, when Williams gave their three kids iPad Minis for Christmas in 2013, she was immediately suspicious. Where did he get that kind of money? Then one day on her son’s iPad, she noticed numbers next to the green iMessage icon indicating that new text messages were waiting. She clicked.

What she saw next made her heart pound. Somehow the iPad had become linked to her ex-husband’s personal Apple device and the messages were for him.

Most of the texts were from people setting up workouts through his personal training business, Get Fit With Dave, which he ran out of his home in Mansfield, Texas, a suburb of Fort Worth. But, oddly, they were also providing their birth dates and the group number of their health insurance plans. The people had health benefits administered by industry giants, including Aetna, Cigna and UnitedHealthcare. They were pleased to hear their health plans would now pay for their fitness workouts.

Lankford’s mind raced as she scrolled through the messages. It appeared her ex-husband was getting insurance companies to pay for his personal training services. But how could that be possible? Insurance companies pay for care that’s medically necessary, not sessions of dumbbell curls and lunges.

Insurance companies also only pay for care provided by licensed medical providers, like doctors or nurses. Williams called himself “Dr. Dave” because he had a Ph.D. in kinesiology. But he didn’t have a medical license. He wasn’t qualified to bill insurance companies. But, Lankford could see, he was doing it anyway.

As Lankford would learn, “Dr. Dave” had wrongfully obtained, with breathtaking ease, federal identification numbers that allowed him to fraudulently bill insurers as a physician for services to about 1,000 people. Then he battered the system with the bluntest of ploys: submit a deluge of out-of-network claims, confident that insurers would blindly approve a healthy percentage of them. Then, if the insurers did object, he gambled that they had scant appetite for a fight.

By the time the authorities stopped Williams, three years had passed since Lankford had discovered the text messages. In total, records show, he ran the scheme for more than four years, fraudulently billing several of the nation’s top insurance companies — United, Aetna and Cigna — for $25 million and reaping about $4 million in cash.

In response to inquiries, Williams sent a brief handwritten letter. He didn’t deny billing the insurers and defended his work, calling it an “unprecedented and beneficial opportunity to help many people.”

“My objective was to create a system of preventative medicine,” he wrote. Because of his work, “hundreds of patients” got off their prescription medication and avoided surgery.

There are a host of reasons health care costs are out-of-control and routinely top American’s list of financial worries, from unnecessary treatment and high prices to waste and fraud. Most people assume their insurance companies are tightly controlling their health care dollars. Insurers themselves boast of this on their websites.

In 2017, private insurance spending hit $1.2 trillion, according to the federal government, yet no one tracks how much is lost to fraud. Some investigators and health care experts estimate that fraud eats up 10% of all health care spending, and they know schemes abound.

Williams’ case highlights an unsettling reality about the nation’s health insurance system: It is surprisingly easy for fraudsters to gain entry, and it is shockingly difficult to convince insurance companies to stop them.

Williams’ spree also lays bare the financial incentives that drive the system: Rising health care costs boost insurers’ profits. Policing criminals eats away at them. Ultimately, losses are passed on to their clients through higher premiums and out-of-pocket fees or reduced coverage.

Insurance companies “are more focused on their bottom line than ferreting out bad actors,” said Michael Elliott, former lead attorney for the Medicare Fraud Strike Force in North Texas.

As Lankford looked at the iPad that day, she knew something else that made Williams’ romp through the health care system all the more surprising. The personal trainer had already done jail time for a similar crime, and Lankford’s father had uncovered the scheme.

Scanning her ex-husband’s texts, Lankford, then 47, knew just who to call. During the rocky end of her marriage, her dad had become the family watchdog. Jim Pratte has an MBA in finance and retired after a career selling computer hardware, but even the mention of Williams flushed his face red and ratcheted up his Texas twang. His former-son-in law is the reason he underwent firearms training.

Lankford lived a few minutes away from her parents in Mansfield. She brought her dad the iPad and they pored over message after message in which Williams assured clients that their insurance would cover their workouts at no cost to them.

Lankford and Pratte, then 68, were stunned at Williams’ audacity. They were sure the companies would quickly crackdown on what appeared to be a fraudulent scheme.

Especially because Williams had a criminal record.

In early 2006, while Williams and Lankford were going through their divorce, the family computer started freezing up. Lankford asked her dad to help her recover a document. Scrolling through the hard drive, Pratte came upon a folder named “Invoices,” and he suspected it had something to do with Williams.

His soon to be ex-son-in-law had had a promising start. He’d wrestled and earned bachelor’s and master’s degrees at Boise State University, and a Ph.D. at Texas A&M University, before landing a well-paying job as a community college professor in Arlington. But the glow faded when the school suddenly fired him for reasons hidden by a confidential settlement and by Williams himself, who refused to reveal them even to his wife.

Out of a job, Williams had hustled investments from their friends to convert an old Winn-Dixie grocery store into a health club called “Doc’s Gym.” The deal fell apart and everyone lost their money. The failure was written up in the local newspaper under the headline: “What’s up with Doc’s?”

Inside the “Invoices” folder, Pratte found about a dozen bills that appeared to be from a Fort Worth nonprofit organization where his daughter and Williams took their son Jake for autism treatment. As Pratte suspected, the invoices turned out to be fake. Williams had pretended to take Jake for therapy, then created the false bills so he could pocket a cash “reimbursement” from a county agency.

In November 2008, Williams pleaded guilty in Tarrant County District Court to felony theft. He was sentenced to 18 months in jail and was released on bail while he appealed.

Things took an even darker turn about two years later when Williams and Lankford’s 11-year-old son showed up to school with bruising on his face. Investigators determined that Williams had hit the boy in the face about 20 times. Williams pleaded guilty to causing bodily injury to a child, a felony, which, coupled with the bail violation, landed him in jail for about two years.

The time behind bars didn’t go to waste. Williams revised the business plan for Get Fit With Dave, concluding he needed to get access to health insurance.

Williams detailed his plans in letters to Steve Cosio, a tech-savvy friend who ran the Get Fit With Dave website in exchange for personal training sessions. Cosio, whose name later popped up on Lankford’s son’s iPad, kept the letters in their original envelopes and shared them with ProPublica. He said he never suspected Williams was doing anything illegal.

In his letters, Williams said that when he got out, instead of training clients himself, he would recruit clients and other trainers to run the sessions. “It has the potential for increased revenue.”

He asked Cosio to remove the term “personal training” from his website in another letter, adding “95 percent of my clients are paid for by insurance, which does not cover ‘personal training,’ I have to bill it as ‘therapeutic exercise.’ It is the same thing, but I have to play the insurance game … Insurance pays twice as much as cash pay so I have to go after that market.”

Williams downplayed his child abuse conviction — “I can honestly say that I am the only one in here for spanking their child” — and included a dig at his ex-father-in-law, Pratte: “an evil, evil man. He is the reason for my new accommodations.”

Williams told Cosio he needed to raise a quick $30,000 to pay an attorney to get him access to his children. “I will need to get a bunch of clients in a hurry.”

To set his plan in motion, Williams needed what is essentially the key that unlocks access to health care dollars: a National Provider Identifier, or NPI number. The ID number is little known outside the medical community but getting one through the federal government’s Medicare program is a rite of passage for medical professionals and organizations. Without it, they can’t bill insurers for their services.

One would think obtaining an NPI, with its stamp of legitimacy, would entail at least some basic vetting. But Williams discovered and exploited an astonishing loophole: Medicare doesn’t check NPI applications for accuracy — a process that should take mere minutes or, if automated, a millisecond. Instead, as one federal prosecutor later noted in court, Medicare “relies on the honesty of applicants.”

Records show Williams first applied for an NPI under his own name as far back as 2008. But it wasn’t until 2014 that Williams began to ramp up his scheme, even though now he wasn’t just unlicensed, he was a two-time felon. He got a second NPI under the company name, Kinesiology Specialists. The following year, he picked up another under Mansfield Therapy Associates. In 2016, he obtained at least 11 more, often for entities he created in the areas where he found fitness clients: Dallas, Nevada, North Texas and more. By 2017, he had 20 NPIs, each allowing him a new stream of billings.

For every NPI application, Williams also obtained a new employer identification number, which is used for tax purposes. But he never hid who he was, using his real name, address, phone number and email address on the applications. He added the title “Dr.” and listed his credentials as “PhD.” Under medical specialty he often indicated he was a “sports medicine” doctor and provided a license number, even though he wasn’t a physician and didn’t have a medical license.

Medicare officials declined to be interviewed about Williams. But in a statement, they acknowledged that the agency doesn’t verify whether an NPI applicant is a medical provider or has a criminal history. The agency claims it would need “explicit authority” from the Department of Health and Human Services to do so — and currently doesn’t have it. Regulations, and potentially the law, would need to be revised to allow the agency to vet the applications, the statement said.

Medicare does verify the credentials of physicians and other medical providers who want to bill the agency for their Medicare patients.

To those charged with rooting out fraudsters, the current regulations seem like an invitation to plunder. “Medicare has to make sure that the individuals who apply for NPIs are licensed physicians — it’s that simple,” said Elliott, the former prosecutor who ran about 100 health care fraud investigations.

Elliott, who now does white-collar criminal defense, said he knows of two other cases currently under federal investigation in which non-licensed clinic administrators lied to obtain NPI numbers, then used patients’ information to file false claims worth millions.

Medicare warns NPI applicants that submitting false information could lead to a $250,000 fine and five years in prison. But since Medicare started issuing NPIs in 2006, officials said they could not identify anyone who had been sanctioned.

So, for those bent on fraud, the first step is easy; the online approval for an NPI takes just minutes.

Williams got out of jail in November 2012 and launched an aggressive expansion with an irresistible pitch: Time to get those private personal training sessions you thought you couldn’t afford!

“Now accepting most health insurance plans,” his Get Fit With Dave website announced. He added a drop-down menu to his site, allowing potential clients to select their health insurance provider: Aetna. Blue Cross Blue Shield. United.

He began building a team, soliciting trainers from the strength and conditioning department at Texas Christian University. He met with new recruits at local fast food joints or coffee shops to set them up. To the trainers, the business appeared legit: They even signed tax forms. Before long, Williams’ network stretched throughout Texas and into Colorado, Idaho and Nevada.

One Fort Worth trainer recalled meeting Williams through one of his clients, a Southwest Airlines flight attendant. Williams, he said, seemed like a real doctor, and it wasn’t hard to imagine an insurer’s wellness program covering fitness. Plus, it was good money — about $50 an hour and Williams paid him for multiple clients at once if he did boot camps, said the trainer, who asked that his name not be used so he wouldn’t be tarnished by his association with Williams. Williams, he said, even gave him an iPad, with “Kinesiology Specialists” etched on the back, to submit bills and paid him via direct deposit.

Clients came to Williams through his business cards, his website and word-of-mouth. Williams, records show, quickly verified if their insurance companies would cover his fees — although he didn’t tell clients that those fees would be billed as medical services, not personal training. To ensure the clients paid nothing, he waived their annual deductibles — the portion patients pay each year before insurance kicks in. Authorities said Williams banked on being able to file enough claims to quickly blow through their deductibles so he could get paid.

Meredith Glavin, a flight attendant with Southwest, told the authorities she got in touch with Williams after her co-workers said insurance was covering their workouts. After providing her name, address and insurance information on the Get Fit With Dave website, Williams emailed back with the good news: “Everything checks out with your insurance. My services will be covered at no cost to you.”

During a follow-up phone call, Glavin said, they discussed her fitness and weight loss goals and then Williams connected her with a trainer. The workouts were typical fitness exercises, she said, not treatment for a medical condition. But insurance claims show Williams billed the sessions as highly complex $300 examinations to treat “lumbago and sciatica,” a condition in which nerve pain radiates from the lower back into the legs.

He used his favorite billing code — 99215 — to bill Glavin’s insurer, United, the claims show. The code is supposed to be used less often because it requires a comprehensive examination and sophisticated medical decision-making, warranting higher reimbursement. In all, Williams used the code to bill United for more than $20.5 million — without apparently triggering any red flags at the insurer. For that code alone, the insurance giant rewarded him with $2.5 million in payments.

Eventually, Get Fit With Dave expanded to about a dozen trainers and around 1,000 patients, said a source familiar with the case. And, court records show, the checks from insurance companies, some over $100,000, kept rolling in.

Williams bought a couple of pick-up trucks, a new Harley Davidson motorcycle and a fancy house. But greed didn’t seem his only motivation. “I made $50K last week,” he wrote in a December 2014 text to a friend. “Seriously it means nothing. It is not about the money. I have had a lot taken away from me, and maybe I am trying to prove something ... Maybe it is my way of giving the finger to everyone???”

A few miles away, his former father-in-law watched Williams’ illegal business blossom with growing outrage. Pratte kept his grandson’s iPad on his desk, near his computer, and checked it every day. The texts appeared boring, even routine, but Pratte knew they were evidence of ongoing fraud.

“I have another flight attendant friend who is interested in signing up as well,” a new client texted to Williams.

“Tell him to show up with his insurance card,” Williams replied.

To Pratte, the text messages were a “gold mine.” This is the stuff that will really nail his rear end, he recalled thinking as he read the messages. He couldn’t wait to share his findings with the insurers. How often do they get cases wrapped up in a bow?

But when he and Lankford began contacting insurers, they were soon bewildered. When Pratte told Aetna that he wanted to report a case of fraud, he said the customer service representative asked for his member number, then told him non-members couldn’t report criminal activity. Lankford, who happened to be covered by Aetna, made the complaint, but they say they never heard back.

An Aetna spokesman told ProPublica that the insurer could find no record of Pratte’s call but said the company’s fraud hotline takes tips from anyone, even anonymous callers.

Lankford sent an email to Cigna’s special investigations unit in January 2015 “regarding one of your providers that concerns me.” She provided Williams’ company name, address, cellphone number, Social Security number and more, and she described his scheme. “He has no medical license or credentials,” she wrote. “He was in prison for felony theft.”

A supervisory investigator called to ask for the names of personal trainers, which Lankford provided. But, again, there was silence.

Pratte could see many of the clients worked for Southwest and had their benefits administered by United. He jotted down the name, address, phone number, birth date and member identification number of the potential clients on a yellow legal pad — all the information the insurer and Southwest would need to investigate the fraud. This is so easy, Pratte recalled thinking as he wrote down the details, all they have to do is cross-reference this.

Because Southwest self-funds its benefits, the company was on the hook for the bills, which would eventually total about $2.1 million according to a source familiar with the case. It paid United to administer the company’s plan and ensure the claims it covered were legitimate. Pratte said he called the airline in the fall of 2015 and spoke to someone in the human resources department who said they would pass the information to the right people. “That was the last I heard,” he said. Southwest declined to comment for this story. It still pays United to administer its benefits.

Pratte started calling United in the fall of 2014 and spoke to a fraud investigator who took the information with interest, he said. But within a couple of weeks he was told she moved to a different position. Pratte continued calling United over the following two years, making about a dozen calls in total, he said. “He is not a doctor,” Pratte told whoever picked up the phone. “So, I don’t see how he can be filing claims.”

In early 2015, Lankford emailed additional information to the investigator. The investigator wrote back, thanking Lankford and saying she forwarded the details to the people who research licenses. “They will investigate further,” she said in the email.

Meanwhile, the text messages showed Williams continuing to sign up — and bill for — United members.

Frustrated, Pratte made one final call to United in 2016, but he was told the case was closed. United said he’d have to call the Texas Department of Insurance for any additional details. Pratte had already filed a complaint with the regulator but reached out again. The department told him that because he hadn’t personally been defrauded, it would not be able to act on his complaint.

To Pratte, it appeared he had struck out with Aetna, United, Southwest and the Texas Department of Insurance. “I was trying to get as many people as possible to look into it as I could,” Pratte said recently. “I don’t know if that tells me they are incompetent. Or they don’t care. Or they’re too busy.”

A case summary, prepared by the Texas Department of Insurance, shows it first learned of the Williams case in January 2015 but lacked staff to investigate. A spokesman said the regulator later received Pratte’s complaint but didn’t pursue it after learning that United had already investigated and closed its case.

Meanwhile, some Get Fit With Dave clients had begun noticing odd claims on their insurance statements.

Nanette Bishop had heard about Williams when a fellow Southwest flight attendant handed her the trainer’s business card and said, “You’ve got to meet Dr. Dave.” (Bishop said the Southwest legal department advised her not to speak with ProPublica. Details about her interaction with Williams come from court records.)

Bishop said she started strong with the workouts but “fizzled” quickly. Her daughter, who was also on her plan and signed up for workouts, only did a couple sessions. Bishop said she had a hard time staying consistent because she was traveling a lot — for much of October 2014 she was in Germany. Later, she noticed in her insurance records that Williams had been paid for dozens of sessions over many months, even during the time she’d been abroad.

Bishop texted Williams in January 2015 to tell him he needed to refund all the money. “I never worked out four [times] a week and [my daughter] quit the first week of September,” she wrote. Bishop also called United and Southwest Airlines to report the overbilling.

About a month later, Williams received a letter from a subsidiary of United ordering a review Bishop’s medical records.

Another client texted Williams with concerns that her United insurance plan had been billed for 18 workouts in December 2015. That couldn’t be accurate, the woman wrote. “I had to take December off due to my work schedule and family in town,” she wrote. “I understand that people need to be paid but this seems excessive.”

While Pratte, Lankford and some of Williams’ clients repeatedly flagged bogus bills, the mammoth health insurers reacted with sloth-like urgency to the warnings. Their correspondence shows an almost palpable disinterest in taking decisive action — even while acknowledging Williams was fraudulently billing them.

Cigna appears to have been the quickest to intervene. In January 2015, Cigna sent Williams a letter, noting that he wasn’t a licensed medical provider and had misrepresented the services he provided. The insurer said he needed to pay back $175,528 and would not be allowed to continue billing.

“I just got a $175K bill in the mail,” Williams texted to a friend. “Cigna insurance has been overpaying me for the past 18 months and they want it back. I knew that they were reimbursing at too high of a rate so I can’t really complain.”

By then Williams had more than one National Provider Identifier, so he just switched numbers and kept billing Cigna. More than a year later, in May 2016, Cigna sent another letter, saying he now owed $310,309 for inappropriate payments. In total, the company paid him more than $323,000. Williams never gave any of it back. Cigna declined to comment about the Williams case.

Aetna wrote Williams in January 2015 to say it had reviewed his claims and found he wasn’t licensed, resulting in an overpayment of $337,933. The letter said there appeared to be “abusive billing” that gave “rise to a reasonable suspicion of fraud.” But the insurer also gave him a month to provide documentation to dispute the assessment. When Williams hadn’t responded in three months, an Aetna investigator wrote to Williams’ attorney, saying, “We are willing to discuss an amicable resolution of this matter,” and gave him two more weeks to respond.

That August, an Aetna attorney sent Williams’ attorney another letter, noting that Williams had submitted “fraudulent claims” and had continued to submit bills “even after his billing misconduct was identified.”

In January 2016 — a year after Aetna first contacted him — Williams agreed to a settlement that required him to refund the company $240,000 “without admission of fault or liability by either party.”

But that didn’t stop, or even appear to slow, Williams. Not only did he renege on that promise, he picked one of his other NPI numbers and continued to file claims resulting in another $300,000 in payments from Aetna. In total, Aetna paid Williams more than $608,000.

In emails, Ethan Slavin, a company spokesman, didn’t explain why Aetna settled with Williams instead of pursuing criminal prosecution. He blamed the insurer’s slow response on the lengthy settlement process and Williams’ tactic of billing under different organizations and tax identification numbers. Williams did repay some of the money before defaulting, Slavin said.

United, one of the largest companies in the country, paid out the most to Williams. The insurer brought in $226 billion last year and has a subsidiary, Optum, devoted to digging out fraud, even for other insurers. But that prowess is not reflected in its dealings with Williams.

In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor.

Williams responded a month later, noting that he had a Ph.D. in kinesiology and did rehab, so he met the qualifications of a sports medicine doctor.

United responded in November 2015 with the same argument: he wasn’t licensed and thus needed to repay the money, again warning that if he didn’t, United would “initiate repayment by offsetting future payments.”

Williams took United up on its offer. “Please offset future payments until the requested refund amount is met,” he responded.

Then Williams turned to another NPI number, records show, and continued submitting claims to United.

In January 2016, Williams agreed to settle with United and repay $630,000 in monthly installments of $10,000. Inexplicably, the agreement refers to Williams as “a provider of medical services or products licensed as appropriate under the laws of the state of TX” and notes that the settlement doesn’t terminate his continued participation in United’s programs.

In 2016, Williams obtained a new batch of NPI numbers from Medicare. As usual, he used his real name, address and credentials on the applications. The additional numbers allowed him to continue to make claims to United.

In November 2016, United investigators caught Williams again — twice. They sent two letters accusing him of filing 820 claims between May 2016 and August 2016 and demanded repayment. Again, almost inconceivably, the company threatened to cover his debt with “future payments.”

In December 2016, United notified Williams he had only repaid $90,000 of the initial $630,000 he owed and was in default. The following month, United told him he had to pay the remaining $540,000 within 20 days or he could face legal action. Williams replied, saying he wanted to renegotiate the settlement, but the insurer declined. Late that month, United said its inappropriate payments to Williams had ballooned to more than $2.3 million.

A United spokeswoman said it was difficult to stop Williams because he used variations on his name and different organizations to perpetrate the fraud. “He did everything he could not to get caught,” Maria Gordon-Shydlo said.

She acknowledged getting the complaints from Lankford and Pratte, as well as United members, but defended the response of the company, saying it had eventually referred Williams to law enforcement.

The insurer is continuing “to improve our processes and enhance our systems so we can catch these schemes on the front-end,” she said, “before a claim is paid and to recoup dollars that were paid as a result of provider misconduct.”

In all, United paid Williams more than $3.2 million — most of it after the insurer had caught him in the act.

But in reality, the losses weren’t all United’s. Most of the fraud was funded by its client, Southwest.

Many health care experts and fraud investigators said they weren’t surprised to hear that insurers were slow to stop even such an outlandish case of fraud.

“It’s just not worth it to them,” said Dr. Eric Bricker, an internist who spent years running a company that advised employers who self-funded their insurance.

For insurance behemoths pulling in billions, or hundreds of billions, in revenue, fraud that sucks away mere millions is not even a rounding error, he said.

And perhaps counter-intuitively, insurance companies are loath to offend physicians and hospitals in their all-important networks — even those accused of wrongdoing, many experts have said. They attract new clients by providing access to their networks.

This ambivalence toward fraud, Bricker and others said, is no secret. Scammers like Williams are “emblematic of gazillions of people doing variants of the same thing,” Bricker said. Insurers embolden them by using a catch-and-release approach to fraud, in which the insurers identify criminals, then let them go.

Joe Christensen has pursued fraud for both government and commercial insurers, serving as a director in Aetna’s Special Investigations Unit, a team of more than 100 people ferreting out fraud, from 2013 to 2018 and as the director of Utah’s insurance fraud division for 13 years. Fraud in government programs, like Medicare and Medicaid, gets more publicity, he said, and has dedicated arms of agencies pursuing fraudsters. But the losses may be even greater in the commercial market because the dollar levels are higher, he said.

Some commercial insurers take a passive approach, Christensen said, in part because it’s expensive to press a fraud case. At Aetna, he said, investigators would identify cases of apparent fraud, but it was up to the executives and legal team to decide how to handle them. Taking fraudsters to civil or criminal court requires resources, so the company often settled for trying to get repaid through settlements or blocking a suspect provider from billing, he said.

Christensen said while he was at Aetna, investigators almost never sought to partner with law enforcement agencies to pursue criminal cases. Last spring, he became the SIU director for a Southern California-based Medicaid plan called L.A. Care Health Plan, where he was allowed to take a proactive approach. In just about a year, he said, his much smaller team began 37 criminal investigations with law enforcement agencies. The cases are in different stages, but so far there have been seven arrests, four search warrants and one conviction. Christensen recently took a job with an insurer in Utah, where his family lives, so he could be closer to them.

ProPublica asked Aetna how many criminal cases it had pursued in 2017 and 2018. A company official said the question could not be answered because it does not track such cases.

In the spring of 2017, more than four years after Williams first began billing insurers, one of them, United, finally brought him to the attention of the FBI’s heath care fraud squad.

One May day, agents from the FBI and the newly engaged Texas Department of Insurance knocked on the door of Williams’ sprawling six-bedroom home — a spread he’d boasted to one trainer that he’d purchased with cash. Williams didn’t invite them in. He refused to answer questions, claiming his attorney had dealt with the questionable billings.

Undaunted, just days later, Williams used a freshly minted NPI number to send another bill to United. The last known claim he submitted was on June 3, 2017, according to a source familiar with the investigation.

That October, Williams’ long run came to an end when he was arrested by the FBI.

The following May, Williams’ trial began in the United States District Court for the Northern District of Texas. The prosecution didn’t have to make a complex argument. Williams had billed for non-medically necessary services and wasn’t a medical provider — a “slam dunk case” said the agent on the case.

But the testimony served as a cheat sheet for how to defraud the health insurance industry and mostly get away with it.

Without irony, the prosecutor, P.J. Meitl, argued that Williams had preyed on a health insurance system that relies “on trust, relies on honesty” when it pays claims.

He called fraud investigators from Aetna, Cigna and United, who testified that their companies auto-pay millions of claims a year. It’s not cost effective to check them, they said. “Aetna relies on the honesty of the person submitting the claim verifying that it’s true,” testified Kathy Richer, a supervisor in Aetna’s Special Investigations Unit.

In a similar manner, Medicare trusts that people who apply for NPI numbers are actually medical providers, Meitl told the jury. Medicare “does not investigate or verify whether an individual is actually a health care provider before issuing an NPI number.”

Williams’ attorney, Wes Ball, argued that the case was the sign of a “broken” health care system and blamed insurers for making a financial decision not to review Williams’ claims before paying them. United failed to protect Southwest’s money, Ball said, and “might be a vendor you might not want to hire.”

As for the NPI numbers, anyone could have checked Williams’ credentials, he said.

The jury wasn’t convinced, convicting Williams of four counts of health care fraud.

The judge sentenced him to a little more than nine years in federal prison and ordered him to pay $3.9 million in restitution to United, Aetna and Cigna.

Insurers promote themselves as guardians of health care dollars. United says on its website it wants to “help employers manage” medical expenses, resulting in “lower costs.” Aetna promises employers “affordability.” Cigna promises “increased savings.”

But private health insurers allow so much fraud that prosecutors use an idiom to describe the rare person who gets caught: “Pigs get fat, hogs get slaughtered.”

“Pigs” can steal millions, if they bill just enough to avoid notice. But if they get greedy and bill too many millions, they “become a data outlier,” said Elliott, the former fraud task force prosecutor. “You get slaughtered.”

Williams took years to reach hog status.

Part of the problem, experts say, is that health care fraud is often misunderstood as shafting greedy insurers — not the folks paying for health insurance. Ultimately, insurers don’t bear the cost. For their self-funded clients, like Southwest, they merely process the claims. For their traditionally insured clients, they can recover any losses by increasing deductibles and premiums and decreasing coverage.

Williams appears to have duped more than insurers. His twin brother, Dan Williams, recently retired as the assistant special agent in charge of the Dallas field office for criminal investigation for the Internal Revenue Service. He spent 27 years ferreting out fraud, and he gets the irony. “You’re not the first person to point that out,” he said.

Dan Williams said his brother’s sudden riches from the training business piqued his investigative instincts, but he “trusted” his brother when “he told me he was authorized to bill insurance companies.”

In his letter to ProPublica, Williams did not address the issues in the case or even acknowledge that any of his activities were wrong. Instead, he blamed his former wife. “It grieves me that the consequences of a bitter and hurtful divorce have resulted in the ending of this unprecedented and beneficial opportunity to help many people,” he wrote.

Lankford and Pratte are proud of their part in ending his scheme, if still baffled that they had to play such a central role in uncovering it.

If it hadn’t been for the iPad messages, “I have to believe he would still be billing insurance companies from a Caribbean island,” Pratte said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

[Editor's note: today's guest post, by reporters at ProPublica, discusses business practices within the healthcare industry, and related issues of wages and debt collection. It is reprinted with permission.]

By Wendi C. Thomas, MLK50

MEMPHIS, Tennessee — This year, a Methodist Le Bonheur Healthcare housekeeper left her job just three hours into her shift and caught a bus to Shelby County General Sessions Court. Wearing her black and gray uniform, she had a different kind of appointment with her employer: The hospital was suing her for unpaid medical bills.

In 2017, the nonprofit hospital system based in Memphis sued the woman for the cost of hospital stays to treat chronic abdominal pain she experienced before the hospital hired her. She now owes Methodist more than $23,000, including around $5,800 in attorney’s fees.

It’s surreal, she said, to be sued by the organization that pays her $12.25 an hour. “You know how much you pay me. And the money you’re paying, I can’t live on,” said the housekeeper, who asked that her name not be used for fear that the hospital would fire her for talking to a reporter.

From 2014 through 2018, the hospital system affiliated with the United Methodist Church has filed more than 8,300 lawsuits against patients, including its own workers. After winning judgments, it has sought to garnish the wages of more than 160 Methodist workers and has actually done so in more than 70 instances over that time, according to an MLK50-ProPublica analysis of Shelby County General Sessions Court records, online docket reports and case files.

Some of the debts were accrued while the employees worked at Methodist; others predated their time there. The figures do not include debts incurred by onetime Methodist employees who have since moved on.

Between January and mid-June, a reporter observed more than a dozen Methodist employees in court to defend themselves in suits brought by the hospital over hospital bills.

That includes a Methodist Le Bonheur employee who owes more than $1,200. In January, she proposed paying $100 a month, even though her sworn affidavit listed monthly expenses that exceeded her $1,650 monthly income. After conferring with an attorney for Methodist, Judge Betty Thomas Moore agreed to the worker’s proposal, but she has already missed a payment.

A few weeks later, a Methodist employee appeared for an initial hearing wearing hospital scrubs. The hospital had sued her for more than $4,000. When she left the courtroom, she was annoyed. Her employer knew where she worked, she said, and should have contacted her before suing her. “I don’t know why they can’t come upstairs,” she said outside the courtroom.

And in May, an employee who has worked for Methodist for more than four years carried a large envelope full of bills with her into the courtroom. She owed more than $5,400, which included a 2017 hospital charge from the newborn unit. That is the same year that her daughter was born, according to her sworn affidavit, which also listed a checking account balance of less than $4. She offered to pay $10 biweekly, or $20 most months, but Methodist’s attorney wanted $200 per month. The judge ordered her to pay $100 per month.

It’s not uncommon for hospitals to sue patients over unpaid debts, but what is striking at Methodist, the largest hospital system in the Memphis region, is how many of those patients end up being its own employees. Hardly a week goes by in which Methodist workers aren’t on the court docket fighting debt lawsuits filed by their employer.

Making matters worse, employees say, is that Methodist’s health insurance benefits only allow employees to seek medical care at Methodist facilities, even though the financial assistance policies at its competitors are more generous.

An expert in hospital billing practices said that if the hospital is suing a fair number of its own employees, it’s time to look both at the insurance provided to workers and the pay scale.

“One would hope that if this is an action being taken against a significant amount of employees, the hospital would look at the insurance they provide workers,” said Mark Rukavina, an expert in nonprofit hospitals and a manager at Community Catalyst, a health care advocacy organization.

Methodist declined requests for an interview. It did not respond to specific written questions about the lawsuits it files against its workers or about how its policies reflect the values of the United Methodist Church. Instead, in a statement, it said it is committed to working with patients who are having trouble paying their medical bills.

“As the second largest private employer in Shelby County, we recognize the responsibility we have as an organization to contribute to the success of the diverse communities we serve and are purposeful about creating jobs in our community — intentionally choosing to keep services like printing, laundry and others in-house that are typically outsourced by the healthcare industry,” the hospital said.

Methodist also declined to answer a question about whether it has any policy that prohibits employees being sued by Methodist from talking to a reporter about the lawsuits filed against them by the hospital.

Employer and Legal Adversary

On a single January day, there were 10 defendants on the docket whose place of employment was listed in court records as Methodist.

Employees in scrubs sat just feet away from the attorneys in dress suits whom their employer hired to sue them. The hospital’s role as a tax-exempt organization that both employs the defendants and is suing them went unremarked upon by judges, attorneys and the defendants themselves.

Methodist’s financial assistance policy stands out from peers in Memphis and across the country, MLK50 and ProPublica found. The policy offers no assistance for patients with any form of health insurance, no matter their out-of-pocket costs. Under Methodist’s insurance plan, employees are responsible for a $750 individual deductible and then 20% of inpatient and outpatient costs, up to a maximum out-of-pocket cost of $4,100 per year.

The housekeeper’s story is documented in Shelby County General Sessions Court records, including online docket reports and online payment history. A reporter interviewed the housekeeper multiple times in person and on the phone. The employee gave the reporter six years of itemized Methodist hospital bills, her credit report and other past-due medical bills. Most of her debts were incurred before she started working at Methodist.

Five times between 2012 and 2014, she visited the hospital for stomach problems, according to the itemized bills. (Years later, she had surgery to treat diverticulitis.) At those times, she had insurance through her job at a hotel, where she cleaned rooms for $10.66 an hour. After insurance paid its share, she owed just over $17,500.

In 2015, the housekeeper left the hotel job and lost her insurance. Three times that year she went to Methodist’s ER, but since she was uninsured and had little income, she qualified for financial assistance. Methodist wrote off more than $45,000 in hospital bills.

In a statement, Methodist said it gives an automatic 70% discount to uninsured patients and free care to uninsured patients at or below 125% of the federal poverty guidelines. For a single adult with two dependents, that would be just over $26,600. Uninsured patients who earn more than that, but less than twice the poverty limit, are also eligible for discounts, it said.

In 2016, unable to find work, the housekeeper left Memphis. For more than a year, she said, she and her son were homeless, bouncing between relatives in Chicago, where she was born, and Texas.

But she missed her daughter and grandchildren in Memphis, so in 2017, she returned. In August 2017, Methodist sued her for the bills she accumulated when she was insured years earlier. Later that month, she was hired at a Methodist hospital, starting at $11.95 an hour.

The hospital’s collections agency, which it owns, didn’t have her correct address and was unable to serve notice that she had been sued, but last year, Methodist tried again. This time, it had the right address.

In November, a process server handed her the civil warrant at her South Memphis apartment.

At the process server’s recommendation, she called the hospital’s collection agency and offered to pay $50 every two weeks. “But they said it wasn’t enough,” she recalled. “I would just have to go to court. They said I’d be owing them all my life,” she recalled.

In a sworn affidavit filed with the court this year, the housekeeper listed her dependents as a grandson and her 27-year-old son, who she said has bipolar disorder and schizophrenia. She told the court she earned $16,000 in 2017, which puts her more than $4,000 below that year’s federal poverty level for a family of three. (Because she had insurance, though, she was ineligible for assistance under the hospital’s policy.)

Fred Morton, a retired Methodist minister in Memphis, said he was surprised to learn that Methodist is suing its own employees.

“The employees should be paid an adequate minimum wage at the very least,” he said. “Certainly they should not be predatory to their own employees on medical bills. That’s very much contrary to Scripture.”

He said that Methodist bishops who serve on its board bear responsibility for reminding it of the denomination’s values. “It’s a matter of the church pushing on its own,” Morton said.

Three United Methodist Church bishops serve on the hospital’s board. Bishop Gary Mueller’s office referred a reporter to Methodist Le Bonheur Healthcare’s communications office. Bishop Bill McAilly declined to comment. Bishop James E. Swanson did not respond to multiple requests for comment.

When the housekeeper appeared before a General Sessions Court judge this year, she’d filed a motion offering to pay $50 biweekly, or $100 in most months. When the hospital’s attorney asked for a $200 per month, she was stunned.

“This is my only job, this is my only income, so how am I supposed to live?” she remembered thinking.

Nervous that the judge would side with the hospital, the housekeeper made another offer.

“I could do $75 every two weeks,” she said quickly. The attorney agreed and the judge signed the order.

Being an employee and defendant is “really kind of sad,” the housekeeper said. Asked how she manages to make ends meet, she says she doesn’t. “It’s killing me, killing me softly,” she said.

She said she didn’t reach out to the hospital’s payroll department or a manager about the hospital bills she’s being sued for. “They don’t care about that... That I do know.”

“I Don’t Want to Be Homeless Again”

Part of what makes paying medical bills so hard for some Methodist employees is that their wages are low, lagging behind several other large employers in the Memphis market. In December, St. Jude Children’s Research Hospital announced it was raising its minimum pay for full and part-time workers to $15 an hour. St. Jude’s decision followed a similar commitment by the Shelby County government, Shelby County Schools and Blue Cross Blue Shield of Tennessee.

At Methodist, which operates five hospitals in Shelby County, the lowest-paid employees make $10 an hour and about 18% of workers make less than $15 an hour, the hospital reported in response to MLK50’s 2018 Living Wage Survey.

As recently as 2017, the Greater Memphis Chamber advertised on its website that the city offered a workforce at “wage rates that are lower than most other parts of the country.”

The United Methodist Church’s Social Principles, which state the denomination’s position on everything from climate change to the death penalty, speak directly to what employees should earn. “Every person has the right to a job at a living wage,” it states.

The Living Wage Model statement on the church’s website says, “Exploitation or underpayment of workers is incompatible with Christ’s commandment to love our neighbor.”

Methodist, which made Forbes’ 2019 list of Best Employers by State, did not answer specific questions about pay for employees. On its website, it says, “It is the policy of Methodist Le Bonheur Healthcare to pay its employees competitive, market-based wages.”

Neither Methodist, nonprofit Baptist Memorial Healthcare or Regional One, the public hospital, pay all their employees at least $15 an hour. Even that figure would make it impossible to make ends meet for an employee trying alone to support a household with dependents, according to MIT’s Living Wage Calculator and another created by the Economic Policy Institute, both of which take into account local living expenses.

The housekeeper’s $12.25 an hour pay falls well short of that. Without overtime, she said her take-home pay would be around $1,600 per month. Her rent is $610.

Even with as much overtime as she gets, she’s turned to payday loans. Since December, she’s renewed a $425 payday loan every two weeks, paying $71 each time. “You have to rob from Paul to pay Peter,” she said. “It doesn’t never seem like you can get ahead.”

The housekeeper applied for a job at Walmart but was told the store nearest her is not accepting applications. She doubts the pay will be any better, but she hopes it’ll be less stressful.

"Times be hard, because sometimes my body feels like I can’t make it, but I get up anyway, because I don’t want to be homeless again."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

The Attorney General's Office for the State of Arizona announced last month a major settlement agreement with two healthcare software providers: Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard, LLC (hereafter, referred to jointly as "MIE") following a massive data breach at MIE in 2015.  The press release by AG Mike Brnovich stated:

"The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act ("HIPAA"). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements."

The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. States involved in the joint lawsuit and settlement included Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The data breach occurred between May 7, 2015, and May 26, 2015, when hackers broke into WebChart, a web application by MIE and stole:

"... the electronic Protected Health Information ("ePHI") of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics."

The consent order and judgment is available here. Indiana’s share was $174,745.29. Indiana AG Curtis Hill said:

"Hoosier consumers trust us to look out for their interests... Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under the law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure."

Like most people, you probably have not heard of "aggression detectors." What are these devices? Who makes them? Who uses these devices and why? What consumers are affected?

To answer these questions, ProPublica explained who makes the devices and why:

"In response to mass shootings, some schools and hospitals are installing microphones equipped with algorithms. The devices purport to identify stress and anger before violence erupts... By deploying surveillance technology in public spaces like hallways and cafeterias, device makers and school officials hope to anticipate and prevent everything from mass shootings to underage smoking... Besides Sound Intelligence, South Korea-based Hanwha Techwin, formerly part of Samsung, makes a similar “scream detection” product that’s been installed in American schools. U.K.-based Audio Analytic used to sell its aggression- and gunshot-detection software to customers in Europe and the United States... Sound Intelligence CEO Derek van der Vorst said security cameras made by Sweden-based Axis Communications account for 90% of the detector’s worldwide sales, with privately held Louroe making up the other 10%... Mounted inconspicuously on the ceiling, Louroe’s smoke-detector-sized microphones measure aggression on a scale from zero to one. Users choose threshold settings. Any time they’re exceeded for long enough, the detector alerts the facility’s security apparatus, either through an existing surveillance system or a text message pinpointing the microphone that picked up the sound..."

The microphone-equipped sensors have been installed in a variety of industries. The Sound Intelligence website listed prisons, schools, public transportation, banks, healthcare institutes, retail stores, public spaces, and more. Louroe Electronics' site included a similar list plus law enforcement.

The ProPublica article also discussed several key issues. First, sensor accuracy and its own tests:

"... ProPublica’s analysis, as well as the experiences of some U.S. schools and hospitals that have used Sound Intelligence’s aggression detector, suggest that it can be less than reliable. At the heart of the device is what the company calls a machine learning algorithm. Our research found that it tends to equate aggression with rough, strained noises in a relatively high pitch, like [a student's] coughing. A 1994 YouTube clip of abrasive-sounding comedian Gilbert Gottfried ("Is it hot in here or am I crazy?") set off the detector, which analyzes sound but doesn’t take words or meaning into account... Sound Intelligence and Louroe said they prefer whenever possible to fine-tune sensors at each new customer’s location over a period of days or weeks..."

Second, accuracy concerns:

"[Sound Intelligence CEO] Van der Vorst acknowledged that the detector is imperfect and confirmed our finding that it registers rougher tones as aggressive. He said he “guarantees 100%” that the system will at times misconstrue innocent behavior. But he’s more concerned about failing to catch indicators of violence, and he said the system gives schools and other facilities a much-needed early warning system..."

This is interesting and troubling. Sound Intelligence's position seems to suggest that it is okay for sensor to miss-identify innocent persons as aggressive in order to avoid failures to identify truly aggressive persons seeking to do harm. That sounds like the old saying: the ends justify the means. Not good. The harms against innocent persons matters, especially when they are young students.

Yesterday's blog post described a far better corporate approach. Based upon current inaccuracies and biases with the technology, a police body camera assembled an ethics board to help guide its decisions regarding the technology; and then followed that board's recommendations not to implement facial recognition in its devices. When the inaccuracies and biases are resolved, then it would implement facial recognition.

What ethics boards have Sound Intelligence, Louroe, and other aggression detector makers utilized?

Third, the use of aggression detectors raises the issue of notice. Are there physical postings on-site at schools, hospitals, healthcare facilities, and other locations? Notice seems appropriate, especially since almost all entities provide notice (e.g., terms of service, privacy policy) for visitors to their websites.

Fourth, privacy concerns:

"Although a Louroe spokesman said the detector doesn’t intrude on student privacy because it only captures sound patterns deemed aggressive, its microphones allow administrators to record, replay and store those snippets of conversation indefinitely..."

I encourage parents of school-age children to read the entire ProPublica article. Concerned parents may demand explanations by school officials about the surveillance activities and devices used within their children's schools. Teachers may also be concerned. Patients at healthcare facilities may also be concerned.

Concerned persons may seek answers to several issues:

• The vendor selection process, which aggression detector devices were selected, and why
• Evidence supporting the accuracy of aggression detectors used
• The school's/hospital's policy, if it has one, covering surveillance devices; plus any posted notices
• The treatment and rights of wrongly identified persons (e.g., students, patients,, visitors, staff) by aggression detector devices
• Approaches by the vendor and school to improve device accuracy for both types of errors: a) wrongly identified persons, and b) failures to identify truly aggressive or threatening persons
• How long the school and/or vendor archive recorded conversations
• What persons have access to the archived recordings
• The data security methods used by the school and by the vendor to prevent unauthorized access and abuse of archived recordings
• All entities, by name, which the school and/or vendor share archived recordings with

What are your opinions of aggression detectors? Of device inaccuracy? Of the privacy concerns?

Things have become complicated regarding American Medical Collection Agency (AMCA), a collections firm used by several medical testing firms. After breach announcements by Quest Diagnostics and LabCorp earlier this month, more healthcare firms announced breach notices.

So, more than 20 million persons have been affected. ZD Net reported the patient totals by healthcare firm:

"Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients)."

Now, we learn that AMCA has filed for bankruptcy protection:

"According to the Chapter 11 declaration (.PDF), filed with the court for the Southern District of New York, AMCA first became aware of a potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions... Cybersecurity forensics bills of roughly $400,000, IT support costs, severe restrictions that were put in place to protect AMCA's network from further intrusion, looming court cases, and the loss of valuable business partners have all taken their toll."

A "Chapter 11" bankruptcy means a reorganization, compared to a total liquidation under "Chapter 7." So, AMCA executives expect their company to survive.

ZD Net also reported that AMCA has paid more than:

"... $3.8 million to inform over seven million people who have potentially been impacted via mail. This figure alone is more than the company had to hand, forcing AMCA to take out a loan from the CEO and founder, Russell Fuchs, just to meet this expense. By filing for bankruptcy protection, the business will continue on as usual as AMCA seeks to pay off its creditors."

The costs highlight the consequences when companies fail to protect consumers' sensitive personal and payment data. The bankruptcy filing begs the next question: continue operating how effectively? Reportedly, AMCA has already cut its workforce from 155 to 25 employees. Usually under bankruptcy protection, a court decides which creditors get paid and whether they are paid in full -- including employees.

This scenario makes one wonder if AMCA can afford the ongoing expenses and resources necessary to harden its computer systems against intrusions, pay its employees, fully support data breach victims, and pay any post-breach fines. If AMCA can't pay its employees, it is probably already dead.

Two healthcare data breaches have affected about 19 million persons, so far.

First, a data breach at a third-party collections firm has affected about 11.9 million patients at Quest Diagnostics, a medical testing firm. Quest announced in a June 3rd news release that American Medical Collection Agency (AMCA) notified it of data breach affecting Quest patients:

"... an unauthorized user had access to AMCA’s system...AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter. AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results."

Quest said that AMCA hasn't yet provided it with details about the data breach. The news release did not state when AMCA or Quest would directly notify affected patients. Hopefully, future news releases will provide dates when the breach occurred, how the attackers broke in, and the fixes underway so this doesn't happen again.

Second, a data breach at the same third-party collections firm has also affected about 7.7 million customers of LabCorp, another medical testing firm. LabCorp disclosed in a filing with the U.S. Securities and Exchange Commission that AMCA notified it of data breach which occurred between August 1, 2018 and March 30, 2019. The filing did not state the date when AMCA notified LabCorp. The filing did state:

"AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA... AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA... AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers."

LabCorp said in the filing that it didn't provide patients' ordered tests, laboratory results, or diagnostic information to AMCA. AMCA is currently notifying about 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. Also:

"AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them. AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months."

Given the ongoing investigation and breach notification, more news seems likely. Both breaches suggest other AMCA clients may have been affected. A check of the AMCA website at press time failed to find any news releases or mentions of both data breaches. C/Net reported:

"LabCorp also said that as a result of the breach, it's stopped sending new collection requests to the AMCA and suspended the AMCA's work on any pending requests related to LabCorp customers... LabCorp declined to comment beyond its SEC filing. AMCA said it conducted an internal audit after being notified of the breach by an outside security compliance firm and took down its web payments page. The company has also hired a third-party forensics firm to investigate the breach and has notified law enforcement."

The Krebs On Security blog reported:

"... AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed. A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years. Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system.

Both data breaches reminder patients that when companies outsource collections activities, patients' sensitive healthcare and payment information are often shared with outsource vendors. The lack of breach details makes one wonder if AMCA executives were caught unprepared with both inadequate data security on its payments website, and post-breach responses. Hopefully, future news reports will clarify things.

[Editor's note: today's guest post, by reporters at ProPublica, explores business practices within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

The pitches to the health insurance brokers are tantalizing.

“Set sail for Bermuda,” says insurance giant Cigna, offering top-selling brokers five days at one of the island’s luxury resorts.

Health Net of California’s pitch is not subtle: A smiling woman in a business suit rides a giant $100 bill like it’s a surfboard. “Sell more, enroll more, get paid more!” In some cases, its ad says, a broker can “power up” the bonus to $150,000 per employer group.

Not to be outdone, New York’s EmblemHealth promises top-selling brokers “the chance of a lifetime”: going to bat against the retired legendary New York Yankees pitcher Mariano Rivera. In another offer, the company, which bills itself as the state’s largest nonprofit plan, focuses on cash: “The more subscribers you enroll … the bigger the payout.” Bonuses, it says, top out at $100,000 per group, and “there’s no limit to the number of bonuses you can earn.

Such incentives sound like typical business tactics, until you understand who ends up paying for them: the employers who sign up with the insurers — and, of course, their employees.

Human resource directors often rely on independent health insurance brokers to guide them through the thicket of costly and confusing benefit options offered by insurance companies. But what many don’t fully realize is how the health insurance industry steers the process through lucrative financial incentives and commissions. Those enticements, critics say, don’t reward brokers for finding their clients the most cost-effective options.

Here’s how it typically works: Insurers pay brokers a commission for the employers they sign up. That fee is usually a healthy 3 to 6 percent of the total premium. That could be about $50,000 a year on the premiums of a company with 100 people, payable for as long as the plan is in place. That’s $50,000 a year for a single client. And as the client pays more in premiums, the broker’s commission increases.

Commissions can be even higher, up to 40 or 50 percent of the premium, on supplemental plans that employers can buy to cover employees’ dental costs, cancer care or long-term hospitalization.

Those commissions come from the insurers. But the cost is built into the premiums the employer and employees pay for the benefit plan.

Now, layer on top of that the additional bonuses that brokers can earn from some insurers. The offers, some marked “confidential,” are easy to find on the websites of insurance companies and broker agencies. But many brokers say the bonuses are not disclosed to employers unless they ask. These bonuses, too, are indirectly included in the overall cost of health plans.

These industry payments can’t help but influence which plans brokers highlight for employers, said Eric Campbell, director of research at the University of Colorado Center for Bioethics and Humanities.

“It’s a classic conflict of interest,” Campbell said.

There’s “a large body of virtually irrefutable evidence,” Campbell said, that shows drug company payments to doctors influence the way they prescribe. “Denying this effect is like denying that gravity exists.” And there’s no reason, he said, to think brokers are any different.

Critics say the setup is akin to a single real estate agent representing both the buyer and seller in a home sale. A buyer would not expect the seller’s agent to negotiate the lowest price or highlight all the clauses and fine print that add unnecessary costs.

“If you want to draw a straight conclusion: It has been in the best interest of a broker, from a financial point of view, to keep that premium moving up,” said Jeffrey Hogan, a regional manager in Connecticut for a national insurance brokerage and one of a band of outliers in the industry pushing for changes in the way brokers are paid.

As the average cost of employer-sponsored health insurance premiums has tripled in the past two decades, to almost $20,000 for a family of four, a small, but growing, contingent of brokers are questioning their role in the rise in costs. They’ve started negotiating flat fees paid directly by the employers. The fee may be a similar amount to the commission they could have earned, but since it doesn’t come from the insurer, Hogan said, it “eliminates the conflict of interest” and frees brokers to consider unorthodox plans tailored to individual employers’ needs. Any bonuses could also be paid directly by the employer.

Brokers provide a variety of services to employers. They present them with benefits options, enroll them in plans and help them with claims and payment issues. Insurance industry payments to brokers are not illegal and have been accepted as a cost of doing business for generations. When brokers are paid directly by employers, the results can be mutually beneficial.

In 2017, David Contorno, the broker for Palmer Johnson Power Systems, a heavy-equipment distribution company in Madison, Wisconsin, saved the firm so much money while also improving coverage that Palmer Johnson took all 120 employees on an all-expenses paid trip to Vail, Colorado, where they rode four-wheelers and went whitewater rafting. In 2018, the company saved money again and rewarded each employee with a health care “dividend” of about $700.

Contorno is not being altruistic. He earned a flat fee, plus a bonus based on how much the plan saved, with the total equal to roughly what would have made otherwise.

Craig Parsons, who owns Palmer Johnson, said the new payment arrangement puts pressure on the broker to prevent overspending. His previous broker, he said, didn’t have any real incentive to help him reduce costs. “We didn’t have an advocate,” he said. “We didn’t have someone truly watching out for our best interests.” (The former broker acknowledged there were some issues, but said it had provided a valuable service.)

Working for Employers, Not Insurers

Contorno is part of a group called the Health Rosetta, which certifies brokers who agree to follow certain best practices related to health benefits, including eliminating any hidden agreements that raise the cost of employee benefits. To be certified, brokers (who refer to themselves as “benefits advisers”) must disclose all their direct and indirect sources of income — bonuses, commissions, consulting fees, for example — and who pays them to the employers they advise.

Dave Chase, a Washington businessman, created Rosetta in 2016 after working with tech health startups and launching Microsoft’s services to the health industry. He said he saw an opportunity to transform the health care industry by changing the way employers buy benefits. He said brokers have the most underestimated role in the health care system. “The good ones are worth their weight in gold,” Chase said. “But most of the benefit brokers are pitching themselves as buyer’s agents, but they are paid like a seller’s agent.”

There are only 110 Rosetta certified brokers in an industry of more than 100,000, although others who follow a similar philosophy consider themselves part of the movement.

From the employer’s point of view, one big advantage of working with brokers like those certified by Rosetta, is transparency. Currently, there’s no industry standard for how brokers must disclose their payments from insurance companies, so many employers may have no idea how much brokers are making from their business, said Marcy Buckner, vice president of government affairs for the National Association of Health Underwriters, the trade group for health benefits brokers. And thus, she said, employers have no clear sense of the conflicts of interest that may color their broker’s advice to them.

Buckner’s group encourages brokers to bill employers for their commissions directly to eliminate any conflict of interest, but, she said, it’s challenging to shift the culture. Nevertheless, Buckner said she doesn’t think payments from insurers undermine the work done by brokers, who must act in their clients’ best interests or risk losing them. “They want to have these clients for a really long term,” Buckner said.

Industrywide, transparency is not the standard. ProPublica sent a list of questions to 10 of the largest broker agencies, some worth $1 billion or more, including Marsh & McLennan, Aon and Willis Towers Watson, asking if they took bonuses and commissions from insurance companies, and whether they disclosed them to their clients. Four firms declined to answer; the others never responded despite repeated requests.

Insurers also don’t seem to have a problem with the payments. In 2017, Health Care Service Corporation, which oversees Blue Cross Blue Shield plans serving 15 million members in five states, disclosed in its corporate filings that it spent $816 million on broker bonuses and commissions, about 3 percent of its revenue that year. A company spokeswoman acknowledged in an email that employers are actually the ones who pay those fees; the money is just passed through the insurer. “We do not believe there is a conflict of interest,” she said.

In one email to a broker reviewed by ProPublica, Blue Cross Blue Shield of North Carolina called the bonuses it offered — up to $110,000 for bringing in a group of more than 1,000 — the “cherry on top.” The company told ProPublica that such bonuses are standard and that it always encourages brokers to “match their clients with the best product for them.”

Cathryn Donaldson, spokeswoman for the trade group America’s Health Insurance Plans, said in an email that brokers are incentivized “above all else” to serve their clients. “Guiding employees to a plan that offers quality, affordable care will help establish their business and reputation in the industry,” she said.

Some insurer’s pitches, however, clearly reward brokers’ devotion to them, not necessarily their clients. “To thank you for your loyalty to Humana, we want to extend our thanks with a bonus,” says one brochure pitched to brokers online. Horizon Blue Cross Blue Shield of New Jersey offered brokers a bonus as “a way to express our appreciation for your support.” Empire Blue Cross told brokers it would deliver new bonuses “for bringing in large group business ... and for keeping it with us.”

Delta Dental of California’s pitches appears to go one step further, rewarding brokers as “key members of our Small Business Program team.”

ProPublica reached out to all the insurers named in this story, and many didn’t respond. Cigna said in a statement that it offers affordable, high-quality benefit plans and doesn’t see a problem with providing incentives to brokers. Delta Dental emphasized in an email it follows applicable laws and regulations. And Horizon Blue Cross said its gives employers the option of how to pay brokers and discloses all compensation.

The effect of such financial incentives is troubling, said Michael Thompson, president of the National Alliance of Healthcare Purchaser Coalitions, which represents groups of employers who provide benefits. He said brokers don’t typically undermine their clients in a blatant way, but their own financial interests can create a “cozy relationship” that may make them wary of “stirring the pot.”

Employers should know how their brokers are paid, but health care is complex, so they are often not even aware of what they should ask, Thompson said. Employers rely on brokers to be a “trusted adviser,” he added. “Sometimes that trust is warranted and sometimes it’s not.”

Bad Faith Tactics

When officials in Morris County, New Jersey, sought a new broker to manage the county’s benefits, they specified that applicants could not take insurance company payouts related to their business. Instead, the county would pay the broker directly to ensure an unbiased search for the best benefits. The county hired Frenkel Benefits, a New York City broker, in February 2015.

Now, the county is suing the firm in Superior Court of New Jersey, accusing it of double-dipping. In addition to the fees from the county, the broker is accused of collecting a $235,000 commission in 2016 from the insurance giant Cigna. The broker got an additional $19,206 the next year, the lawsuit claims. To get the commission, one of the agency’s brokers allegedly certified, falsely, that the county would be told about the payment, the suit said. The county claims it was never notified and never approved the commission.

The suit also alleges the broker “purposefully concealed” the costs of switching the county’s health coverage to Cigna, which included administrative fees of $800,000.

In an interview, John Bowens, the county’s attorney, said the county had tried to guard against the broker being swayed by a large commission from an insurer. The brokers at Frenkel did not respond to requests for comment. The firm has not filed a response to the claims in the lawsuit. Steven Weisman, one of attorneys representing Frenkel, declined to comment.

Sometimes employers don’t find out their broker didn’t get them the best deal until they switch to another broker.

Josh Butler, a broker in Amarillo, Texas, who is also certified by Rosetta, recently took on a company of about 200 employees that had been signed up for a plan that had high out-of-pocket costs. The previous broker had enrolled the company in a supplemental plan that paid workers $1,000 if they were admitted to the hospital to help pay for uncovered costs. But Butler said the premiums for this coverage cost about $100,000 a year, and only nine employees had used it. That would make it much cheaper to pay for the benefit without insurance.

Butler suspects the previous broker encouraged the hospital benefits because they came with a sizable commission. He sells the same type of policies for the same insurer, so he knows the plan came with a 40 percent commission in the first year. That means about $40,000 of the employer’s premium went into the broker’s pocket.

Butler and other brokers said the insurance companies offer huge commissions to promote lucrative supplemental plans like dental, vision and disability. The total commissions on a supplemental cancer plan one insurer offered come to 57 percent, Butler said.

These massive year-one commissions lead some unscrupulous brokers to “churn” their supplemental benefits, Butler said, convincing employers to jump between insurers every year for the same type of benefits. The insurers don’t mind, Butler said, because the employers end up paying the tab. Brokers may also “product dump,” Butler said, which means pushing employers to sign employees up for multiple types of voluntary supplemental coverage, which brings them a hefty commission on each product.

Carl Schuessler, a broker in Atlanta who is certified by the Rosetta group, said he likes to help employers find out how much profit insurers are making on their premiums. Some states require insurers to provide the information, so when he took over the account for The Gasparilla Inn, an island resort on the Gulf Coast of Florida, he obtained the report for the company’s recent three years of coverage with UnitedHealthcare. He learned that the insurer had only paid out in claims about 65 percent of what the Inn had paid in premiums.

But in those same years the insurer had increased the Inn’s premiums, said Glenn Price, its chief financial officer. “It’s tough to swallow” increases to our premium when the insurer is making healthy profits, Price said. UnitedHealthcare declined to comment.

Schuessler, who is paid by the Inn, helped it transition to a self-funded plan, meaning the company bears the cost of the health care bills. Price said the Inn went from spending about $1 million a year to about $700,000, with lower costs and better benefits for employees, and no increases in three years.

A Need for Regulation

Despite the important function of brokers as middlemen, there’s been scant examination of their role in the marketplace.

Don Reiman, head of a Boise, Idaho, broker agency and a financial planner, said the federal government should require health benefit brokers to adhere to the same regulation he sees in the finance arena. The Employee Retirement Income Security Act, better known as ERISA, requires retirement plan advisers to disclose to employers all compensation that’s related to their plans, exposing potential conflicts.

The Department of Labor requires certain employers that provide health benefits to file documents every year about their plans, including payments to brokers. The department posts the information on its website.

But the data is notoriously messy. After a 2012 report found 23 percent of the forms contained errors, there was a proposal to revamp the data collection in 2016. It is unclear if that work was done, but ProPublica tried to analyze the data and found it incomplete or inaccurate. The data shortcomings mean employers have no real ability to compare payments to brokers.

About five years ago, Contorno, one of the leaders in the Rosetta movement, was blithely happy with the status quo: He had his favored insurers and could usually find traditional plans that appeared to fit his clients’ needs.

Today, he regrets his role in driving up employers’ health costs. One of his LinkedIn posts compares the industry’s acceptance of control by insurance companies to Stockholm Syndrome, the feelings of trust a hostage would have toward a captor.

Contorno began advising Palmer Johnson in 2016. When he took over, the company had a self-funded plan and its claims were reviewed by an administrator owned by its broker, Iowa-based Cottingham & Butler. Contorno brought in an independent claims administrator who closely scrutinized the claims and provided detailed cost information. The switch led to significant savings, said Parsons, the company owner. “It opened our eyes to what a good claims review process can mean to us,” he said.

Brad Plummer, senior vice president for employee benefits for Cottingham & Butler, acknowledged “things didn’t go swimmingly” with the claims company. But overall his company provided valuable service to Palmer Johnson, he said.

Contorno also provided resources to help Palmer Johnson employees find high-quality, low-cost providers, and the company waived any out-of-pocket expense as an incentive to get employees to see those medical providers. If a patient needed an out-of-network procedure, the price was negotiated up front to avoid massive surprise bills to the plan or the patient. The company also contracted with a vendor for drug coverage that does not use the secret rebates and hidden pricing schemes that are common in the industry. Palmer Johnson’s yearly health care costs per employee dropped by more than 25 percent, from about $11,252 in 2015 to $8,288 in 2018. That’s lower than they’d been in 2011, Contorno said.

“Now that my compensation is fully tied to meeting the clients’ goals, that is my sole objective,” he said. “Your broker works for whoever is cutting them the check.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

[Editor's note: today's guest post explores issues within the pharmaceuticals and drug industry. It is reprinted with permission.]

By David Armstrong, ProPublica

In May 1997, the year after Purdue Pharma launched OxyContin, its head of sales and marketing sought input on a key decision from Dr. Richard Sackler, a member of the billionaire family that founded and controls the company. Michael Friedman told Sackler that he didn’t want to correct the false impression among doctors that OxyContin was weaker than morphine, because the myth was boosting prescriptions — and sales.

“It would be extremely dangerous at this early stage in the life of the product,” Friedman wrote to Sackler, “to make physicians think the drug is stronger or equal to morphine….We are well aware of the view held by many physicians that oxycodone [the active ingredient in OxyContin] is weaker than morphine. I do not plan to do anything about that.”

“I agree with you,” Sackler responded. “Is there a general agreement, or are there some holdouts?”

Ten years later, Purdue pleaded guilty in federal court to understating the risk of addiction to OxyContin, including failing to alert doctors that it was a stronger painkiller than morphine, and agreed to pay $600 million in fines and penalties. But Sackler’s support of the decision to conceal OxyContin’s strength from doctors — in email exchanges both with Friedman and another company executive — was not made public.

The email threads were divulged in a sealed court document that ProPublica has obtained: an Aug. 28, 2015, deposition of Richard Sackler. Taken as part of a lawsuit by the state of Kentucky against Purdue, the deposition is believed to be the only time a member of the Sackler family has been questioned under oath about the illegal marketing of OxyContin and what family members knew about it. Purdue has fought a three-year legal battle to keep the deposition and hundreds of other documents secret, in a case brought by STAT, a Boston-based health and medicine news organization; the matter is currently before the Kentucky Supreme Court.

Meanwhile, interest in the deposition’s contents has intensified, as hundreds of cities, counties, states and tribes have sued Purdue and other opioid manufacturers and distributors. A House committee requested the document from Purdue last summer as part of an investigation of drug company marketing practices.

In a statement, Purdue stood behind Sackler’s testimony in the deposition. Sackler, it said, “supports that the company accurately disclosed the potency of OxyContin to healthcare providers.” He “takes great care to explain” that the drug’s label “made clear that OxyContin is twice as potent as morphine,” Purdue said.

Still, Purdue acknowledged, it had made a “determination to avoid emphasizing OxyContin as a powerful cancer pain drug,” out of “a concern that non-cancer patients would be reluctant to take a cancer drug.”

The company, which said it was also speaking on behalf of Sackler, deplored what it called the “intentional leak of the deposition” to ProPublica, calling it “a clear violation of the court’s order” and “regrettable.”

Much of the questioning of Sackler in the 337-page deposition focused on Purdue’s marketing of OxyContin, especially in the first five years after the drug’s 1996 launch. Aggressive marketing of OxyContin is blamed by some analysts for fostering a national crisis that has resulted in 200,000 overdose deaths related to prescription opioids since 1999.

Taken together with a Massachusetts complaint made public last month against Purdue and eight Sacklers, including Richard, the deposition underscores the family’s pivotal role in developing the business strategy for OxyContin and directing the hiring of an expanded sales force to implement a plan to sell the drug at ever-higher doses. Documents show that Richard Sackler was especially involved in the company’s efforts to market the drug, and that he pushed staff to pursue OxyContin’s deregulation in Germany. The son of a Purdue co-founder, he began working at Purdue in 1971 and has been at various times the company’s president and co-chairman of its board.

In a 1996 email introduced during the deposition, Sackler expressed delight at the early success of OxyContin. “Clearly this strategy has outperformed our expectations, market research and fondest dreams,” he wrote. Three years later, he wrote to a Purdue executive, “You won’t believe how committed I am to make OxyContin a huge success. It is almost that I dedicated my life to it. After the initial launch phase, I will have to catch up with my private life again.”

During his deposition, Sackler defended the company’s marketing strategies — including some Purdue had previously acknowledged were improper — and offered benign interpretations of emails that appeared to show Purdue executives or sales representatives minimizing the risks of OxyContin and its euphoric effects. He denied that there was any effort to deceive doctors about the potency of OxyContin and argued that lawyers for Kentucky were misconstruing words such as “stronger” and “weaker” used in email threads.

The term “stronger” in Friedman’s email, Sackler said, “meant more threatening, more frightening. There is no way that this intended or had the effect of causing physicians to overlook the fact that it was twice as potent.”

Emails introduced in the deposition show Sackler’s hidden role in key aspects of the 2007 federal case in which Purdue pleaded guilty. A 19-page statement of facts that Purdue admitted to as part of the plea deal, and which prosecutors said contained the “main violations of law revealed by the government’s criminal investigation,” referred to Friedman’s May 1997 email to Sackler about letting the doctors’ misimpression stand. It did not identify either man by name, attributing the statements to “certain Purdue supervisors and employees.”

Friedman, who by then had risen to chief executive officer, was one of three Purdue executives who pleaded guilty to a misdemeanor of “misbranding” OxyContin. No members of the Sackler family were charged or named as part of the plea agreement. The Massachusetts lawsuit alleges that the Sackler-controlled Purdue board voted that the three executives, but no family members, should plead guilty as individuals. After the case concluded, the Sacklers were concerned about maintaining the allegiance of Friedman and another of the executives, according to the Massachusetts lawsuit. To protect the family, Purdue paid the two executives at least $8 million, that lawsuit alleges.

“The Sacklers spent millions to keep the loyalty of people who knew the truth,” the complaint filed by the Massachusetts attorney general alleges.

The Kentucky deposition’s contents will likely fuel the growing protests against the Sacklers, including pressure to strip the family’s name from cultural and educational institutions to which it has donated. The family has been active in philanthropy for decades, giving away hundreds of millions of dollars. But the source of its wealth received little attention until recent years, in part due to a lack of public information about what the family knew about Purdue’s improper marketing of OxyContin and false claims about the drug’s addictive nature.

Although Purdue has been sued hundreds of times over OxyContin’s marketing, the company has settled many of these cases, and almost never gone to trial. As a condition of settlement, Purdue has often required a confidentiality agreement, shielding millions of records from public view.

That is what happened in Kentucky. In December 2015, the state settled its lawsuit against Purdue, alleging that the company created a “public nuisance” by improperly marketing OxyContin, for $24 million. The settlement required the state attorney general to “completely destroy” documents in its possession from Purdue. But that condition did not apply to records sealed in the circuit court where the case was filed. In March 2016, STAT filed a motion to make those documents public, including Sackler’s deposition. The Kentucky Court of Appeals last year upheld a lower court ruling ordering the deposition and other sealed documents be made public. Purdue asked the state Supreme Court to review the decision, and both sides recently filed briefs. Protesters outside Kentucky’s Capitol last week waved placards urging the court to release the deposition.

Sackler family members have long constituted the majority of Purdue’s board, and company profits flow to trusts that benefit the extended family. During his deposition, which took place over 11 hours in a law office in Louisville, Kentucky, Richard Sackler said “I don’t know” more than 100 times, including when he was asked how much his family had made from OxyContin sales. He acknowledged it was more than $1 billion, but when asked if they had made more than $5 billion, he said, “I don’t know.” Asked if it was more than $10 billion, he replied, “I don’t think so.”

By 2006, OxyContin’s “profit contribution” to Purdue was $4.7 billion, according to a document read at the deposition. From 2007 to 2018, the Sackler family received more than $4 billion in payouts from Purdue, according to the Massachusetts lawsuit.

During the deposition, Sackler was confronted with his email exchanges with company executives about Purdue’s decision not to correct the misperception among many doctors that OxyContin was weaker than morphine. The company viewed this as good news because the softer image of the drug was helping drive sales in the lucrative market for treating conditions like back pain and arthritis, records produced at the deposition show.

Designed to gradually release medicine into the bloodstream, OxyContin allows patients to take fewer pills than they would with other, quicker-acting pain medicines, and its effect lasts longer. But to accomplish these goals, more narcotic is packed into an OxyContin pill than competing products. Abusers quickly figured out how to crush the pills and extract the large amount of narcotic. They would typically snort it or dissolve it into liquid form to inject.

The pending Massachusetts lawsuit against Purdue accuses Sackler and other company executives of determining that “doctors had the crucial misconception that OxyContin was weaker than morphine, which led them to prescribe OxyContin much more often.” It also says that Sackler “directed Purdue staff not to tell doctors the truth,” for fear of reducing sales. But it doesn’t reveal the contents of the email exchange with Friedman, the link between that conversation and the 2007 plea agreement, and the back-and-forth in the deposition.

A few days after the email exchange with Friedman in 1997, Sackler had an email conversation with another company official, Michael Cullen, according to the deposition. “Since oxycodone is perceived as being a weaker opioid than morphine, it has resulted in OxyContin being used much earlier for non-cancer pain,” Cullen wrote to Sackler. “Physicians are positioning this product where Percocet, hydrocodone and Tylenol with codeine have been traditionally used.” Cullen then added, “It is important that we be careful not to change the perception of physicians toward oxycodone when developing promotional pieces, symposia, review articles, studies, et cetera.”

“I think that you have this issue well in hand,” Sackler responded.

Friedman and Cullen could not be reached for comment.

Asked at his deposition about the exchanges with Friedman and Cullen, Sackler didn’t dispute the authenticity of the emails. He said the company was concerned that OxyContin would be stigmatized like morphine, which he said was viewed only as an “end of life” drug that was frightening to people.

“Within this time it appears that people had fallen into a habit of signifying less frightening, less threatening, more patient acceptable as under the rubric of weaker or more frightening, more — less acceptable and less desirable under the rubric or word ‘stronger,’” Sackler said at his deposition. “But we knew that the word ‘weaker’ did not mean less potent. We knew that the word ‘stronger’ did not mean more potent.” He called the use of those words “very unfortunate.”

He said Purdue didn’t want OxyContin “to be polluted by all of the bad associations that patients and healthcare givers had with morphine.”

In his deposition, Sackler also defended sales representatives who, according to the statement of facts in the 2007 plea agreement, falsely told doctors during the 1996-2001 period that OxyContin did not cause euphoria or that it was less likely to do so than other opioids. This euphoric effect experienced by some patients is part of what can make OxyContin addictive. Yet, asked about a 1998 note written by a Purdue salesman, who indicated that he “talked of less euphoria” when promoting OxyContin to a doctor, Sackler argued it wasn’t necessarily improper.

“This was 1998, long before there was an Agreed Statement of Facts,” he said.

The lawyer for the state asked Sackler: “What difference does that make? If it’s improper in 2007, wouldn’t it be improper in 1998?”

“Not necessarily,” Sackler replied.

Shown another sales memo, in which a Purdue representative reported telling a doctor that “there may be less euphoria” with OxyContin, Sackler responded, “We really don’t know what was said.” After further questioning, Sackler said the claim that there may be less euphoria “could be true, and I don’t see the harm.”

The same issue came up regarding a note written by a Purdue sales representative about one doctor: “Got to convince him to counsel patients that they won’t get buzzed as they will with short-acting” opioid painkillers. Sackler defended these comments as well. “Well, what it says here is that they won’t get a buzz. And I don’t think that telling a patient ‘I don’t think you’ll get a buzz’ is harmful,” he said.

Sackler added that the comments from the representative to the doctor “actually could be helpful, because many patients won’t get a buzz, and if he would like to know if they do, he might have had a good medical reason for wanting to know that.”

Sackler said he didn’t believe any of the company sales people working in Kentucky engaged in the improper conduct described in the federal plea deal. “I don’t have any facts to inform me otherwise,” he said.

Purdue said that Sackler’s statements in his deposition “fully acknowledge the wrongful actions taken by some of Purdue’s employees prior to 2002,” as laid out in the 2007 plea agreement. Both the company and Sackler “fully agree” with the facts laid out in that case, Purdue said.

The deposition also reveals that Sackler pushed company officials to find out if German officials could be persuaded to loosen restrictions on the selling of OxyContin. In most countries, narcotic pain relievers are regulated as “controlled” substances because of the potential for abuse. Sackler and other Purdue executives discussed the possibility of persuading German officials to classify OxyContin as an uncontrolled drug, which would likely allow doctors to prescribe the drug more readily — for instance, without seeing a patient. Fewer rules were expected to translate into more sales, according to company documents disclosed at the deposition.

One Purdue official warned Sackler and others that it was a bad idea. Robert Kaiko, who developed OxyContin for Purdue, wrote to Sackler, “If OxyContin is uncontrolled in Germany, it is highly likely that it will eventually be abused there and then controlled.”

Nevertheless, Sackler asked a Purdue executive in Germany for projections of sales with and without controls. He also wondered whether, if one country in the European Union relaxed controls on the drug, others might do the same. When finally informed that German officials had decided the drug would be controlled like other narcotics, Sackler asked in an email if the company could appeal. Told that wasn’t possible, he wrote back to an executive in Germany, “When we are next together we should talk about how this idea was raised and why it failed to be realized. I thought that it was a good idea if it could be done.”

Asked at the deposition about that comment, Sackler responded, “That’s what I said, but I didn’t mean it. I just wanted to be encouraging.” He said he really “was not in favor of” loosening OxyContin regulation and was simply being “polite” and “solicitous” of his own employee.

Near the end of the deposition — after showing Sackler dozens of emails, memos and other records regarding the marketing of OxyContin — a lawyer for Kentucky posed a fundamental question.

“Sitting here today, after all you’ve come to learn as a witness, do you believe Purdue’s conduct in marketing and promoting OxyContin in Kentucky caused any of the prescription drug addiction problems now plaguing the Commonwealth?” he asked.

Sackler replied, “I don’t believe so.”

Filed under:

• Health Care

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the state's healthcare program based upon a state law passed in 2006 to provide health insurance to all Commonwealth residents. The law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreen's will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Harold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected and the businesses which must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which explores data collection, data sharing, and privacy issues within the healthcare industry. It is reprinted with permission.]

By Derek Kravitz and Marshall Allen, ProPublica

Medical devices are gathering more and more data from their users, whether it’s their heart rates, sleep patterns or the number of steps taken in a day. Insurers and medical device makers say such data can be used to vastly improve health care.

But the data that’s generated can also be used in ways that patients don’t necessarily expect. It can be packaged and sold for advertising. It can anonymized and used by customer support and information technology companies. Or it can be shared with health insurers, who may use it to deny reimbursement. Privacy experts warn that data gathered by insurers could also be used to rate individuals’ health care costs and potentially raise their premiums.

Patients typically have to give consent for their data to be used — so-called “donated data.” But some patients said they weren’t aware that their information was being gathered and shared. And once the data is shared, it can be used in a number of ways. Here are a few of the most popular medical devices that can share data with insurers:

Continuous Positive Airway Pressure, or CPAP, Machines

What Are They?

One of the more popular devices for those with sleep apnea, CPAP machines are covered by insurers after a sleep study confirms the diagnosis. These units, which deliver pressurized air through masks worn by patients as they sleep, collect data and transmit it wirelessly.

What Do They Collect?

It depends on the unit, but CPAP machines can collect data on the number of hours a patient uses the device, the number of interruptions in sleep and the amount of air that leaks from the mask.

Who Gets the Info?

The data may be transmitted to the makers or suppliers of the machines. Doctors may use it to assess whether the therapy is effective. Health insurers may receive the data to track whether patients are using their CPAP machines as directed. They may refuse to reimburse the costs of the machine if the patient doesn’t use it enough. The device maker ResMed said in a statement that patients may withdraw their consent to have their data shared.

Heart Monitors

What Are They?

Heart monitors, oftentimes small, battery-powered devices worn on the body and attached to the skin with electrodes, measure and record the heart’s electrical signals, typically over a few days or weeks, to detect things like irregular heartbeats or abnormal heart rhythms. Some devices implanted under the skin can last up to five years.

What Do They Collect?

Wearable ones include Holter monitors, wired external devices that attach to the skin, and event recorders, which can track slow or fast heartbeats and fainting spells. Data can also be shared from implanted pacemakers, which keep the heart beating properly for those with arrhythmias.

Who Gets the Info?

Low resting heart rates or other abnormal heart conditions are commonly used by insurance companies to place patients in more expensive rate classes. Children undergoing genetic testing are sometimes outfitted with heart monitors before their diagnosis, increasing the odds that their data is used by insurers. This sharing is the most common complaint cited by the World Privacy Forum, a consumer rights group.

Blood Glucose Monitors

What Are They?

Millions of Americans who have diabetes are familiar with blood glucose meters, or glucometers, which take a blood sample on a strip of paper and analyze it for glucose, or sugar, levels. This allows patients and their doctors to monitor their diabetes so they don’t have complications like heart or kidney disease. Blood glucose meters are used by the more the 1.2 million Americans with Type 1 diabetes, which is usually diagnosed in children, teens and young adults.

What Do They Collect?

Blood sugar monitors measure the concentration of glucose in a patient’s blood, a key indicator of proper diabetes management.

Who Gets the Info?

Diabetes monitoring equipment is sold directly to patients, but many still rely on insurer-provided devices. To get reimbursement for blood glucose meters, health insurers will typically ask for at least a month’s worth of blood sugar data.

Lifestyle Monitors

What Are They?

Step counters, medication alerts and trackers, and in-home cameras are among the devices in the increasingly crowded lifestyle health industry.

What Do They Collect?

Many health data research apps are made up of “donated data,” which is provided by consumers and falls outside of federal guidelines that require the sharing of personal health data be disclosed and anonymized to protect the identity of the patient. This data includes everything from counters for the number of steps you take, the calories you eat and the number of flights of stairs you climb to more traditional health metrics, such as pulse and heart rates.

Who Gets the Info?

It varies by device. But the makers of the Fitbit step counter, for example, say they never sell customer personal data or share personal information unless a user requests it; it is part of a legal process; or it is provided on a “confidential basis” to a third-party customer support or IT provider. That said, Fitbit allows users who give consent to share data “with a health insurer or wellness program,” according to a statement from the company.

Filed under:

• Health Care

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which explores data collection, data sharing, and privacy issues within the healthcare industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Last March, Tony Schmidt discovered something unsettling about the machine that helps him breathe at night. Without his knowledge, it was spying on him.

From his bedside, the device was tracking when he was using it and sending the information not just to his doctor, but to the maker of the machine, to the medical supply company that provided it and to his health insurer.

Schmidt, an information technology specialist from Carrollton, Texas, was shocked. “I had no idea they were sending my information across the wire.”

Schmidt, 59, has sleep apnea, a disorder that causes worrisome breaks in his breathing at night. Like millions of people, he relies on a continuous positive airway pressure, or CPAP, machine that streams warm air into his nose while he sleeps, keeping his airway open. Without it, Schmidt would wake up hundreds of times a night; then, during the day, he’d nod off at work, sometimes while driving and even as he sat on the toilet.

“I couldn’t keep a job,” he said. “I couldn’t stay awake.” The CPAP, he said, saved his career, maybe even his life.

As many CPAP users discover, the life-altering device comes with caveats: Health insurance companies are often tracking whether patients use them. If they aren’t, the insurers might not cover the machines or the supplies that go with them.

In fact, faced with the popularity of CPAPs, which can cost $400 to $800, and their need for replacement filters, face masks and hoses, health insurers have deployed a host of tactics that can make the therapy more expensive or even price it out of reach.

Patients have been required to rent CPAPs at rates that total much more than the retail price of the devices, or they’ve discovered that the supplies would be substantially cheaper if they didn’t have insurance at all.

Experts who study health care costs say insurers’ CPAP strategies are part of the industry’s playbook of shifting the costs of widely used therapies, devices and tests to unsuspecting patients.

“The doctors and providers are not in control of medicine anymore,” said Harry Lawrence, owner of Advanced Oxy-Med Services, a New York company that provides CPAP supplies. “It’s strictly the insurance companies. They call the shots.”

Insurers say their concerns are legitimate. The masks and hoses can be cumbersome and noisy, and studies show that about third of patients don’t use their CPAPs as directed.

But the companies’ practices have spawned lawsuits and concerns by some doctors who say that policies that restrict access to the machines could have serious, or even deadly, consequences for patients with severe conditions. And privacy experts worry that data collected by insurers could be used to discriminate against patients or raise their costs.

Schmidt’s privacy concerns began the day after he registered his new CPAP unit with ResMed, its manufacturer. He opted out of receiving any further information. But he had barely wiped the sleep out of his eyes the next morning when a peppy email arrived in his inbox. It was ResMed, praising him for completing his first night of therapy. “Congratulations! You’ve earned yourself a badge!” the email said.

Then came this exchange with his supply company, Medigy: Schmidt had emailed the company to praise the “professional, kind, efficient and competent” technician who set up the device. A Medigy representative wrote back, thanking him, then adding that Schmidt’s machine “is doing a great job keeping your airway open.” A report detailing Schmidt’s usage was attached.

Alarmed, Schmidt complained to Medigy and learned his data was also being shared with his insurer, Blue Cross Blue Shield. He’d known his old machine had tracked his sleep because he’d taken its removable data card to his doctor. But this new invasion of privacy felt different. Was the data encrypted to protect his privacy as it was transmitted? What else were they doing with his personal information?

He filed complaints with the Better Business Bureau and the federal government to no avail. “My doctor is the ONLY one that has permission to have my data,” he wrote in one complaint.

In an email, a Blue Cross Blue Shield spokesperson said that it’s standard practice for insurers to monitor sleep apnea patients and deny payment if they aren’t using the machine. And privacy experts said that sharing the data with insurance companies is allowed under federal privacy laws. A ResMed representative said once patients have given consent, it may share the data it gathers, which is encrypted, with the patients’ doctors, insurers and supply companies.

Schmidt returned the new CPAP machine and went back to a model that allowed him to use a removable data card. His doctor can verify his compliance, he said.

Luke Petty, the operations manager for Medigy, said a lot of CPAP users direct their ire at companies like his. The complaints online number in the thousands. But insurance companies set the prices and make the rules, he said, and suppliers follow them, so they can get paid.

“Every year it’s a new hurdle, a new trick, a new game for the patients,” Petty said.

A Sleep Saving Machine Gets Popular

The American Sleep Apnea Association estimates about 22 million Americans have sleep apnea, although it’s often not diagnosed. The number of people seeking treatment has grown along with awareness of the disorder. It’s a potentially serious disorder that left untreated can lead to risks for heart disease, diabetes, cancer and cognitive disorders. CPAP is one of the only treatments that works for many patients.

Exact numbers are hard to come by, but ResMed, the leading device maker, said it’s monitoring the CPAP use of millions of patients.

Sleep apnea specialists and health care cost experts say insurers have countered the deluge by forcing patients to prove they’re using the treatment.

Medicare, the government insurance program for seniors and the disabled, began requiring CPAP “compliance” after a boom in demand. Because of the discomfort of wearing a mask, hooked up to a noisy machine, many patients struggle to adapt to nightly use. Between 2001 and 2009, Medicare payments for individual sleep studies almost quadrupled to $235 million. Many of those studies led to a CPAP prescription. Under Medicare rules, patients must use the CPAP for four hours a night for at least 70 percent of the nights in any 30-day period within three months of getting the device. Medicare requires doctors to document the adherence and effectiveness of the therapy.

Sleep apnea experts deemed Medicare’s requirements arbitrary. But private insurers soon adopted similar rules, verifying usage with data from patients’ machines — with or without their knowledge.

Kristine Grow, spokeswoman for the trade association America’s Health Insurance Plans, said monitoring CPAP use is important because if patients aren’t using the machines, a less expensive therapy might be a smarter option. Monitoring patients also helps insurance companies advise doctors about the best treatment for patients, she said. When asked why insurers don’t just rely on doctors to verify compliance, Grow said she didn’t know.

Many insurers also require patients to rack up monthly rental fees rather than simply pay for a CPAP.

Dr. Ofer Jacobowitz, a sleep apnea expert at ENT and Allergy Associates and assistant professor at The Mount Sinai Hospital in New York, said his patients often pay rental fees for a year or longer before meeting the prices insurers set for their CPAPs. But since patients’ deductibles — the amount they must pay before insurance kicks in — reset at the beginning of each year, they may end up covering the entire cost of the rental for much of that time, he said.

The rental fees can surpass the retail cost of the machine, patients and doctors say. Alan Levy, an attorney who lives in Rahway, New Jersey, bought an individual insurance plan through the now-defunct Health Republic Insurance of New Jersey in 2015. When his doctor prescribed a CPAP, the company that supplied his device, At Home Medical, told him he needed to rent the device for $104 a month for 15 months. The company told him the cost of the CPAP was $2,400.

Levy said he wouldn’t have worried about the cost if his insurance had paid it. But Levy’s plan required him to reach a $5,000 deductible before his insurance plan paid a dime. So Levy looked online and discovered the machine actually cost about $500.

Levy said he called At Home Medical to ask if he could avoid the rental fee and pay $500 up front for the machine, and a company representative said no. “I’m being overcharged simply because I have insurance,” Levy recalled protesting.

Levy refused to pay the rental fees. “At no point did I ever agree to enter into a monthly rental subscription,” he wrote in a letter disputing the charges. He asked for documentation supporting the cost. The company responded that he was being billed under the provisions of his insurance carrier.

Levy’s law practice focuses, ironically, on defending insurance companies in personal injury cases. So he sued At Home Medical, accusing the company of violating the New Jersey Consumer Fraud Act. Levy didn’t expect the case to go to trial. “I knew they were going to have to spend thousands of dollars on attorney’s fees to defend a claim worth hundreds of dollars,” he said.

Sure enough, At Home Medical, agreed to allow Levy to pay $600 — still more than the retail cost — for the machine.

The company declined to comment on the case. Suppliers said that Levy’s case is extreme, but acknowledged that patients’ rental fees often add up to more than the device is worth.

Levy said that he was happy to abide by the terms of his plan, but that didn’t mean the insurance company could charge him an unfair price. “If the machine’s worth $500, no matter what the plan says, or the medical device company says, they shouldn’t be charging many times that price,” he said.

Dr. Douglas Kirsch, president of the American Academy of Sleep Medicine, said high rental fees aren’t the only problem. Patients can also get better deals on CPAP filters, hoses, masks and other supplies when they don’t use insurance, he said.

Cigna, one of the largest health insurers in the country, currently faces a class-action suit in U.S. District Court in Connecticut over its billing practices, including for CPAP supplies. One of the plaintiffs, Jeffrey Neufeld, who lives in Connecticut, contends that Cigna directed him to order his supplies through a middleman who jacked up the prices.

Neufeld declined to comment for this story. But his attorney, Robert Izard, said Cigna contracted with a company called CareCentrix, which coordinates a network of suppliers for the insurer. Neufeld decided to contact his supplier directly to find out what it had been paid for his supplies and compare that to what he was being charged. He discovered that he was paying substantially more than the supplier said the products were worth. For instance, Neufeld owed $25.68 for a disposable filter under his Cigna plan, while the supplier was paid $7.50. He owed $147.78 for a face mask through his Cigna plan while the supplier was paid $95.

ProPublica found all the CPAP supplies billed to Neufeld online at even lower prices than those the supplier had been paid. Longtime CPAP users say it’s well known that supplies are cheaper when they are purchased without insurance.

Neufeld’s cost “should have been based on the lower amount charged by the actual provider, not the marked-up bill from the middleman,” Izard said. Patients covered by other insurance companies may have fallen victim to similar markups, he said.

Cigna would not comment on the case. But in documents filed in the suit, it denied misrepresenting costs or overcharging Neufeld. The supply company did not return calls for comment.

In a statement, Stephen Wogen, CareCentrix’s chief growth officer, said insurers may agree to pay higher prices for some services, while negotiating lower prices for others, to achieve better overall value. For this reason, he said, isolating select prices doesn’t reflect the overall value of the company’s services. CareCentrix declined to comment on Neufeld’s allegations.

Izard said Cigna and CareCentrix benefit from such behind-the-scenes deals by shifting the extra costs to patients, who often end up covering the marked-up prices out of their deductibles. And even once their insurance kicks in, the amount the patients must pay will be much higher.

The ubiquity of CPAP insurance concerns struck home during the reporting of this story, when a ProPublica colleague discovered how his insurer was using his data against him.

Sleep Aid or Surveillance Device?

Without his CPAP, Eric Umansky, a deputy managing editor at ProPublica, wakes up repeatedly through the night and snores so insufferably that he is banished to the living room couch. “My marriage depends on it.”

In September, his doctor prescribed a new mask and airflow setting for his machine. Advanced Oxy-Med Services, the medical supply company approved by his insurer, sent him a modem that he plugged into his machine, giving the company the ability to change the settings remotely if needed.

But when the mask hadn’t arrived a few days later, Umansky called Advanced Oxy-Med. That’s when he got a surprise: His insurance company might not pay for the mask, a customer service representative told him, because he hadn’t been using his machine enough. “On Tuesday night, you only used the mask for three-and-a-half hours,” the representative said. “And on Monday night, you only used it for three hours.”

“Wait — you guys are using this thing to track my sleep?” Umansky recalled saying. “And you are using it to deny me something my doctor says I need?”

Umansky’s new modem had been beaming his personal data from his Brooklyn bedroom to the Newburgh, New York-based supply company, which, in turn, forwarded the information to his insurance company, UnitedHealthcare.

Umansky was bewildered. He hadn’t been using the machine all night because he needed a new mask. But his insurance company wouldn’t pay for the new mask until he proved he was using the machine all night — even though, in his case, he, not the insurance company, is the owner of the device.

“You view it as a device that is yours and is serving you,” Umansky said. “And suddenly you realize it is a surveillance device being used by your health insurance company to limit your access to health care.”

Privacy experts said such concerns are likely to grow as a host of devices now gather data about patients, including insertable heart monitors and blood glucose meters, as well as Fitbits, Apple Watches and other lifestyle applications. Privacy laws have lagged behind this new technology, and patients may be surprised to learn how little control they have over how the data is used or with whom it is shared, said Pam Dixon, executive director of the World Privacy Forum.

“What if they find you only sleep a fitful five hours a night?” Dixon said. “That’s a big deal over time. Does that affect your health care prices?”

UnitedHealthcare said in a statement that it only uses the data from CPAPs to verify patients are using the machines.

Lawrence, the owner of Advanced Oxy-Med Services, conceded that his company should have told Umansky his CPAP use would be monitored for compliance, but it had to follow the insurers’ rules to get paid.

As for Umansky, it’s now been two months since his doctor prescribed him a new airflow setting for his CPAP machine. The supply company has been paying close attention to his usage, Umansky said, but it still hasn’t updated the setting.

The irony is not lost on Umansky: “I wish they would spend as much time providing me actual care as they do monitoring whether I’m ‘compliant.’”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

On Friday, the Centers For Medicare and Medicaid Services (CMS) announced a data breach at a computer system which interacts with the Healthcare.gov site. Files for about 75,000 users -- agents and brokers -- were accessed by unauthorized persons. The announcement stated:

"Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE... CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled."

CMS has notified and is working with Federal law enforcement. It expects to restore the Direct Enrollment pathway for agents and brokers within the next 7 days, before the start of the sign-up period on November 1st for health care coverage under the Affordable Care Act.

CMS Administrator Seema Verma said:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

Sadly, data breaches happen -- all too often within government agencies and corporations. It should be noted that this breach was detected quickly -- within 3 days. Other data breaches have gone undetected for weeks or months; and too many corporate data breaches affected millions.

Aetna inked settlement agreements with several states, including New Jersey, to resolve disclosures of sensitive patient information. According to an announcement by the Attorney General for New Jersey, the settlement agreements resolve:

"... a multi-state investigation focused on two separate privacy breaches by Aetna that occurred in 2017 – one involving a mailing that potentially revealed information about addressees’ HIV/AIDS status, the other involving a mailing that potentially revealed individuals’ involvement in a study of patients with atrial fibrillation (or AFib)..."

Connecticut, Washington, and the District of Columbia joined with New Jersey for both the  investigation and settlement agreements. The multi-state investigation found:

"... that Aetna inadvertently disclosed HIV/AIDS-related information about thousands of individuals across the U.S. – including approximately 647 New Jersey residents – through a third-party mailing on July 28, 2017. The envelopes used in the mailing had an over-sized, transparent glassine address window, which revealed not only the recipients’ names and addresses, but also text that included the words “HIV Medications"... The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals concerning a study of patients with AFib. The envelopes for the mailing included the name and logo for the study – IMPACT AFib – which could have been interpreted as indicating that the addressee had an AFib diagnosis... Aetna not only violated the federal Health Insurance Portability and Accountability Act (HIPAA), but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular..."

A class-action lawsuit filed on behalf of affected HIV/AIDS patients has been settled, pending approval from a federal court, which requires Aetna to pay about $17 million to resolve allegations. Terms of the multi-state settlement agreement require Aetna to pay a $365,211.59 civil penalty to New Jersey, and:

• Implement policy, processes, and employee training reforms to both better protect persons' protected health information, and ensure mailings maintain persons' privacy; and
• Hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the terms of the settlement agreements.

In December of last year, CVS Health and Aetna announced a merger agreement where CVS Health acquired Aetna for about $69 billion. Last week, CVS Health announced an expansion of its board of directors to include the addition of three directors from its Aetna unit. At press time, neither company's website mentioned the multi-state settlement agreement.

[Editor's note: today's guest post, by reporters at ProPublica, explores privacy and data collection issues within the healthcare industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

To an outsider, the fancy booths at last month’s health insurance industry gathering in San Diego aren’t very compelling. A handful of companies pitching “lifestyle” data and salespeople touting jargony phrases like “social determinants of health.”

But dig deeper and the implications of what they’re selling might give many patients pause: A future in which everything you do — the things you buy, the food you eat, the time you spend watching TV — may help determine how much you pay for health insurance.

With little public scrutiny, the health insurance industry has joined forces with data brokers to vacuum up personal details about hundreds of millions of Americans, including, odds are, many readers of this story. The companies are tracking your race, education level, TV habits, marital status, net worth. They’re collecting what you post on social media, whether you’re behind on your bills, what you order online. Then they feed this information into complicated computer algorithms that spit out predictions about how much your health care could cost them.

Are you a woman who recently changed your name? You could be newly married and have a pricey pregnancy pending. Or maybe you’re stressed and anxious from a recent divorce. That, too, the computer models predict, may run up your medical bills.

Are you a woman who’s purchased plus-size clothing? You’re considered at risk of depression. Mental health care can be expensive.

Low-income and a minority? That means, the data brokers say, you are more likely to live in a dilapidated and dangerous neighborhood, increasing your health risks.

“We sit on oceans of data,” said Eric McCulley, director of strategic solutions for LexisNexis Risk Solutions, during a conversation at the data firm’s booth. And he isn’t apologetic about using it. “The fact is, our data is in the public domain,” he said. “We didn’t put it out there.”

Insurers contend they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn’t be used to set prices. But as a research scientist from one company told me: “I can’t say it hasn’t happened.”

At a time when every week brings a new privacy scandal and worries abound about the misuse of personal information, patient advocates and privacy scholars say the insurance industry’s data gathering runs counter to its touted, and federally required, allegiance to patients’ medical privacy. The Health Insurance Portability and Accountability Act, or HIPAA, only protects medical information.

“We have a health privacy machine that’s in crisis,” said Frank Pasquale, a professor at the University of Maryland Carey School of Law who specializes in issues related to machine learning and algorithms. “We have a law that only covers one source of health information. They are rapidly developing another source.”

Patient advocates warn that using unverified, error-prone “lifestyle” data to make medical assumptions could lead insurers to improperly price plans — for instance raising rates based on false information — or discriminate against anyone tagged as high cost. And, they say, the use of the data raises thorny questions that should be debated publicly, such as: Should a person’s rates be raised because algorithms say they are more likely to run up medical bills? Such questions would be moot in Europe, where a strict law took effect in May that bans trading in personal data.

This year, ProPublica and NPR are investigating the various tactics the health insurance industry uses to maximize its profits. Understanding these strategies is important because patients — through taxes, cash payments and insurance premiums — are the ones funding the entire health care system. Yet the industry’s bewildering web of strategies and inside deals often have little to do with patients’ needs. As the series’ first story showed, contrary to popular belief, lower bills aren’t health insurers’ top priority.

Inside the San Diego Convention Center last month, there were few qualms about the way insurance companies were mining Americans’ lives for information — or what they planned to do with the data.

The sprawling convention center was a balmy draw for one of America’s Health Insurance Plans’ marquee gatherings. Insurance executives and managers wandered through the exhibit hall, sampling chocolate-covered strawberries, champagne and other delectables designed to encourage deal-making.

Up front, the prime real estate belonged to the big guns in health data: The booths of Optum, IBM Watson Health and LexisNexis stretched toward the ceiling, with flat screen monitors and some comfy seating. (NPR collaborates with IBM Watson Health on national polls about consumer health topics.)

To understand the scope of what they were offering, consider Optum. The company, owned by the massive UnitedHealth Group, has collected the medical diagnoses, tests, prescriptions, costs and socioeconomic data of 150 million Americans going back to 1993, according to its marketing materials. (UnitedHealth Group provides financial support to NPR.) The company says it uses the information to link patients’ medical outcomes and costs to details like their level of education, net worth, family structure and race. An Optum spokesman said the socioeconomic data is de-identified and is not used for pricing health plans.

Optum’s marketing materials also boast that it now has access to even more. In 2016, the company filed a patent application to gather what people share on platforms like Facebook and Twitter, and link this material to the person’s clinical and payment information. A company spokesman said in an email that the patent application never went anywhere. But the company’s current marketing materials say it combines claims and clinical information with social media interactions.

I had a lot of questions about this and first reached out to Optum in May, but the company didn’t connect me with any of its experts as promised. At the conference, Optum salespeople said they weren’t allowed to talk to me about how the company uses this information.

It isn’t hard to understand the appeal of all this data to insurers. Merging information from data brokers with people’s clinical and payment records is a no-brainer if you overlook potential patient concerns. Electronic medical records now make it easy for insurers to analyze massive amounts of information and combine it with the personal details scooped up by data brokers.

It also makes sense given the shifts in how providers are getting paid. Doctors and hospitals have typically been paid based on the quantity of care they provide. But the industry is moving toward paying them in lump sums for caring for a patient, or for an event, like a knee surgery. In those cases, the medical providers can profit more when patients stay healthy. More money at stake means more interest in the social factors that might affect a patient’s health.

Some insurance companies are already using socioeconomic data to help patients get appropriate care, such as programs to help patients with chronic diseases stay healthy. Studies show social and economic aspects of people’s lives play an important role in their health. Knowing these personal details can help them identify those who may need help paying for medication or help getting to the doctor.

But patient advocates are skeptical health insurers have altruistic designs on people’s personal information.

The industry has a history of boosting profits by signing up healthy people and finding ways to avoid sick people — called “cherry-picking” and “lemon-dropping,” experts say. Among the classic examples: A company was accused of putting its enrollment office on the third floor of a building without an elevator, so only healthy patients could make the trek to sign up. Another tried to appeal to spry seniors by holding square dances.

The Affordable Care Act prohibits insurers from denying people coverage based on pre-existing health conditions or charging sick people more for individual or small group plans. But experts said patients’ personal information could still be used for marketing, and to assess risks and determine the prices of certain plans. And the Trump administration is promoting short-term health plans, which do allow insurers to deny coverage to sick patients.

Robert Greenwald, faculty director of Harvard Law School’s Center for Health Law and Policy Innovation, said insurance companies still cherry-pick, but now they’re subtler. The center analyzes health insurance plans to see if they discriminate. He said insurers will do things like failing to include enough information about which drugs a plan covers — which pushes sick people who need specific medications elsewhere. Or they may change the things a plan covers, or how much a patient has to pay for a type of care, after a patient has enrolled. Or, Greenwald added, they might exclude or limit certain types of providers from their networks — like those who have skill caring for patients with HIV or hepatitis C.

If there were concerns that personal data might be used to cherry-pick or lemon-drop, they weren’t raised at the conference.

At the IBM Watson Health booth, Kevin Ruane, a senior consulting scientist, told me that the company surveys 80,000 Americans a year to assess lifestyle, attitudes and behaviors that could relate to health care. Participants are asked whether they trust their doctor, have financial problems, go online, or own a Fitbit and similar questions. The responses of hundreds of adjacent households are analyzed together to identify social and economic factors for an area.

Ruane said he has used IBM Watson Health’s socioeconomic analysis to help insurance companies assess a potential market. The ACA increased the value of such assessments, experts say, because companies often don’t know the medical history of people seeking coverage. A region with too many sick people, or with patients who don’t take care of themselves, might not be worth the risk.

Ruane acknowledged that the information his company gathers may not be accurate for every person. “We talk to our clients and tell them to be careful about this,” he said. “Use it as a data insight. But it’s not necessarily a fact.”

In a separate conversation, a salesman from a different company joked about the potential for error. “God forbid you live on the wrong street these days,” he said. “You’re going to get lumped in with a lot of bad things.”

The LexisNexis booth was emblazoned with the slogan “Data. Insight. Action.” The company said it uses 442 non-medical personal attributes to predict a person’s medical costs. Its cache includes more than 78 billion records from more than 10,000 public and proprietary sources, including people’s cellphone numbers, criminal records, bankruptcies, property records, neighborhood safety and more. The information is used to predict patients’ health risks and costs in eight areas, including how often they are likely to visit emergency rooms, their total cost, their pharmacy costs, their motivation to stay healthy and their stress levels.

People who downsize their homes tend to have higher health care costs, the company says. As do those whose parents didn’t finish high school. Patients who own more valuable homes are less likely to land back in the hospital within 30 days of their discharge. The company says it has validated its scores against insurance claims and clinical data. But it won’t share its methods and hasn’t published the work in peer-reviewed journals.

McCulley, LexisNexis’ director of strategic solutions, said predictions made by the algorithms about patients are based on the combination of the personal attributes. He gave a hypothetical example: A high school dropout who had a recent income loss and doesn’t have a relative nearby might have higher than expected health costs.

But couldn’t that same type of person be healthy? I asked.

“Sure,” McCulley said, with no apparent dismay at the possibility that the predictions could be wrong.

McCulley and others at LexisNexis insist the scores are only used to help patients get the care they need and not to determine how much someone would pay for their health insurance. The company cited three different federal laws that restricted them and their clients from using the scores in that way. But privacy experts said none of the laws cited by the company bar the practice. The company backed off the assertions when I pointed that the laws did not seem to apply.

LexisNexis officials also said the company’s contracts expressly prohibit using the analysis to help price insurance plans. They would not provide a contract. But I knew that in at least one instance a company was already testing whether the scores could be used as a pricing tool.

Before the conference, I’d seen a press release announcing that the largest health actuarial firm in the world, Milliman, was now using the LexisNexis scores. I tracked down Marcos Dachary, who works in business development for Milliman. Actuaries calculate health care risks and help set the price of premiums for insurers. I asked Dachary if Milliman was using the LexisNexis scores to price health plans and he said: “There could be an opportunity.”

The scores could allow an insurance company to assess the risks posed by individual patients and make adjustments to protect themselves from losses, he said. For example, he said, the company could raise premiums, or revise contracts with providers.

It’s too early to tell whether the LexisNexis scores will actually be useful for pricing, he said. But he was excited about the possibilities. “One thing about social determinants data — it piques your mind,” he said.

Dachary acknowledged the scores could also be used to discriminate. Others, he said, have raised that concern. As much as there could be positive potential, he said, “there could also be negative potential.”

It’s that negative potential that still bothers data analyst Erin Kaufman, who left the health insurance industry in January. The 35-year-old from Atlanta had earned her doctorate in public health because she wanted to help people, but one day at Aetna, her boss told her to work with a new data set.

To her surprise, the company had obtained personal information from a data broker on millions of Americans. The data contained each person’s habits and hobbies, like whether they owned a gun, and if so, what type, she said. It included whether they had magazine subscriptions, liked to ride bikes or run marathons. It had hundreds of personal details about each person.

The Aetna data team merged the data with the information it had on patients it insured. The goal was to see how people’s personal interests and hobbies might relate to their health care costs. But Kaufman said it felt wrong: The information about the people who knitted or crocheted made her think of her grandmother. And the details about individuals who liked camping made her think of herself. What business did the insurance company have looking at this information? “It was a dataset that really dug into our clients’ lives,” she said. “No one gave anyone permission to do this.”

In a statement, Aetna said it uses consumer marketing information to supplement its claims and clinical information. The combined data helps predict the risk of repeat emergency room visits or hospital admissions. The information is used to reach out to members and help them and plays no role in pricing plans or underwriting, the statement said.

Kaufman said she had concerns about the accuracy of drawing inferences about an individual’s health from an analysis of a group of people with similar traits. Health scores generated from arrest records, home ownership and similar material may be wrong, she said.

Pam Dixon, executive director of the World Privacy Forum, a nonprofit that advocates for privacy in the digital age, shares Kaufman’s concerns. She points to a study by the analytics company SAS, which worked in 2012 with an unnamed major health insurance company to predict a person’s health care costs using 1,500 data elements, including the investments and types of cars people owned.

The SAS study said higher health care costs could be predicted by looking at things like ethnicity, watching TV and mail order purchases.

“I find that enormously offensive as a list,” Dixon said. “This is not health data. This is inferred data.”

Data scientist Cathy O’Neil said drawing conclusions about health risks on such data could lead to a bias against some poor people. It would be easy to infer they are prone to costly illnesses based on their backgrounds and living conditions, said O’Neil, author of the book “Weapons of Math Destruction,” which looked at how algorithms can increase inequality. That could lead to poor people being charged more, making it harder for them to get the care they need, she said. Employers, she said, could even decide not to hire people with data points that could indicate high medical costs in the future.

O’Neil said the companies should also measure how the scores might discriminate against the poor, sick or minorities.

American policymakers could do more to protect people’s information, experts said. In the United States, companies can harvest personal data unless a specific law bans it, although California just passed legislation that could create restrictions, said William McGeveran, a professor at the University of Minnesota Law School. Europe, in contrast, passed a strict law called the General Data Protection Regulation, which went into effect in May.

“In Europe, data protection is a constitutional right,” McGeveran said.

Pasquale, the University of Maryland law professor, said health scores should be treated like credit scores. Federal law gives people the right to know their credit scores and how they’re calculated. If people are going to be rated by whether they listen to sad songs on Spotify or look up information about AIDS online, they should know, Pasquale said. “The risk of improper use is extremely high. And data scores are not properly vetted and validated and available for scrutiny.”

As I reported this story I wondered how the data vendors might be using my personal information to score my potential health costs. So, I filled out a request on the LexisNexis website for the company to send me some of the personal information it has on me. A week later a somewhat creepy, 182-page walk down memory lane arrived in the mail. Federal law only requires the company to provide a subset of the information it collected about me. So that’s all I got.

LexisNexis had captured details about my life going back 25 years, many that I’d forgotten. It had my phone numbers going back decades and my home addresses going back to my childhood in Golden, Colorado. Each location had a field to show whether the address was “high risk.” Mine were all blank. The company also collects records of any liens and criminal activity, which, thankfully, I didn’t have.

My report was boring, which isn’t a surprise. I’ve lived a middle-class life and grown up in good neighborhoods. But it made me wonder: What if I had lived in “high risk” neighborhoods? Could that ever be used by insurers to jack up my rates — or to avoid me altogether?

I wanted to see more. If LexisNexis had health risk scores on me, I wanted to see how they were calculated and, more importantly, whether they were accurate. But the company told me that if it had calculated my scores it would have done so on behalf of their client, my insurance company. So, I couldn’t have them.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

Recent advances in technology allow consumers to alter, customize, or build locally items previously not possible. These items are often referred to as Do-It-Yourself (DIY) products. You've probably heard DIY used in home repair and renovation projects on television. DIY now happens in some unexpected areas. Today's blog post highlights two areas.

DIY Glucose Monitors

Earlier this year, CNet described the bag an eight-year-old patient carries with her everywhere daily:

"... It houses a Dexcom glucose monitor and a pack of glucose tablets, which work in conjunction with the sensor attached to her arm and the insulin pump plugged into her stomach. The final item in her bag was an iPhone 5S. It's unusual for such a young child to have a smartphone. But Ruby's iPhone, which connects via Bluetooth to her Dexcom monitor, allowing [her mother] to read it remotely, illustrates the way technology has transformed the management of diabetes from an entirely manual process -- pricking fingers to measure blood sugar, writing down numbers in a notebook, calculating insulin doses and injecting it -- to a semi-automatic one..."

Some people have access to these new technologies, but many don't. Others want more connectivity and better capabilities. So, some creative "hacking" has resulted:

"There are people who are unwilling to wait, and who embrace unorthodox methods. (You can find them on Twitter via the hashtag #WeAreNotWaiting.) The Nightscout Foundation, an online diabetes community, figured out a workaround for the Pebble Watch. Groups such as Nightscout, Tidepool and OpenAPS are developing open-source fixes for diabetes that give major medical tech companies a run for their money... One major gripe of many tech-enabled diabetes patients is that the two devices they wear at all times -- the monitor and the pump -- don't talk to each other... diabetes will never be a hands-off disease to manage, but an artificial pancreas is basically as close as it gets. The FDA approved the first artificial pancreas -- the Medtronic 670G -- in October 2017. But thanks to a little DIY spirit, people have had them for years."

CNet shared the experience of another tech-enabled patient:

"Take Dana Lewis, founder of the open-source artificial pancreas system, or OpenAPS. Lewis started hacking her glucose monitor to increase the volume of the alarm so that it would wake her in the night. From there, Lewis tinkered with her equipment until she created a closed-loop system, which she's refined over time in terms of both hardware and algorithms that enable faster distribution of insulin. It has massively reduced the "cognitive burden" on her everyday life... JDRF, one of the biggest global diabetes research charities, said in October that it was backing the open-source community by launching an initiative to encourage rival manufacturers like Dexcom and Medtronic to open their protocols and make their devices interoperable."

Convenience and affordability are huge drivers. As you might have guessed, there are risks:

"Hacking a glucose monitor is not without risk -- inaccurate readings, failed alarms or the wrong dose of insulin distributed by the pump could have fatal consequences... Lewis and the OpenAPS community encourage people to embrace the build-your-own-pancreas method rather than waiting for the tech to become available and affordable."

Are DIY glucose monitors a good thing? Some patients think so as a way to achieve convenient and affordable healthcare solutions. That might lead you to conclude anything DIY is an improvement. Right? Keep reading.

DIY Guns

Got a 3-D printer? If so, then you can print your own DIY gun. How did this happen? How did the USA get to here? Wired explained:

"Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun... he drove back to Austin and uploaded the blueprints for the pistol to his website, Defcad.com... In the days after that first test-firing, his gun was downloaded more than 100,000 times. Wilson made the decision to go all in on the project, dropping out of law school at the University of Texas, as if to confirm his belief that technology supersedes law..."

The law intervened. Wilson stopped, took down his site, and then pursued a legal remedy:

"Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First."

So, now you... anybody with an internet connection and a 3-D printer (and a computer-controlled milling machine for some advanced parts)... can produce their own DIY gun. No registration required. No licenses nor permits. No training required. And, that's anyone anywhere in the world.

Oh, there's more:

"The Department of Justice's surprising settlement, confirmed in court documents earlier this month, essentially surrenders to that argument. It promises to change the export control rules surrounding any firearm below .50 caliber—with a few exceptions like fully automatic weapons and rare gun designs that use caseless ammunition—and move their regulation to the Commerce Department, which won't try to police technical data about the guns posted on the public internet. In the meantime, it gives Wilson a unique license to publish data about those weapons anywhere he chooses."

As you might have guessed, Wilson is re-launching his website, but this time with blueprints for more DIY weaponry besides pistols: AR-15 rifles and semi-automatic weaponry. So, it will be easier for people to skirt federal and state gun laws. Is that a good thing?

You probably have some thoughts and concerns. I do. There are plenty of issues and questions. Are DIY products a good thing? Who is liable? How should laws be upgraded? How can society facilitate one set of DIY products and not the other? What related issues do you see? Any other notable DIY products?