103 posts categorized "Health Care/EHR" Feed

Two Data Breaches At Collections Vendor Used By Healthcare Testing Firms Affect About 19 Million Persons

Two healthcare data breaches have affected about 19 million persons, so far.

First, a data breach at a third-party collections firm has affected about 11.9 million patients at Quest Diagnostics, a medical testing firm. Quest announced in a June 3rd news release that American Medical Collection Agency (AMCA) notified it of data breach affecting Quest patients:

"... an unauthorized user had access to AMCA’s system...AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter. AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results."

Quest said that AMCA hasn't yet provided it with details about the data breach. The news release did not state when AMCA or Quest would directly notify affected patients. Hopefully, future news releases will provide dates when the breach occurred, how the attackers broke in, and the fixes underway so this doesn't happen again.

Second, a data breach at the same third-party collections firm has also affected about 7.7 million customers of LabCorp, another medical testing firm. LabCorp disclosed in a filing with the U.S. Securities and Exchange Commission that AMCA notified it of data breach which occurred between August 1, 2018 and March 30, 2019. The filing did not state the date when AMCA notified LabCorp. The filing did state:

"AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA... AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA... AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers."

LabCorp said in the filing that it didn't provide patients' ordered tests, laboratory results, or diagnostic information to AMCA. AMCA is currently notifying about 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. Also:

"AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them. AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months."

Given the ongoing investigation and breach notification, more news seems likely. Both breaches suggest other AMCA clients may have been affected. A check of the AMCA website at press time failed to find any news releases or mentions of both data breaches. C/Net reported:

"LabCorp also said that as a result of the breach, it's stopped sending new collection requests to the AMCA and suspended the AMCA's work on any pending requests related to LabCorp customers... LabCorp declined to comment beyond its SEC filing. AMCA said it conducted an internal audit after being notified of the breach by an outside security compliance firm and took down its web payments page. The company has also hired a third-party forensics firm to investigate the breach and has notified law enforcement."

The Krebs On Security blog reported:

"... AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed. A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years. Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system.

Both data breaches reminder patients that when companies outsource collections activities, patients' sensitive healthcare and payment information are often shared with outsource vendors. The lack of breach details makes one wonder if AMCA executives were caught unprepared with both inadequate data security on its payments website, and post-breach responses. Hopefully, future news reports will clarify things.


Behind the Scenes, Health Insurers Use Cash and Gifts to Sway Which Benefits Employers Choose

[Editor's note: today's guest post, by reporters at ProPublica, explores business practices within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

The pitches to the health insurance brokers are tantalizing.

“Set sail for Bermuda,” says insurance giant Cigna, offering top-selling brokers five days at one of the island’s luxury resorts.

Health Net of California’s pitch is not subtle: A smiling woman in a business suit rides a giant $100 bill like it’s a surfboard. “Sell more, enroll more, get paid more!” In some cases, its ad says, a broker can “power up” the bonus to $150,000 per employer group.

Not to be outdone, New York’s EmblemHealth promises top-selling brokers “the chance of a lifetime”: going to bat against the retired legendary New York Yankees pitcher Mariano Rivera. In another offer, the company, which bills itself as the state’s largest nonprofit plan, focuses on cash: “The more subscribers you enroll … the bigger the payout.” Bonuses, it says, top out at $100,000 per group, and “there’s no limit to the number of bonuses you can earn.

Such incentives sound like typical business tactics, until you understand who ends up paying for them: the employers who sign up with the insurers — and, of course, their employees.

Human resource directors often rely on independent health insurance brokers to guide them through the thicket of costly and confusing benefit options offered by insurance companies. But what many don’t fully realize is how the health insurance industry steers the process through lucrative financial incentives and commissions. Those enticements, critics say, don’t reward brokers for finding their clients the most cost-effective options.

Here’s how it typically works: Insurers pay brokers a commission for the employers they sign up. That fee is usually a healthy 3 to 6 percent of the total premium. That could be about $50,000 a year on the premiums of a company with 100 people, payable for as long as the plan is in place. That’s $50,000 a year for a single client. And as the client pays more in premiums, the broker’s commission increases.

Commissions can be even higher, up to 40 or 50 percent of the premium, on supplemental plans that employers can buy to cover employees’ dental costs, cancer care or long-term hospitalization.

Those commissions come from the insurers. But the cost is built into the premiums the employer and employees pay for the benefit plan.

Now, layer on top of that the additional bonuses that brokers can earn from some insurers. The offers, some marked “confidential,” are easy to find on the websites of insurance companies and broker agencies. But many brokers say the bonuses are not disclosed to employers unless they ask. These bonuses, too, are indirectly included in the overall cost of health plans.

These industry payments can’t help but influence which plans brokers highlight for employers, said Eric Campbell, director of research at the University of Colorado Center for Bioethics and Humanities.

“It’s a classic conflict of interest,” Campbell said.

There’s “a large body of virtually irrefutable evidence,” Campbell said, that shows drug company payments to doctors influence the way they prescribe. “Denying this effect is like denying that gravity exists.” And there’s no reason, he said, to think brokers are any different.

Critics say the setup is akin to a single real estate agent representing both the buyer and seller in a home sale. A buyer would not expect the seller’s agent to negotiate the lowest price or highlight all the clauses and fine print that add unnecessary costs.

“If you want to draw a straight conclusion: It has been in the best interest of a broker, from a financial point of view, to keep that premium moving up,” said Jeffrey Hogan, a regional manager in Connecticut for a national insurance brokerage and one of a band of outliers in the industry pushing for changes in the way brokers are paid.

As the average cost of employer-sponsored health insurance premiums has tripled in the past two decades, to almost $20,000 for a family of four, a small, but growing, contingent of brokers are questioning their role in the rise in costs. They’ve started negotiating flat fees paid directly by the employers. The fee may be a similar amount to the commission they could have earned, but since it doesn’t come from the insurer, Hogan said, it “eliminates the conflict of interest” and frees brokers to consider unorthodox plans tailored to individual employers’ needs. Any bonuses could also be paid directly by the employer.

Brokers provide a variety of services to employers. They present them with benefits options, enroll them in plans and help them with claims and payment issues. Insurance industry payments to brokers are not illegal and have been accepted as a cost of doing business for generations. When brokers are paid directly by employers, the results can be mutually beneficial.

In 2017, David Contorno, the broker for Palmer Johnson Power Systems, a heavy-equipment distribution company in Madison, Wisconsin, saved the firm so much money while also improving coverage that Palmer Johnson took all 120 employees on an all-expenses paid trip to Vail, Colorado, where they rode four-wheelers and went whitewater rafting. In 2018, the company saved money again and rewarded each employee with a health care “dividend” of about $700.

Contorno is not being altruistic. He earned a flat fee, plus a bonus based on how much the plan saved, with the total equal to roughly what would have made otherwise.

Craig Parsons, who owns Palmer Johnson, said the new payment arrangement puts pressure on the broker to prevent overspending. His previous broker, he said, didn’t have any real incentive to help him reduce costs. “We didn’t have an advocate,” he said. “We didn’t have someone truly watching out for our best interests.” (The former broker acknowledged there were some issues, but said it had provided a valuable service.)

Working for Employers, Not Insurers

Contorno is part of a group called the Health Rosetta, which certifies brokers who agree to follow certain best practices related to health benefits, including eliminating any hidden agreements that raise the cost of employee benefits. To be certified, brokers (who refer to themselves as “benefits advisers”) must disclose all their direct and indirect sources of income — bonuses, commissions, consulting fees, for example — and who pays them to the employers they advise.

Dave Chase, a Washington businessman, created Rosetta in 2016 after working with tech health startups and launching Microsoft’s services to the health industry. He said he saw an opportunity to transform the health care industry by changing the way employers buy benefits. He said brokers have the most underestimated role in the health care system. “The good ones are worth their weight in gold,” Chase said. “But most of the benefit brokers are pitching themselves as buyer’s agents, but they are paid like a seller’s agent.”

There are only 110 Rosetta certified brokers in an industry of more than 100,000, although others who follow a similar philosophy consider themselves part of the movement.

From the employer’s point of view, one big advantage of working with brokers like those certified by Rosetta, is transparency. Currently, there’s no industry standard for how brokers must disclose their payments from insurance companies, so many employers may have no idea how much brokers are making from their business, said Marcy Buckner, vice president of government affairs for the National Association of Health Underwriters, the trade group for health benefits brokers. And thus, she said, employers have no clear sense of the conflicts of interest that may color their broker’s advice to them.

Buckner’s group encourages brokers to bill employers for their commissions directly to eliminate any conflict of interest, but, she said, it’s challenging to shift the culture. Nevertheless, Buckner said she doesn’t think payments from insurers undermine the work done by brokers, who must act in their clients’ best interests or risk losing them. “They want to have these clients for a really long term,” Buckner said.

Industrywide, transparency is not the standard. ProPublica sent a list of questions to 10 of the largest broker agencies, some worth $1 billion or more, including Marsh & McLennan, Aon and Willis Towers Watson, asking if they took bonuses and commissions from insurance companies, and whether they disclosed them to their clients. Four firms declined to answer; the others never responded despite repeated requests.

Insurers also don’t seem to have a problem with the payments. In 2017, Health Care Service Corporation, which oversees Blue Cross Blue Shield plans serving 15 million members in five states, disclosed in its corporate filings that it spent $816 million on broker bonuses and commissions, about 3 percent of its revenue that year. A company spokeswoman acknowledged in an email that employers are actually the ones who pay those fees; the money is just passed through the insurer. “We do not believe there is a conflict of interest,” she said.

In one email to a broker reviewed by ProPublica, Blue Cross Blue Shield of North Carolina called the bonuses it offered — up to $110,000 for bringing in a group of more than 1,000 — the “cherry on top.” The company told ProPublica that such bonuses are standard and that it always encourages brokers to “match their clients with the best product for them.”

Cathryn Donaldson, spokeswoman for the trade group America’s Health Insurance Plans, said in an email that brokers are incentivized “above all else” to serve their clients. “Guiding employees to a plan that offers quality, affordable care will help establish their business and reputation in the industry,” she said.

Some insurer’s pitches, however, clearly reward brokers’ devotion to them, not necessarily their clients. “To thank you for your loyalty to Humana, we want to extend our thanks with a bonus,” says one brochure pitched to brokers online. Horizon Blue Cross Blue Shield of New Jersey offered brokers a bonus as “a way to express our appreciation for your support.” Empire Blue Cross told brokers it would deliver new bonuses “for bringing in large group business ... and for keeping it with us.”

Delta Dental of California’s pitches appears to go one step further, rewarding brokers as “key members of our Small Business Program team.”

ProPublica reached out to all the insurers named in this story, and many didn’t respond. Cigna said in a statement that it offers affordable, high-quality benefit plans and doesn’t see a problem with providing incentives to brokers. Delta Dental emphasized in an email it follows applicable laws and regulations. And Horizon Blue Cross said its gives employers the option of how to pay brokers and discloses all compensation.

The effect of such financial incentives is troubling, said Michael Thompson, president of the National Alliance of Healthcare Purchaser Coalitions, which represents groups of employers who provide benefits. He said brokers don’t typically undermine their clients in a blatant way, but their own financial interests can create a “cozy relationship” that may make them wary of “stirring the pot.”

Employers should know how their brokers are paid, but health care is complex, so they are often not even aware of what they should ask, Thompson said. Employers rely on brokers to be a “trusted adviser,” he added. “Sometimes that trust is warranted and sometimes it’s not.”

Bad Faith Tactics

When officials in Morris County, New Jersey, sought a new broker to manage the county’s benefits, they specified that applicants could not take insurance company payouts related to their business. Instead, the county would pay the broker directly to ensure an unbiased search for the best benefits. The county hired Frenkel Benefits, a New York City broker, in February 2015.

Now, the county is suing the firm in Superior Court of New Jersey, accusing it of double-dipping. In addition to the fees from the county, the broker is accused of collecting a $235,000 commission in 2016 from the insurance giant Cigna. The broker got an additional $19,206 the next year, the lawsuit claims. To get the commission, one of the agency’s brokers allegedly certified, falsely, that the county would be told about the payment, the suit said. The county claims it was never notified and never approved the commission.

The suit also alleges the broker “purposefully concealed” the costs of switching the county’s health coverage to Cigna, which included administrative fees of $800,000.

In an interview, John Bowens, the county’s attorney, said the county had tried to guard against the broker being swayed by a large commission from an insurer. The brokers at Frenkel did not respond to requests for comment. The firm has not filed a response to the claims in the lawsuit. Steven Weisman, one of attorneys representing Frenkel, declined to comment.

Sometimes employers don’t find out their broker didn’t get them the best deal until they switch to another broker.

Josh Butler, a broker in Amarillo, Texas, who is also certified by Rosetta, recently took on a company of about 200 employees that had been signed up for a plan that had high out-of-pocket costs. The previous broker had enrolled the company in a supplemental plan that paid workers $1,000 if they were admitted to the hospital to help pay for uncovered costs. But Butler said the premiums for this coverage cost about $100,000 a year, and only nine employees had used it. That would make it much cheaper to pay for the benefit without insurance.

Butler suspects the previous broker encouraged the hospital benefits because they came with a sizable commission. He sells the same type of policies for the same insurer, so he knows the plan came with a 40 percent commission in the first year. That means about $40,000 of the employer’s premium went into the broker’s pocket.

Butler and other brokers said the insurance companies offer huge commissions to promote lucrative supplemental plans like dental, vision and disability. The total commissions on a supplemental cancer plan one insurer offered come to 57 percent, Butler said.

These massive year-one commissions lead some unscrupulous brokers to “churn” their supplemental benefits, Butler said, convincing employers to jump between insurers every year for the same type of benefits. The insurers don’t mind, Butler said, because the employers end up paying the tab. Brokers may also “product dump,” Butler said, which means pushing employers to sign employees up for multiple types of voluntary supplemental coverage, which brings them a hefty commission on each product.

Carl Schuessler, a broker in Atlanta who is certified by the Rosetta group, said he likes to help employers find out how much profit insurers are making on their premiums. Some states require insurers to provide the information, so when he took over the account for The Gasparilla Inn, an island resort on the Gulf Coast of Florida, he obtained the report for the company’s recent three years of coverage with UnitedHealthcare. He learned that the insurer had only paid out in claims about 65 percent of what the Inn had paid in premiums.

But in those same years the insurer had increased the Inn’s premiums, said Glenn Price, its chief financial officer. “It’s tough to swallow” increases to our premium when the insurer is making healthy profits, Price said. UnitedHealthcare declined to comment.

Schuessler, who is paid by the Inn, helped it transition to a self-funded plan, meaning the company bears the cost of the health care bills. Price said the Inn went from spending about $1 million a year to about $700,000, with lower costs and better benefits for employees, and no increases in three years.

A Need for Regulation

Despite the important function of brokers as middlemen, there’s been scant examination of their role in the marketplace.

Don Reiman, head of a Boise, Idaho, broker agency and a financial planner, said the federal government should require health benefit brokers to adhere to the same regulation he sees in the finance arena. The Employee Retirement Income Security Act, better known as ERISA, requires retirement plan advisers to disclose to employers all compensation that’s related to their plans, exposing potential conflicts.

The Department of Labor requires certain employers that provide health benefits to file documents every year about their plans, including payments to brokers. The department posts the information on its website.

But the data is notoriously messy. After a 2012 report found 23 percent of the forms contained errors, there was a proposal to revamp the data collection in 2016. It is unclear if that work was done, but ProPublica tried to analyze the data and found it incomplete or inaccurate. The data shortcomings mean employers have no real ability to compare payments to brokers.

About five years ago, Contorno, one of the leaders in the Rosetta movement, was blithely happy with the status quo: He had his favored insurers and could usually find traditional plans that appeared to fit his clients’ needs.

Today, he regrets his role in driving up employers’ health costs. One of his LinkedIn posts compares the industry’s acceptance of control by insurance companies to Stockholm Syndrome, the feelings of trust a hostage would have toward a captor.

Contorno began advising Palmer Johnson in 2016. When he took over, the company had a self-funded plan and its claims were reviewed by an administrator owned by its broker, Iowa-based Cottingham & Butler. Contorno brought in an independent claims administrator who closely scrutinized the claims and provided detailed cost information. The switch led to significant savings, said Parsons, the company owner. “It opened our eyes to what a good claims review process can mean to us,” he said.

Brad Plummer, senior vice president for employee benefits for Cottingham & Butler, acknowledged “things didn’t go swimmingly” with the claims company. But overall his company provided valuable service to Palmer Johnson, he said.

Contorno also provided resources to help Palmer Johnson employees find high-quality, low-cost providers, and the company waived any out-of-pocket expense as an incentive to get employees to see those medical providers. If a patient needed an out-of-network procedure, the price was negotiated up front to avoid massive surprise bills to the plan or the patient. The company also contracted with a vendor for drug coverage that does not use the secret rebates and hidden pricing schemes that are common in the industry. Palmer Johnson’s yearly health care costs per employee dropped by more than 25 percent, from about $11,252 in 2015 to $8,288 in 2018. That’s lower than they’d been in 2011, Contorno said.

“Now that my compensation is fully tied to meeting the clients’ goals, that is my sole objective,” he said. “Your broker works for whoever is cutting them the check.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Sackler Embraced Plan to Conceal OxyContin’s Strength From Doctors, Sealed Testimony Shows

[Editor's note: today's guest post explores issues within the pharmaceuticals and drug industry. It is reprinted with permission.]

By David Armstrong, ProPublica

In May 1997, the year after Purdue Pharma launched OxyContin, its head of sales and marketing sought input on a key decision from Dr. Richard Sackler, a member of the billionaire family that founded and controls the company. Michael Friedman told Sackler that he didn’t want to correct the false impression among doctors that OxyContin was weaker than morphine, because the myth was boosting prescriptions — and sales.

“It would be extremely dangerous at this early stage in the life of the product,” Friedman wrote to Sackler, “to make physicians think the drug is stronger or equal to morphine….We are well aware of the view held by many physicians that oxycodone [the active ingredient in OxyContin] is weaker than morphine. I do not plan to do anything about that.”

“I agree with you,” Sackler responded. “Is there a general agreement, or are there some holdouts?”

Ten years later, Purdue pleaded guilty in federal court to understating the risk of addiction to OxyContin, including failing to alert doctors that it was a stronger painkiller than morphine, and agreed to pay $600 million in fines and penalties. But Sackler’s support of the decision to conceal OxyContin’s strength from doctors — in email exchanges both with Friedman and another company executive — was not made public.

The email threads were divulged in a sealed court document that ProPublica has obtained: an Aug. 28, 2015, deposition of Richard Sackler. Taken as part of a lawsuit by the state of Kentucky against Purdue, the deposition is believed to be the only time a member of the Sackler family has been questioned under oath about the illegal marketing of OxyContin and what family members knew about it. Purdue has fought a three-year legal battle to keep the deposition and hundreds of other documents secret, in a case brought by STAT, a Boston-based health and medicine news organization; the matter is currently before the Kentucky Supreme Court.

Meanwhile, interest in the deposition’s contents has intensified, as hundreds of cities, counties, states and tribes have sued Purdue and other opioid manufacturers and distributors. A House committee requested the document from Purdue last summer as part of an investigation of drug company marketing practices.

In a statement, Purdue stood behind Sackler’s testimony in the deposition. Sackler, it said, “supports that the company accurately disclosed the potency of OxyContin to healthcare providers.” He “takes great care to explain” that the drug’s label “made clear that OxyContin is twice as potent as morphine,” Purdue said.

Still, Purdue acknowledged, it had made a “determination to avoid emphasizing OxyContin as a powerful cancer pain drug,” out of “a concern that non-cancer patients would be reluctant to take a cancer drug.”

The company, which said it was also speaking on behalf of Sackler, deplored what it called the “intentional leak of the deposition” to ProPublica, calling it “a clear violation of the court’s order” and “regrettable.”

Much of the questioning of Sackler in the 337-page deposition focused on Purdue’s marketing of OxyContin, especially in the first five years after the drug’s 1996 launch. Aggressive marketing of OxyContin is blamed by some analysts for fostering a national crisis that has resulted in 200,000 overdose deaths related to prescription opioids since 1999.

Taken together with a Massachusetts complaint made public last month against Purdue and eight Sacklers, including Richard, the deposition underscores the family’s pivotal role in developing the business strategy for OxyContin and directing the hiring of an expanded sales force to implement a plan to sell the drug at ever-higher doses. Documents show that Richard Sackler was especially involved in the company’s efforts to market the drug, and that he pushed staff to pursue OxyContin’s deregulation in Germany. The son of a Purdue co-founder, he began working at Purdue in 1971 and has been at various times the company’s president and co-chairman of its board.

In a 1996 email introduced during the deposition, Sackler expressed delight at the early success of OxyContin. “Clearly this strategy has outperformed our expectations, market research and fondest dreams,” he wrote. Three years later, he wrote to a Purdue executive, “You won’t believe how committed I am to make OxyContin a huge success. It is almost that I dedicated my life to it. After the initial launch phase, I will have to catch up with my private life again.”

During his deposition, Sackler defended the company’s marketing strategies — including some Purdue had previously acknowledged were improper — and offered benign interpretations of emails that appeared to show Purdue executives or sales representatives minimizing the risks of OxyContin and its euphoric effects. He denied that there was any effort to deceive doctors about the potency of OxyContin and argued that lawyers for Kentucky were misconstruing words such as “stronger” and “weaker” used in email threads.

The term “stronger” in Friedman’s email, Sackler said, “meant more threatening, more frightening. There is no way that this intended or had the effect of causing physicians to overlook the fact that it was twice as potent.”

Emails introduced in the deposition show Sackler’s hidden role in key aspects of the 2007 federal case in which Purdue pleaded guilty. A 19-page statement of facts that Purdue admitted to as part of the plea deal, and which prosecutors said contained the “main violations of law revealed by the government’s criminal investigation,” referred to Friedman’s May 1997 email to Sackler about letting the doctors’ misimpression stand. It did not identify either man by name, attributing the statements to “certain Purdue supervisors and employees.”

Friedman, who by then had risen to chief executive officer, was one of three Purdue executives who pleaded guilty to a misdemeanor of “misbranding” OxyContin. No members of the Sackler family were charged or named as part of the plea agreement. The Massachusetts lawsuit alleges that the Sackler-controlled Purdue board voted that the three executives, but no family members, should plead guilty as individuals. After the case concluded, the Sacklers were concerned about maintaining the allegiance of Friedman and another of the executives, according to the Massachusetts lawsuit. To protect the family, Purdue paid the two executives at least $8 million, that lawsuit alleges.

“The Sacklers spent millions to keep the loyalty of people who knew the truth,” the complaint filed by the Massachusetts attorney general alleges.

The Kentucky deposition’s contents will likely fuel the growing protests against the Sacklers, including pressure to strip the family’s name from cultural and educational institutions to which it has donated. The family has been active in philanthropy for decades, giving away hundreds of millions of dollars. But the source of its wealth received little attention until recent years, in part due to a lack of public information about what the family knew about Purdue’s improper marketing of OxyContin and false claims about the drug’s addictive nature.

Although Purdue has been sued hundreds of times over OxyContin’s marketing, the company has settled many of these cases, and almost never gone to trial. As a condition of settlement, Purdue has often required a confidentiality agreement, shielding millions of records from public view.

That is what happened in Kentucky. In December 2015, the state settled its lawsuit against Purdue, alleging that the company created a “public nuisance” by improperly marketing OxyContin, for $24 million. The settlement required the state attorney general to “completely destroy” documents in its possession from Purdue. But that condition did not apply to records sealed in the circuit court where the case was filed. In March 2016, STAT filed a motion to make those documents public, including Sackler’s deposition. The Kentucky Court of Appeals last year upheld a lower court ruling ordering the deposition and other sealed documents be made public. Purdue asked the state Supreme Court to review the decision, and both sides recently filed briefs. Protesters outside Kentucky’s Capitol last week waved placards urging the court to release the deposition.

Sackler family members have long constituted the majority of Purdue’s board, and company profits flow to trusts that benefit the extended family. During his deposition, which took place over 11 hours in a law office in Louisville, Kentucky, Richard Sackler said “I don’t know” more than 100 times, including when he was asked how much his family had made from OxyContin sales. He acknowledged it was more than $1 billion, but when asked if they had made more than $5 billion, he said, “I don’t know.” Asked if it was more than $10 billion, he replied, “I don’t think so.”

By 2006, OxyContin’s “profit contribution” to Purdue was $4.7 billion, according to a document read at the deposition. From 2007 to 2018, the Sackler family received more than $4 billion in payouts from Purdue, according to the Massachusetts lawsuit.

During the deposition, Sackler was confronted with his email exchanges with company executives about Purdue’s decision not to correct the misperception among many doctors that OxyContin was weaker than morphine. The company viewed this as good news because the softer image of the drug was helping drive sales in the lucrative market for treating conditions like back pain and arthritis, records produced at the deposition show.

Designed to gradually release medicine into the bloodstream, OxyContin allows patients to take fewer pills than they would with other, quicker-acting pain medicines, and its effect lasts longer. But to accomplish these goals, more narcotic is packed into an OxyContin pill than competing products. Abusers quickly figured out how to crush the pills and extract the large amount of narcotic. They would typically snort it or dissolve it into liquid form to inject.

The pending Massachusetts lawsuit against Purdue accuses Sackler and other company executives of determining that “doctors had the crucial misconception that OxyContin was weaker than morphine, which led them to prescribe OxyContin much more often.” It also says that Sackler “directed Purdue staff not to tell doctors the truth,” for fear of reducing sales. But it doesn’t reveal the contents of the email exchange with Friedman, the link between that conversation and the 2007 plea agreement, and the back-and-forth in the deposition.

A few days after the email exchange with Friedman in 1997, Sackler had an email conversation with another company official, Michael Cullen, according to the deposition. “Since oxycodone is perceived as being a weaker opioid than morphine, it has resulted in OxyContin being used much earlier for non-cancer pain,” Cullen wrote to Sackler. “Physicians are positioning this product where Percocet, hydrocodone and Tylenol with codeine have been traditionally used.” Cullen then added, “It is important that we be careful not to change the perception of physicians toward oxycodone when developing promotional pieces, symposia, review articles, studies, et cetera.”

“I think that you have this issue well in hand,” Sackler responded.

Friedman and Cullen could not be reached for comment.

Asked at his deposition about the exchanges with Friedman and Cullen, Sackler didn’t dispute the authenticity of the emails. He said the company was concerned that OxyContin would be stigmatized like morphine, which he said was viewed only as an “end of life” drug that was frightening to people.

“Within this time it appears that people had fallen into a habit of signifying less frightening, less threatening, more patient acceptable as under the rubric of weaker or more frightening, more — less acceptable and less desirable under the rubric or word ‘stronger,’” Sackler said at his deposition. “But we knew that the word ‘weaker’ did not mean less potent. We knew that the word ‘stronger’ did not mean more potent.” He called the use of those words “very unfortunate.”

He said Purdue didn’t want OxyContin “to be polluted by all of the bad associations that patients and healthcare givers had with morphine.”

In his deposition, Sackler also defended sales representatives who, according to the statement of facts in the 2007 plea agreement, falsely told doctors during the 1996-2001 period that OxyContin did not cause euphoria or that it was less likely to do so than other opioids. This euphoric effect experienced by some patients is part of what can make OxyContin addictive. Yet, asked about a 1998 note written by a Purdue salesman, who indicated that he “talked of less euphoria” when promoting OxyContin to a doctor, Sackler argued it wasn’t necessarily improper.

“This was 1998, long before there was an Agreed Statement of Facts,” he said.

The lawyer for the state asked Sackler: “What difference does that make? If it’s improper in 2007, wouldn’t it be improper in 1998?”

“Not necessarily,” Sackler replied.

Shown another sales memo, in which a Purdue representative reported telling a doctor that “there may be less euphoria” with OxyContin, Sackler responded, “We really don’t know what was said.” After further questioning, Sackler said the claim that there may be less euphoria “could be true, and I don’t see the harm.”

The same issue came up regarding a note written by a Purdue sales representative about one doctor: “Got to convince him to counsel patients that they won’t get buzzed as they will with short-acting” opioid painkillers. Sackler defended these comments as well. “Well, what it says here is that they won’t get a buzz. And I don’t think that telling a patient ‘I don’t think you’ll get a buzz’ is harmful,” he said.

Sackler added that the comments from the representative to the doctor “actually could be helpful, because many patients won’t get a buzz, and if he would like to know if they do, he might have had a good medical reason for wanting to know that.”

Sackler said he didn’t believe any of the company sales people working in Kentucky engaged in the improper conduct described in the federal plea deal. “I don’t have any facts to inform me otherwise,” he said.

Purdue said that Sackler’s statements in his deposition “fully acknowledge the wrongful actions taken by some of Purdue’s employees prior to 2002,” as laid out in the 2007 plea agreement. Both the company and Sackler “fully agree” with the facts laid out in that case, Purdue said.

The deposition also reveals that Sackler pushed company officials to find out if German officials could be persuaded to loosen restrictions on the selling of OxyContin. In most countries, narcotic pain relievers are regulated as “controlled” substances because of the potential for abuse. Sackler and other Purdue executives discussed the possibility of persuading German officials to classify OxyContin as an uncontrolled drug, which would likely allow doctors to prescribe the drug more readily — for instance, without seeing a patient. Fewer rules were expected to translate into more sales, according to company documents disclosed at the deposition.

One Purdue official warned Sackler and others that it was a bad idea. Robert Kaiko, who developed OxyContin for Purdue, wrote to Sackler, “If OxyContin is uncontrolled in Germany, it is highly likely that it will eventually be abused there and then controlled.”

Nevertheless, Sackler asked a Purdue executive in Germany for projections of sales with and without controls. He also wondered whether, if one country in the European Union relaxed controls on the drug, others might do the same. When finally informed that German officials had decided the drug would be controlled like other narcotics, Sackler asked in an email if the company could appeal. Told that wasn’t possible, he wrote back to an executive in Germany, “When we are next together we should talk about how this idea was raised and why it failed to be realized. I thought that it was a good idea if it could be done.”

Asked at the deposition about that comment, Sackler responded, “That’s what I said, but I didn’t mean it. I just wanted to be encouraging.” He said he really “was not in favor of” loosening OxyContin regulation and was simply being “polite” and “solicitous” of his own employee.

Near the end of the deposition — after showing Sackler dozens of emails, memos and other records regarding the marketing of OxyContin — a lawyer for Kentucky posed a fundamental question.

“Sitting here today, after all you’ve come to learn as a witness, do you believe Purdue’s conduct in marketing and promoting OxyContin in Kentucky caused any of the prescription drug addiction problems now plaguing the Commonwealth?” he asked.

Sackler replied, “I don’t believe so.”

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

Walgreens logo The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the state's healthcare program based upon a state law passed in 2006 to provide health insurance to all Commonwealth residents. The law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreen's will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


The Privacy And Data Security Issues With Medical Marijuana

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Harold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected and the businesses which must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.


Your Medical Devices Are Not Keeping Your Health Data to Themselves

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which explores data collection, data sharing, and privacy issues within the healthcare industry. It is reprinted with permission.]

By Derek Kravitz and Marshall Allen, ProPublica

Medical devices are gathering more and more data from their users, whether it’s their heart rates, sleep patterns or the number of steps taken in a day. Insurers and medical device makers say such data can be used to vastly improve health care.

But the data that’s generated can also be used in ways that patients don’t necessarily expect. It can be packaged and sold for advertising. It can anonymized and used by customer support and information technology companies. Or it can be shared with health insurers, who may use it to deny reimbursement. Privacy experts warn that data gathered by insurers could also be used to rate individuals’ health care costs and potentially raise their premiums.

Patients typically have to give consent for their data to be used — so-called “donated data.” But some patients said they weren’t aware that their information was being gathered and shared. And once the data is shared, it can be used in a number of ways. Here are a few of the most popular medical devices that can share data with insurers:

Continuous Positive Airway Pressure, or CPAP, Machines

What Are They?

One of the more popular devices for those with sleep apnea, CPAP machines are covered by insurers after a sleep study confirms the diagnosis. These units, which deliver pressurized air through masks worn by patients as they sleep, collect data and transmit it wirelessly.

What Do They Collect?

It depends on the unit, but CPAP machines can collect data on the number of hours a patient uses the device, the number of interruptions in sleep and the amount of air that leaks from the mask.

Who Gets the Info?

The data may be transmitted to the makers or suppliers of the machines. Doctors may use it to assess whether the therapy is effective. Health insurers may receive the data to track whether patients are using their CPAP machines as directed. They may refuse to reimburse the costs of the machine if the patient doesn’t use it enough. The device maker ResMed said in a statement that patients may withdraw their consent to have their data shared.

Heart Monitors

What Are They?

Heart monitors, oftentimes small, battery-powered devices worn on the body and attached to the skin with electrodes, measure and record the heart’s electrical signals, typically over a few days or weeks, to detect things like irregular heartbeats or abnormal heart rhythms. Some devices implanted under the skin can last up to five years.

What Do They Collect?

Wearable ones include Holter monitors, wired external devices that attach to the skin, and event recorders, which can track slow or fast heartbeats and fainting spells. Data can also be shared from implanted pacemakers, which keep the heart beating properly for those with arrhythmias.

Who Gets the Info?

Low resting heart rates or other abnormal heart conditions are commonly used by insurance companies to place patients in more expensive rate classes. Children undergoing genetic testing are sometimes outfitted with heart monitors before their diagnosis, increasing the odds that their data is used by insurers. This sharing is the most common complaint cited by the World Privacy Forum, a consumer rights group.

Blood Glucose Monitors

What Are They?

Millions of Americans who have diabetes are familiar with blood glucose meters, or glucometers, which take a blood sample on a strip of paper and analyze it for glucose, or sugar, levels. This allows patients and their doctors to monitor their diabetes so they don’t have complications like heart or kidney disease. Blood glucose meters are used by the more the 1.2 million Americans with Type 1 diabetes, which is usually diagnosed in children, teens and young adults.

What Do They Collect?

Blood sugar monitors measure the concentration of glucose in a patient’s blood, a key indicator of proper diabetes management.

Who Gets the Info?

Diabetes monitoring equipment is sold directly to patients, but many still rely on insurer-provided devices. To get reimbursement for blood glucose meters, health insurers will typically ask for at least a month’s worth of blood sugar data.

Lifestyle Monitors

What Are They?

Step counters, medication alerts and trackers, and in-home cameras are among the devices in the increasingly crowded lifestyle health industry.

What Do They Collect?

Many health data research apps are made up of “donated data,” which is provided by consumers and falls outside of federal guidelines that require the sharing of personal health data be disclosed and anonymized to protect the identity of the patient. This data includes everything from counters for the number of steps you take, the calories you eat and the number of flights of stairs you climb to more traditional health metrics, such as pulse and heart rates.

Who Gets the Info?

It varies by device. But the makers of the Fitbit step counter, for example, say they never sell customer personal data or share personal information unless a user requests it; it is part of a legal process; or it is provided on a “confidential basis” to a third-party customer support or IT provider. That said, Fitbit allows users who give consent to share data “with a health insurer or wellness program,” according to a statement from the company.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


You Snooze, You Lose: Insurers Make The Old Adage Literally True

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which explores data collection, data sharing, and privacy issues within the healthcare industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Last March, Tony Schmidt discovered something unsettling about the machine that helps him breathe at night. Without his knowledge, it was spying on him.

From his bedside, the device was tracking when he was using it and sending the information not just to his doctor, but to the maker of the machine, to the medical supply company that provided it and to his health insurer.

Schmidt, an information technology specialist from Carrollton, Texas, was shocked. “I had no idea they were sending my information across the wire.”

Schmidt, 59, has sleep apnea, a disorder that causes worrisome breaks in his breathing at night. Like millions of people, he relies on a continuous positive airway pressure, or CPAP, machine that streams warm air into his nose while he sleeps, keeping his airway open. Without it, Schmidt would wake up hundreds of times a night; then, during the day, he’d nod off at work, sometimes while driving and even as he sat on the toilet.

“I couldn’t keep a job,” he said. “I couldn’t stay awake.” The CPAP, he said, saved his career, maybe even his life.

As many CPAP users discover, the life-altering device comes with caveats: Health insurance companies are often tracking whether patients use them. If they aren’t, the insurers might not cover the machines or the supplies that go with them.

In fact, faced with the popularity of CPAPs, which can cost $400 to $800, and their need for replacement filters, face masks and hoses, health insurers have deployed a host of tactics that can make the therapy more expensive or even price it out of reach.

Patients have been required to rent CPAPs at rates that total much more than the retail price of the devices, or they’ve discovered that the supplies would be substantially cheaper if they didn’t have insurance at all.

Experts who study health care costs say insurers’ CPAP strategies are part of the industry’s playbook of shifting the costs of widely used therapies, devices and tests to unsuspecting patients.

“The doctors and providers are not in control of medicine anymore,” said Harry Lawrence, owner of Advanced Oxy-Med Services, a New York company that provides CPAP supplies. “It’s strictly the insurance companies. They call the shots.”

Insurers say their concerns are legitimate. The masks and hoses can be cumbersome and noisy, and studies show that about third of patients don’t use their CPAPs as directed.

But the companies’ practices have spawned lawsuits and concerns by some doctors who say that policies that restrict access to the machines could have serious, or even deadly, consequences for patients with severe conditions. And privacy experts worry that data collected by insurers could be used to discriminate against patients or raise their costs.

Schmidt’s privacy concerns began the day after he registered his new CPAP unit with ResMed, its manufacturer. He opted out of receiving any further information. But he had barely wiped the sleep out of his eyes the next morning when a peppy email arrived in his inbox. It was ResMed, praising him for completing his first night of therapy. “Congratulations! You’ve earned yourself a badge!” the email said.

Then came this exchange with his supply company, Medigy: Schmidt had emailed the company to praise the “professional, kind, efficient and competent” technician who set up the device. A Medigy representative wrote back, thanking him, then adding that Schmidt’s machine “is doing a great job keeping your airway open.” A report detailing Schmidt’s usage was attached.

Alarmed, Schmidt complained to Medigy and learned his data was also being shared with his insurer, Blue Cross Blue Shield. He’d known his old machine had tracked his sleep because he’d taken its removable data card to his doctor. But this new invasion of privacy felt different. Was the data encrypted to protect his privacy as it was transmitted? What else were they doing with his personal information?

He filed complaints with the Better Business Bureau and the federal government to no avail. “My doctor is the ONLY one that has permission to have my data,” he wrote in one complaint.

In an email, a Blue Cross Blue Shield spokesperson said that it’s standard practice for insurers to monitor sleep apnea patients and deny payment if they aren’t using the machine. And privacy experts said that sharing the data with insurance companies is allowed under federal privacy laws. A ResMed representative said once patients have given consent, it may share the data it gathers, which is encrypted, with the patients’ doctors, insurers and supply companies.

Schmidt returned the new CPAP machine and went back to a model that allowed him to use a removable data card. His doctor can verify his compliance, he said.

Luke Petty, the operations manager for Medigy, said a lot of CPAP users direct their ire at companies like his. The complaints online number in the thousands. But insurance companies set the prices and make the rules, he said, and suppliers follow them, so they can get paid.

“Every year it’s a new hurdle, a new trick, a new game for the patients,” Petty said.

A Sleep Saving Machine Gets Popular

The American Sleep Apnea Association estimates about 22 million Americans have sleep apnea, although it’s often not diagnosed. The number of people seeking treatment has grown along with awareness of the disorder. It’s a potentially serious disorder that left untreated can lead to risks for heart disease, diabetes, cancer and cognitive disorders. CPAP is one of the only treatments that works for many patients.

Exact numbers are hard to come by, but ResMed, the leading device maker, said it’s monitoring the CPAP use of millions of patients.

Sleep apnea specialists and health care cost experts say insurers have countered the deluge by forcing patients to prove they’re using the treatment.

Medicare, the government insurance program for seniors and the disabled, began requiring CPAP “compliance” after a boom in demand. Because of the discomfort of wearing a mask, hooked up to a noisy machine, many patients struggle to adapt to nightly use. Between 2001 and 2009, Medicare payments for individual sleep studies almost quadrupled to $235 million. Many of those studies led to a CPAP prescription. Under Medicare rules, patients must use the CPAP for four hours a night for at least 70 percent of the nights in any 30-day period within three months of getting the device. Medicare requires doctors to document the adherence and effectiveness of the therapy.

Sleep apnea experts deemed Medicare’s requirements arbitrary. But private insurers soon adopted similar rules, verifying usage with data from patients’ machines — with or without their knowledge.

Kristine Grow, spokeswoman for the trade association America’s Health Insurance Plans, said monitoring CPAP use is important because if patients aren’t using the machines, a less expensive therapy might be a smarter option. Monitoring patients also helps insurance companies advise doctors about the best treatment for patients, she said. When asked why insurers don’t just rely on doctors to verify compliance, Grow said she didn’t know.

Many insurers also require patients to rack up monthly rental fees rather than simply pay for a CPAP.

Dr. Ofer Jacobowitz, a sleep apnea expert at ENT and Allergy Associates and assistant professor at The Mount Sinai Hospital in New York, said his patients often pay rental fees for a year or longer before meeting the prices insurers set for their CPAPs. But since patients’ deductibles — the amount they must pay before insurance kicks in — reset at the beginning of each year, they may end up covering the entire cost of the rental for much of that time, he said.

The rental fees can surpass the retail cost of the machine, patients and doctors say. Alan Levy, an attorney who lives in Rahway, New Jersey, bought an individual insurance plan through the now-defunct Health Republic Insurance of New Jersey in 2015. When his doctor prescribed a CPAP, the company that supplied his device, At Home Medical, told him he needed to rent the device for $104 a month for 15 months. The company told him the cost of the CPAP was $2,400.

Levy said he wouldn’t have worried about the cost if his insurance had paid it. But Levy’s plan required him to reach a $5,000 deductible before his insurance plan paid a dime. So Levy looked online and discovered the machine actually cost about $500.

Levy said he called At Home Medical to ask if he could avoid the rental fee and pay $500 up front for the machine, and a company representative said no. “I’m being overcharged simply because I have insurance,” Levy recalled protesting.

Levy refused to pay the rental fees. “At no point did I ever agree to enter into a monthly rental subscription,” he wrote in a letter disputing the charges. He asked for documentation supporting the cost. The company responded that he was being billed under the provisions of his insurance carrier.

Levy’s law practice focuses, ironically, on defending insurance companies in personal injury cases. So he sued At Home Medical, accusing the company of violating the New Jersey Consumer Fraud Act. Levy didn’t expect the case to go to trial. “I knew they were going to have to spend thousands of dollars on attorney’s fees to defend a claim worth hundreds of dollars,” he said.

Sure enough, At Home Medical, agreed to allow Levy to pay $600 — still more than the retail cost — for the machine.

The company declined to comment on the case. Suppliers said that Levy’s case is extreme, but acknowledged that patients’ rental fees often add up to more than the device is worth.

Levy said that he was happy to abide by the terms of his plan, but that didn’t mean the insurance company could charge him an unfair price. “If the machine’s worth $500, no matter what the plan says, or the medical device company says, they shouldn’t be charging many times that price,” he said.

Dr. Douglas Kirsch, president of the American Academy of Sleep Medicine, said high rental fees aren’t the only problem. Patients can also get better deals on CPAP filters, hoses, masks and other supplies when they don’t use insurance, he said.

Cigna, one of the largest health insurers in the country, currently faces a class-action suit in U.S. District Court in Connecticut over its billing practices, including for CPAP supplies. One of the plaintiffs, Jeffrey Neufeld, who lives in Connecticut, contends that Cigna directed him to order his supplies through a middleman who jacked up the prices.

Neufeld declined to comment for this story. But his attorney, Robert Izard, said Cigna contracted with a company called CareCentrix, which coordinates a network of suppliers for the insurer. Neufeld decided to contact his supplier directly to find out what it had been paid for his supplies and compare that to what he was being charged. He discovered that he was paying substantially more than the supplier said the products were worth. For instance, Neufeld owed $25.68 for a disposable filter under his Cigna plan, while the supplier was paid $7.50. He owed $147.78 for a face mask through his Cigna plan while the supplier was paid $95.

ProPublica found all the CPAP supplies billed to Neufeld online at even lower prices than those the supplier had been paid. Longtime CPAP users say it’s well known that supplies are cheaper when they are purchased without insurance.

Neufeld’s cost “should have been based on the lower amount charged by the actual provider, not the marked-up bill from the middleman,” Izard said. Patients covered by other insurance companies may have fallen victim to similar markups, he said.

Cigna would not comment on the case. But in documents filed in the suit, it denied misrepresenting costs or overcharging Neufeld. The supply company did not return calls for comment.

In a statement, Stephen Wogen, CareCentrix’s chief growth officer, said insurers may agree to pay higher prices for some services, while negotiating lower prices for others, to achieve better overall value. For this reason, he said, isolating select prices doesn’t reflect the overall value of the company’s services. CareCentrix declined to comment on Neufeld’s allegations.

Izard said Cigna and CareCentrix benefit from such behind-the-scenes deals by shifting the extra costs to patients, who often end up covering the marked-up prices out of their deductibles. And even once their insurance kicks in, the amount the patients must pay will be much higher.

The ubiquity of CPAP insurance concerns struck home during the reporting of this story, when a ProPublica colleague discovered how his insurer was using his data against him.

Sleep Aid or Surveillance Device?

Without his CPAP, Eric Umansky, a deputy managing editor at ProPublica, wakes up repeatedly through the night and snores so insufferably that he is banished to the living room couch. “My marriage depends on it.”

In September, his doctor prescribed a new mask and airflow setting for his machine. Advanced Oxy-Med Services, the medical supply company approved by his insurer, sent him a modem that he plugged into his machine, giving the company the ability to change the settings remotely if needed.

But when the mask hadn’t arrived a few days later, Umansky called Advanced Oxy-Med. That’s when he got a surprise: His insurance company might not pay for the mask, a customer service representative told him, because he hadn’t been using his machine enough. “On Tuesday night, you only used the mask for three-and-a-half hours,” the representative said. “And on Monday night, you only used it for three hours.”

“Wait — you guys are using this thing to track my sleep?” Umansky recalled saying. “And you are using it to deny me something my doctor says I need?”

Umansky’s new modem had been beaming his personal data from his Brooklyn bedroom to the Newburgh, New York-based supply company, which, in turn, forwarded the information to his insurance company, UnitedHealthcare.

Umansky was bewildered. He hadn’t been using the machine all night because he needed a new mask. But his insurance company wouldn’t pay for the new mask until he proved he was using the machine all night — even though, in his case, he, not the insurance company, is the owner of the device.

“You view it as a device that is yours and is serving you,” Umansky said. “And suddenly you realize it is a surveillance device being used by your health insurance company to limit your access to health care.”

Privacy experts said such concerns are likely to grow as a host of devices now gather data about patients, including insertable heart monitors and blood glucose meters, as well as Fitbits, Apple Watches and other lifestyle applications. Privacy laws have lagged behind this new technology, and patients may be surprised to learn how little control they have over how the data is used or with whom it is shared, said Pam Dixon, executive director of the World Privacy Forum.

“What if they find you only sleep a fitful five hours a night?” Dixon said. “That’s a big deal over time. Does that affect your health care prices?”

UnitedHealthcare said in a statement that it only uses the data from CPAPs to verify patients are using the machines.

Lawrence, the owner of Advanced Oxy-Med Services, conceded that his company should have told Umansky his CPAP use would be monitored for compliance, but it had to follow the insurers’ rules to get paid.

As for Umansky, it’s now been two months since his doctor prescribed him a new airflow setting for his CPAP machine. The supply company has been paying close attention to his usage, Umansky said, but it still hasn’t updated the setting.

The irony is not lost on Umansky: “I wish they would spend as much time providing me actual care as they do monitoring whether I’m ‘compliant.’”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


Data Breach Affects 75,000 Healthcare.gov Users

On Friday, the Centers For Medicare and Medicaid Services (CMS) announced a data breach at a computer system which interacts with the Healthcare.gov site. Files for about 75,000 users -- agents and brokers -- were accessed by unauthorized persons. The announcement stated:

"Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE... CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled."

CMS has notified and is working with Federal law enforcement. It expects to restore the Direct Enrollment pathway for agents and brokers within the next 7 days, before the start of the sign-up period on November 1st for health care coverage under the Affordable Care Act.

CMS Administrator Seema Verma said:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

Sadly, data breaches happen -- all too often within government agencies and corporations. It should be noted that this breach was detected quickly -- within 3 days. Other data breaches have gone undetected for weeks or months; and too many corporate data breaches affected millions.

 


Aetna To Pay More Than $17 Million To Resolve 2 Privacy Breaches

Aetna logo Aetna inked settlement agreements with several states, including New Jersey, to resolve disclosures of sensitive patient information. According to an announcement by the Attorney General for New Jersey, the settlement agreements resolve:

"... a multi-state investigation focused on two separate privacy breaches by Aetna that occurred in 2017 – one involving a mailing that potentially revealed information about addressees’ HIV/AIDS status, the other involving a mailing that potentially revealed individuals’ involvement in a study of patients with atrial fibrillation (or AFib)..."

Connecticut, Washington, and the District of Columbia joined with New Jersey for both the  investigation and settlement agreements. The multi-state investigation found:

"... that Aetna inadvertently disclosed HIV/AIDS-related information about thousands of individuals across the U.S. – including approximately 647 New Jersey residents – through a third-party mailing on July 28, 2017. The envelopes used in the mailing had an over-sized, transparent glassine address window, which revealed not only the recipients’ names and addresses, but also text that included the words “HIV Medications"... The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals concerning a study of patients with AFib. The envelopes for the mailing included the name and logo for the study – IMPACT AFib – which could have been interpreted as indicating that the addressee had an AFib diagnosis... Aetna not only violated the federal Health Insurance Portability and Accountability Act (HIPAA), but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular..."

A class-action lawsuit filed on behalf of affected HIV/AIDS patients has been settled, pending approval from a federal court, which requires Aetna to pay about $17 million to resolve allegations. Terms of the multi-state settlement agreement require Aetna to pay a $365,211.59 civil penalty to New Jersey, and:

  • Implement policy, processes, and employee training reforms to both better protect persons' protected health information, and ensure mailings maintain persons' privacy; and
  • Hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the terms of the settlement agreements.

CVS Health logo In December of last year, CVS Health and Aetna announced a merger agreement where CVS Health acquired Aetna for about $69 billion. Last week, CVS Health announced an expansion of its board of directors to include the addition of three directors from its Aetna unit. At press time, neither company's website mentioned the multi-state settlement agreement.


Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates

[Editor's note: today's guest post, by reporters at ProPublica, explores privacy and data collection issues within the healthcare industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

To an outsider, the fancy booths at last month’s health insurance industry gathering in San Diego aren’t very compelling. A handful of companies pitching “lifestyle” data and salespeople touting jargony phrases like “social determinants of health.”

But dig deeper and the implications of what they’re selling might give many patients pause: A future in which everything you do — the things you buy, the food you eat, the time you spend watching TV — may help determine how much you pay for health insurance.

With little public scrutiny, the health insurance industry has joined forces with data brokers to vacuum up personal details about hundreds of millions of Americans, including, odds are, many readers of this story. The companies are tracking your race, education level, TV habits, marital status, net worth. They’re collecting what you post on social media, whether you’re behind on your bills, what you order online. Then they feed this information into complicated computer algorithms that spit out predictions about how much your health care could cost them.

Are you a woman who recently changed your name? You could be newly married and have a pricey pregnancy pending. Or maybe you’re stressed and anxious from a recent divorce. That, too, the computer models predict, may run up your medical bills.

Are you a woman who’s purchased plus-size clothing? You’re considered at risk of depression. Mental health care can be expensive.

Low-income and a minority? That means, the data brokers say, you are more likely to live in a dilapidated and dangerous neighborhood, increasing your health risks.

“We sit on oceans of data,” said Eric McCulley, director of strategic solutions for LexisNexis Risk Solutions, during a conversation at the data firm’s booth. And he isn’t apologetic about using it. “The fact is, our data is in the public domain,” he said. “We didn’t put it out there.”

Insurers contend they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn’t be used to set prices. But as a research scientist from one company told me: “I can’t say it hasn’t happened.”

At a time when every week brings a new privacy scandal and worries abound about the misuse of personal information, patient advocates and privacy scholars say the insurance industry’s data gathering runs counter to its touted, and federally required, allegiance to patients’ medical privacy. The Health Insurance Portability and Accountability Act, or HIPAA, only protects medical information.

“We have a health privacy machine that’s in crisis,” said Frank Pasquale, a professor at the University of Maryland Carey School of Law who specializes in issues related to machine learning and algorithms. “We have a law that only covers one source of health information. They are rapidly developing another source.”

Patient advocates warn that using unverified, error-prone “lifestyle” data to make medical assumptions could lead insurers to improperly price plans — for instance raising rates based on false information — or discriminate against anyone tagged as high cost. And, they say, the use of the data raises thorny questions that should be debated publicly, such as: Should a person’s rates be raised because algorithms say they are more likely to run up medical bills? Such questions would be moot in Europe, where a strict law took effect in May that bans trading in personal data.

This year, ProPublica and NPR are investigating the various tactics the health insurance industry uses to maximize its profits. Understanding these strategies is important because patients — through taxes, cash payments and insurance premiums — are the ones funding the entire health care system. Yet the industry’s bewildering web of strategies and inside deals often have little to do with patients’ needs. As the series’ first story showed, contrary to popular belief, lower bills aren’t health insurers’ top priority.

Inside the San Diego Convention Center last month, there were few qualms about the way insurance companies were mining Americans’ lives for information — or what they planned to do with the data.

The sprawling convention center was a balmy draw for one of America’s Health Insurance Plans’ marquee gatherings. Insurance executives and managers wandered through the exhibit hall, sampling chocolate-covered strawberries, champagne and other delectables designed to encourage deal-making.

Up front, the prime real estate belonged to the big guns in health data: The booths of Optum, IBM Watson Health and LexisNexis stretched toward the ceiling, with flat screen monitors and some comfy seating. (NPR collaborates with IBM Watson Health on national polls about consumer health topics.)

To understand the scope of what they were offering, consider Optum. The company, owned by the massive UnitedHealth Group, has collected the medical diagnoses, tests, prescriptions, costs and socioeconomic data of 150 million Americans going back to 1993, according to its marketing materials. (UnitedHealth Group provides financial support to NPR.) The company says it uses the information to link patients’ medical outcomes and costs to details like their level of education, net worth, family structure and race. An Optum spokesman said the socioeconomic data is de-identified and is not used for pricing health plans.

Optum’s marketing materials also boast that it now has access to even more. In 2016, the company filed a patent application to gather what people share on platforms like Facebook and Twitter, and link this material to the person’s clinical and payment information. A company spokesman said in an email that the patent application never went anywhere. But the company’s current marketing materials say it combines claims and clinical information with social media interactions.

I had a lot of questions about this and first reached out to Optum in May, but the company didn’t connect me with any of its experts as promised. At the conference, Optum salespeople said they weren’t allowed to talk to me about how the company uses this information.

It isn’t hard to understand the appeal of all this data to insurers. Merging information from data brokers with people’s clinical and payment records is a no-brainer if you overlook potential patient concerns. Electronic medical records now make it easy for insurers to analyze massive amounts of information and combine it with the personal details scooped up by data brokers.

It also makes sense given the shifts in how providers are getting paid. Doctors and hospitals have typically been paid based on the quantity of care they provide. But the industry is moving toward paying them in lump sums for caring for a patient, or for an event, like a knee surgery. In those cases, the medical providers can profit more when patients stay healthy. More money at stake means more interest in the social factors that might affect a patient’s health.

Some insurance companies are already using socioeconomic data to help patients get appropriate care, such as programs to help patients with chronic diseases stay healthy. Studies show social and economic aspects of people’s lives play an important role in their health. Knowing these personal details can help them identify those who may need help paying for medication or help getting to the doctor.

But patient advocates are skeptical health insurers have altruistic designs on people’s personal information.

The industry has a history of boosting profits by signing up healthy people and finding ways to avoid sick people — called “cherry-picking” and “lemon-dropping,” experts say. Among the classic examples: A company was accused of putting its enrollment office on the third floor of a building without an elevator, so only healthy patients could make the trek to sign up. Another tried to appeal to spry seniors by holding square dances.

The Affordable Care Act prohibits insurers from denying people coverage based on pre-existing health conditions or charging sick people more for individual or small group plans. But experts said patients’ personal information could still be used for marketing, and to assess risks and determine the prices of certain plans. And the Trump administration is promoting short-term health plans, which do allow insurers to deny coverage to sick patients.

Robert Greenwald, faculty director of Harvard Law School’s Center for Health Law and Policy Innovation, said insurance companies still cherry-pick, but now they’re subtler. The center analyzes health insurance plans to see if they discriminate. He said insurers will do things like failing to include enough information about which drugs a plan covers — which pushes sick people who need specific medications elsewhere. Or they may change the things a plan covers, or how much a patient has to pay for a type of care, after a patient has enrolled. Or, Greenwald added, they might exclude or limit certain types of providers from their networks — like those who have skill caring for patients with HIV or hepatitis C.

If there were concerns that personal data might be used to cherry-pick or lemon-drop, they weren’t raised at the conference.

At the IBM Watson Health booth, Kevin Ruane, a senior consulting scientist, told me that the company surveys 80,000 Americans a year to assess lifestyle, attitudes and behaviors that could relate to health care. Participants are asked whether they trust their doctor, have financial problems, go online, or own a Fitbit and similar questions. The responses of hundreds of adjacent households are analyzed together to identify social and economic factors for an area.

Ruane said he has used IBM Watson Health’s socioeconomic analysis to help insurance companies assess a potential market. The ACA increased the value of such assessments, experts say, because companies often don’t know the medical history of people seeking coverage. A region with too many sick people, or with patients who don’t take care of themselves, might not be worth the risk.

Ruane acknowledged that the information his company gathers may not be accurate for every person. “We talk to our clients and tell them to be careful about this,” he said. “Use it as a data insight. But it’s not necessarily a fact.”

In a separate conversation, a salesman from a different company joked about the potential for error. “God forbid you live on the wrong street these days,” he said. “You’re going to get lumped in with a lot of bad things.”

The LexisNexis booth was emblazoned with the slogan “Data. Insight. Action.” The company said it uses 442 non-medical personal attributes to predict a person’s medical costs. Its cache includes more than 78 billion records from more than 10,000 public and proprietary sources, including people’s cellphone numbers, criminal records, bankruptcies, property records, neighborhood safety and more. The information is used to predict patients’ health risks and costs in eight areas, including how often they are likely to visit emergency rooms, their total cost, their pharmacy costs, their motivation to stay healthy and their stress levels.

People who downsize their homes tend to have higher health care costs, the company says. As do those whose parents didn’t finish high school. Patients who own more valuable homes are less likely to land back in the hospital within 30 days of their discharge. The company says it has validated its scores against insurance claims and clinical data. But it won’t share its methods and hasn’t published the work in peer-reviewed journals.

McCulley, LexisNexis’ director of strategic solutions, said predictions made by the algorithms about patients are based on the combination of the personal attributes. He gave a hypothetical example: A high school dropout who had a recent income loss and doesn’t have a relative nearby might have higher than expected health costs.

But couldn’t that same type of person be healthy? I asked.

“Sure,” McCulley said, with no apparent dismay at the possibility that the predictions could be wrong.

McCulley and others at LexisNexis insist the scores are only used to help patients get the care they need and not to determine how much someone would pay for their health insurance. The company cited three different federal laws that restricted them and their clients from using the scores in that way. But privacy experts said none of the laws cited by the company bar the practice. The company backed off the assertions when I pointed that the laws did not seem to apply.

LexisNexis officials also said the company’s contracts expressly prohibit using the analysis to help price insurance plans. They would not provide a contract. But I knew that in at least one instance a company was already testing whether the scores could be used as a pricing tool.

Before the conference, I’d seen a press release announcing that the largest health actuarial firm in the world, Milliman, was now using the LexisNexis scores. I tracked down Marcos Dachary, who works in business development for Milliman. Actuaries calculate health care risks and help set the price of premiums for insurers. I asked Dachary if Milliman was using the LexisNexis scores to price health plans and he said: “There could be an opportunity.”

The scores could allow an insurance company to assess the risks posed by individual patients and make adjustments to protect themselves from losses, he said. For example, he said, the company could raise premiums, or revise contracts with providers.

It’s too early to tell whether the LexisNexis scores will actually be useful for pricing, he said. But he was excited about the possibilities. “One thing about social determinants data — it piques your mind,” he said.

Dachary acknowledged the scores could also be used to discriminate. Others, he said, have raised that concern. As much as there could be positive potential, he said, “there could also be negative potential.”

It’s that negative potential that still bothers data analyst Erin Kaufman, who left the health insurance industry in January. The 35-year-old from Atlanta had earned her doctorate in public health because she wanted to help people, but one day at Aetna, her boss told her to work with a new data set.

To her surprise, the company had obtained personal information from a data broker on millions of Americans. The data contained each person’s habits and hobbies, like whether they owned a gun, and if so, what type, she said. It included whether they had magazine subscriptions, liked to ride bikes or run marathons. It had hundreds of personal details about each person.

The Aetna data team merged the data with the information it had on patients it insured. The goal was to see how people’s personal interests and hobbies might relate to their health care costs. But Kaufman said it felt wrong: The information about the people who knitted or crocheted made her think of her grandmother. And the details about individuals who liked camping made her think of herself. What business did the insurance company have looking at this information? “It was a dataset that really dug into our clients’ lives,” she said. “No one gave anyone permission to do this.”

In a statement, Aetna said it uses consumer marketing information to supplement its claims and clinical information. The combined data helps predict the risk of repeat emergency room visits or hospital admissions. The information is used to reach out to members and help them and plays no role in pricing plans or underwriting, the statement said.

Kaufman said she had concerns about the accuracy of drawing inferences about an individual’s health from an analysis of a group of people with similar traits. Health scores generated from arrest records, home ownership and similar material may be wrong, she said.

Pam Dixon, executive director of the World Privacy Forum, a nonprofit that advocates for privacy in the digital age, shares Kaufman’s concerns. She points to a study by the analytics company SAS, which worked in 2012 with an unnamed major health insurance company to predict a person’s health care costs using 1,500 data elements, including the investments and types of cars people owned.

The SAS study said higher health care costs could be predicted by looking at things like ethnicity, watching TV and mail order purchases.

“I find that enormously offensive as a list,” Dixon said. “This is not health data. This is inferred data.”

Data scientist Cathy O’Neil said drawing conclusions about health risks on such data could lead to a bias against some poor people. It would be easy to infer they are prone to costly illnesses based on their backgrounds and living conditions, said O’Neil, author of the book “Weapons of Math Destruction,” which looked at how algorithms can increase inequality. That could lead to poor people being charged more, making it harder for them to get the care they need, she said. Employers, she said, could even decide not to hire people with data points that could indicate high medical costs in the future.

O’Neil said the companies should also measure how the scores might discriminate against the poor, sick or minorities.

American policymakers could do more to protect people’s information, experts said. In the United States, companies can harvest personal data unless a specific law bans it, although California just passed legislation that could create restrictions, said William McGeveran, a professor at the University of Minnesota Law School. Europe, in contrast, passed a strict law called the General Data Protection Regulation, which went into effect in May.

“In Europe, data protection is a constitutional right,” McGeveran said.

Pasquale, the University of Maryland law professor, said health scores should be treated like credit scores. Federal law gives people the right to know their credit scores and how they’re calculated. If people are going to be rated by whether they listen to sad songs on Spotify or look up information about AIDS online, they should know, Pasquale said. “The risk of improper use is extremely high. And data scores are not properly vetted and validated and available for scrutiny.”

As I reported this story I wondered how the data vendors might be using my personal information to score my potential health costs. So, I filled out a request on the LexisNexis website for the company to send me some of the personal information it has on me. A week later a somewhat creepy, 182-page walk down memory lane arrived in the mail. Federal law only requires the company to provide a subset of the information it collected about me. So that’s all I got.

LexisNexis had captured details about my life going back 25 years, many that I’d forgotten. It had my phone numbers going back decades and my home addresses going back to my childhood in Golden, Colorado. Each location had a field to show whether the address was “high risk.” Mine were all blank. The company also collects records of any liens and criminal activity, which, thankfully, I didn’t have.

My report was boring, which isn’t a surprise. I’ve lived a middle-class life and grown up in good neighborhoods. But it made me wonder: What if I had lived in “high risk” neighborhoods? Could that ever be used by insurers to jack up my rates — or to avoid me altogether?

I wanted to see more. If LexisNexis had health risk scores on me, I wanted to see how they were calculated and, more importantly, whether they were accurate. But the company told me that if it had calculated my scores it would have done so on behalf of their client, my insurance company. So, I couldn’t have them.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


The DIY Revolution: Consumers Alter Or Build Items Previously Not Possible. Is It A Good Thing?

Recent advances in technology allow consumers to alter, customize, or build locally items previously not possible. These items are often referred to as Do-It-Yourself (DIY) products. You've probably heard DIY used in home repair and renovation projects on television. DIY now happens in some unexpected areas. Today's blog post highlights two areas.

DIY Glucose Monitors

Earlier this year, CNet described the bag an eight-year-old patient carries with her everywhere daily:

"... It houses a Dexcom glucose monitor and a pack of glucose tablets, which work in conjunction with the sensor attached to her arm and the insulin pump plugged into her stomach. The final item in her bag was an iPhone 5S. It's unusual for such a young child to have a smartphone. But Ruby's iPhone, which connects via Bluetooth to her Dexcom monitor, allowing [her mother] to read it remotely, illustrates the way technology has transformed the management of diabetes from an entirely manual process -- pricking fingers to measure blood sugar, writing down numbers in a notebook, calculating insulin doses and injecting it -- to a semi-automatic one..."

Some people have access to these new technologies, but many don't. Others want more connectivity and better capabilities. So, some creative "hacking" has resulted:

"There are people who are unwilling to wait, and who embrace unorthodox methods. (You can find them on Twitter via the hashtag #WeAreNotWaiting.) The Nightscout Foundation, an online diabetes community, figured out a workaround for the Pebble Watch. Groups such as Nightscout, Tidepool and OpenAPS are developing open-source fixes for diabetes that give major medical tech companies a run for their money... One major gripe of many tech-enabled diabetes patients is that the two devices they wear at all times -- the monitor and the pump -- don't talk to each other... diabetes will never be a hands-off disease to manage, but an artificial pancreas is basically as close as it gets. The FDA approved the first artificial pancreas -- the Medtronic 670G -- in October 2017. But thanks to a little DIY spirit, people have had them for years."

CNet shared the experience of another tech-enabled patient:

"Take Dana Lewis, founder of the open-source artificial pancreas system, or OpenAPS. Lewis started hacking her glucose monitor to increase the volume of the alarm so that it would wake her in the night. From there, Lewis tinkered with her equipment until she created a closed-loop system, which she's refined over time in terms of both hardware and algorithms that enable faster distribution of insulin. It has massively reduced the "cognitive burden" on her everyday life... JDRF, one of the biggest global diabetes research charities, said in October that it was backing the open-source community by launching an initiative to encourage rival manufacturers like Dexcom and Medtronic to open their protocols and make their devices interoperable."

Convenience and affordability are huge drivers. As you might have guessed, there are risks:

"Hacking a glucose monitor is not without risk -- inaccurate readings, failed alarms or the wrong dose of insulin distributed by the pump could have fatal consequences... Lewis and the OpenAPS community encourage people to embrace the build-your-own-pancreas method rather than waiting for the tech to become available and affordable."

Are DIY glucose monitors a good thing? Some patients think so as a way to achieve convenient and affordable healthcare solutions. That might lead you to conclude anything DIY is an improvement. Right? Keep reading.

DIY Guns

Got a 3-D printer? If so, then you can print your own DIY gun. How did this happen? How did the USA get to here? Wired explained:

"Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun... he drove back to Austin and uploaded the blueprints for the pistol to his website, Defcad.com... In the days after that first test-firing, his gun was downloaded more than 100,000 times. Wilson made the decision to go all in on the project, dropping out of law school at the University of Texas, as if to confirm his belief that technology supersedes law..."

The law intervened. Wilson stopped, took down his site, and then pursued a legal remedy:

"Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First."

So, now you... anybody with an internet connection and a 3-D printer (and a computer-controlled milling machine for some advanced parts)... can produce their own DIY gun. No registration required. No licenses nor permits. No training required. And, that's anyone anywhere in the world.

Oh, there's more:

"The Department of Justice's surprising settlement, confirmed in court documents earlier this month, essentially surrenders to that argument. It promises to change the export control rules surrounding any firearm below .50 caliber—with a few exceptions like fully automatic weapons and rare gun designs that use caseless ammunition—and move their regulation to the Commerce Department, which won't try to police technical data about the guns posted on the public internet. In the meantime, it gives Wilson a unique license to publish data about those weapons anywhere he chooses."

As you might have guessed, Wilson is re-launching his website, but this time with blueprints for more DIY weaponry besides pistols: AR-15 rifles and semi-automatic weaponry. So, it will be easier for people to skirt federal and state gun laws. Is that a good thing?

You probably have some thoughts and concerns. I do. There are plenty of issues and questions. Are DIY products a good thing? Who is liable? How should laws be upgraded? How can society facilitate one set of DIY products and not the other? What related issues do you see? Any other notable DIY products?


New Jersey to Suspend Prominent Psychologist for Failing to Protect Patient Privacy

[Editor's note: today's guest blog post, by reporters at ProPublica, explores privacy issues within the healthcare industry. The post is reprinted with permission.]

By Charles Ornstein, ProPublica

A prominent New Jersey psychologist is facing the suspension of his license after state officials concluded that he failed to keep details of mental health diagnoses and treatments confidential when he sued his patients over unpaid bills.

The state Board of Psychological Examiners last month upheld a decision by an administrative law judge that the psychologist, Barry Helfmann, “did not take reasonable measures to protect the confidentiality of his patients’ protected health information,” Lisa Coryell, a spokeswoman for the state attorney general’s office, said in an e-mail.

The administrative law judge recommended that Helfmann pay a fine and a share of the investigative costs. The board went further, ordering that Helfmann’s license be suspended for two years, Coryell wrote. During the first year, he will not be able to practice; during the second, he can practice, but only under supervision. Helfmann also will have to pay a $10,000 civil penalty, take an ethics course and reimburse the state for some of its investigative costs. The suspension is scheduled to begin in September.

New Jersey began to investigate Helfmann after a ProPublica article published in The New York Times in December 2015 that described the lawsuits and the information they contained. The allegations involved Helfmann’s patients as well as those of his colleagues at Short Hills Associates in Clinical Psychology, a New Jersey practice where he has been the managing partner.

Helfmann is a leader in his field, serving as president of the American Group Psychotherapy Association, and as a past president of the New Jersey Psychological Association.

ProPublica identified 24 court cases filed by Short Hills Associates from 2010 to 2014 over unpaid bills in which patients’ names, diagnoses and treatments were listed in documents. The defendants included lawyers, business people and a manager at a nonprofit. In cases involving patients who were minors, the lawsuits included children’s names and diagnoses.

The information was subsequently redacted from court records after a patient counter-sued Helfmann and his partners, the psychology group and the practice’s debt collection lawyers. The patient’s lawsuit was settled.

Helfmann has denied wrongdoing, saying his former debt collection lawyers were responsible for attaching patients’ information to the lawsuits. His current lawyer, Scott Piekarsky, said he intends to file an immediate appeal before the discipline takes effect.

"The discipline imposed is ‘so disproportionate as to be shocking to one’s sense of fairness’ under New Jersey case law," Piekarsky said in a statement.

Piekarsky also noted that the administrative law judge who heard the case found no need for any license suspension and raised questions about the credibility of the patient who sued Helfmann. "We feel this is a political decision due to Dr. Helfmann’s aggressive stance" in litigation, he said.

Helfmann sued the state of New Jersey and Joan Gelber, a senior deputy attorney general, claiming that he was not provided due process and equal protection under the law. He and Short Hills Associates sued his prior debt collection firm for legal malpractice. Those cases have been dismissed, though Helfmann has appealed.

Helfmann and Short Hills Associates also are suing the patient who sued him, as well as the man’s lawyer, claiming the patient and lawyer violated a confidential settlement agreement by talking to a ProPublica reporter and sharing information with a lawyer for the New Jersey attorney general’s office without providing advance notice. In court pleadings, the patient and his lawyer maintain that they did not breach the agreement. Helfmann brought all three of these lawsuits in state court in Union County.

Throughout his career, Helfmann has been an advocate for patient privacy, helping to push a state law limiting the information an insurance company can seek from a psychologist to determine the medical necessity of treatment. He also was a plaintiff in a lawsuit against two insurance companies and a New Jersey state commission, accusing them of requiring psychologists to turn over their treatment notes in order to get paid.

"It is apparent that upholding the ethical standards of his profession was very important to him," Carol Cohen, the administrative law judge, wrote. "Having said that, it appears that in the case of the information released to his attorney and eventually put into court papers, the respondent did not use due diligence in being sure that confidential information was not released and his patients were protected."

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Several States Updated Their Existing Breach Notification Laws, Or Introduced New Laws

Given the increased usage of data in digital formats, new access methods, and continual data breaches within corporations and governments, several state governments have updated their data breach notification laws, and/or passed new laws:

Alabama

The last state without any breach notification laws, Governor Kay Ivey signed in March the state's first data breach law: the Alabama Data Breach Notification Act of 2018 (SB 318), which became effective on June 1, 2018. Some of the key modifications: a) similar to other states, the law defined the format and types of data elements which must be protected, including health information; b) defined "covered entities" including state government agencies and "third-party agents" contracted to maintain, store, process and/or access protected data; c) requires notification of affected individuals within 45 days, and to the state Attorney General; and d) while penalties aren't mandatory, the law allows civil penalties up to $5,000 per day for, "each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this act."

Arizona

Earlier this year, Arizona Governor Doug Ducey signed legislation updating the state's breach notification laws. Some of the key modifications: a) expanded definitions of personal information to include medical or mental health treatment/diagnosis, passport numbers, taxpayer ID numbers, biometric data, e-mail addresses in combination with online passwords and security questions; b) set the notification window for affected persons at 45 days; c) allows e-mail notification of affected persons; d) and if the breach affected more than 1,000 persons, then notification must provided to the three national credit-reporting agencies and to the state Attorney General.

Colorado

Colorado Governor John Hickenloope signed on May 29th several laws including HB-1128, which will go into effect on september 1, 2018. Some experts view HB-1128 as the strongest protections in the country. Some of the key modifications: a) expanded "covered entities" to include certain "third-party service providers" contracted to maintain, store, process and/or access protected data; b) expanded definitions of "personal information" to include biometric data, plus e-mail addresses in combination with online passwords and security questions; c) allows substitute notification methods (e.g., e-mail, post on website, statewide news media) if the cost of basic notification would exceed $250,000; d) allows e-mail notification of affected persons; e) sets the notification window at 30 days, if the breach affected more than 500 Colorado residents; and f) expanded requirements for companies to protected personal information.

Louisiana

Louisiana Governor John Edwards signed in May 2018 an amendment to the state’s Database Security Breach Notification Law (Act 382) which will take effect August 1, 2018. Some of the key modifications: a) expanded definition of ‘personal information’ to include a state identification card number, passport number, and “biometric data” (e.g., fingerprints, voice prints, eye retina or iris, or other unique biological characteristics used to access systems); b) removed vagueness and defined the notification window as within 60 days; c) allows substitute notification methods (e.g., e-mail, posts on affected company's website, statewide news media); and d) tightened required that companies utilizing "computerized data" better protect the information they archive.

South Dakota

The next-to-last state without any breach notification laws, Governor Dennis Daugaard signed into law in March the state’s first breach notification law (SB 62). Like breach laws in other states, it provides definitions of what a breach is, personal information which must be protected, covered entities (e.g., companies, government agencies) subject to the law, notification requirements, and conditions when substitute notification methods (e.g., e-mail, posts on the affected entity's website, statewide news media) are allowed.

To Summarize

New Mexico enacted its new breach notification law (HB 15) in March, 2017. With the additions of Alabama and South Dakota, finally every state has a breach notification law. Sadly, it has taken 16 years. California was the first state to enact a breach notification law in 2002. It has taken that long for other states to catch up... not only catch up with California, but also catch up with technological changes driven by the internet.

California has led the way for a long time. It banned RFID skimming in 2008, co-hosted privacy workshops with the U.S. Federal Trade Commission in 2008, strengthened its existing breach law in 2011, and introduced in 2013 privacy guidelines for mobile app developers. Other states' legislatures can learn from this leadership.

Want to learn more? Detailed reviews of new and updated breach laws are available in the National Law Review website.


Why Your Health Insurer Doesn’t Care About Your Big Bills

[Editor's note: today's guest post, by the reporters at ProPublica, discusses pricing and insurance problems within the healthcare industry, and a resource most consumers probably are unaware of. It is reprinted with permission.]

By Marshall Allen, ProPublica

Michael Frank ran his finger down his medical bill, studying the charges and pausing in disbelief. The numbers didn’t make sense.

His recovery from a partial hip replacement had been difficult. He’d iced and elevated his leg for weeks. He’d pushed his 49-year-old body, limping and wincing, through more than a dozen physical therapy sessions.

NYU Langone Health logo The last thing he needed was a botched bill.

His December 2015 surgery to replace the ball in his left hip joint at NYU Langone Medical Center in New York City had been routine. One night in the hospital and no complications.

Aetna Inc. logoHe was even supposed to get a deal on the cost. His insurance company, Aetna, had negotiated an in-network “member rate” for him. That’s the discounted price insured patients get in return for paying their premiums every month.

But Frank was startled to see that Aetna had agreed to pay NYU Langone $70,000. That’s more than three times the Medicare rate for the surgery and more than double the estimate of what other insurance companies would pay for such a procedure, according to a nonprofit that tracks prices.

Fuming, Frank reached for the phone. He couldn’t see how NYU Langone could justify these fees. And what was Aetna doing? As his insurer, wasn’t its duty to represent him, its “member”? So why had it agreed to pay a grossly inflated rate, one that stuck him with a $7,088 bill for his portion?

Frank wouldn’t be the first to wonder. The United States spends more per person on health care than any other country. A lot more. As a country, by many measures, we are not getting our money’s worth. Tens of millions remain uninsured. And millions are in financial peril: About 1 in 5 is currently being pursued by a collection agency over medical debt. Health care costs repeatedly top the list of consumers’ financial concerns.

Experts frequently blame this on the high prices charged by doctors and hospitals. But less scrutinized is the role insurance companies — the middlemen between patients and those providers — play in boosting our health care tab. Widely perceived as fierce guardians of health care dollars, insurers, in many cases, aren’t. In fact, they often agree to pay high prices, then, one way or another, pass those high prices on to patients — all while raking in healthy profits.

ProPublica and NPR are examining the bewildering, sometimes enraging ways the health insurance industry works, by taking an inside look at the games, deals and incentives that often result in higher costs, delays in care or denials of treatment. The misunderstood relationship between insurers and hospitals is a good place to start.

Today, about half of Americans get their health care benefits through their employers, who rely on insurance companies to manage the plans, restrain costs and get them fair deals.

But as Frank eventually discovered, once he’d signed on for surgery, a secretive system of pre-cut deals came into play that had little to do with charging him a reasonable fee.

After Aetna approved the in-network payment of $70,882 (not including the fees of the surgeon and anesthesiologist), Frank’s coinsurance required him to pay the hospital 10 percent of the total.

When Frank called NYU Langone to question the charges, the hospital punted him to Aetna, which told him it paid the bill according to its negotiated rates. Neither Aetna nor the hospital would answer his questions about the charges.

Frank found himself in a standoff familiar to many patients. The hospital and insurance company had agreed on a price and he was required to help pay it. It’s a three-party transaction in which only two of the parties know how the totals are tallied.

Frank could have paid the bill and gotten on with his life. But he was outraged by what his insurance company agreed to pay. “As bad as NYU is,” Frank said, “Aetna is equally culpable because Aetna’s job was to be the checks and balances and to be my advocate.”

And he also knew that Aetna and NYU Langone hadn’t double-teamed an ordinary patient. In fact, if you imagined the perfect person to take on insurance companies and hospitals, it might be Frank.

For three decades, Frank has worked for insurance companies like Aetna, helping to assess how much people should pay in monthly premiums. He is a former president of the Actuarial Society of Greater New York and has taught actuarial science at Columbia University. He teaches courses for insurance regulators and has even served as an expert witness for insurance companies.

The hospital and insurance company may have expected him to shut up and pay. But Frank wasn’t going away.

Patients fund the entire health care industry through taxes, insurance premiums and cash payments. Even the portion paid by employers comes out of an employee’s compensation. Yet when the health care industry refers to “payers,” it means insurance companies or government programs like Medicare.

Patients who want to know what they’ll be paying — let alone shop around for the best deal — usually don’t have a chance. Before Frank’s hip operation he asked NYU Langone for an estimate. It told him to call Aetna, which referred him back to the hospital. He never did get a price.

Imagine if other industries treated customers this way. The price of a flight from New York to Los Angeles would be a mystery until after the trip. Or, while digesting a burger, you’d learn it cost 50 bucks.

A decade ago, the opacity of prices was perhaps less pressing because medical expenses were more manageable. But now patients pay more and more for monthly premiums, and then, when they use services, they pay higher co-pays, deductibles and coinsurance rates.

Employers are equally captive to the rising prices. They fund benefits for more than 150 million Americans and see health care expenses eating up more and more of their budgets.

Richard Master, the founder and CEO of MCS Industries Inc. in Easton, Pennsylvania, offered to share his numbers. By most measures MCS is doing well. Its picture frames and decorative mirrors are sold at Walmart, Target and other stores and, Master said, the company brings in more than $200 million a year.

But the cost of health care is a growing burden for MCS and its 170 employees. A decade ago, Master said, an MCS family policy cost $1,000 a month with no deductible. Now it’s more than $2,000 a month with a $6,000 deductible. MCS covers 75 percent of the premium and the entire deductible. Those rising costs eat into every employee’s take-home pay.

Economist Priyanka Anand of George Mason University said employers nationwide are passing rising health care costs on to their workers by asking them to absorb a larger share of higher premiums. Anand studied Bureau of Labor Statistics data and found that every time health care costs rose by a dollar, an employee’s overall compensation got cut by 52 cents.

Master said his company hops between insurance providers every few years to find the best benefits at the lowest cost. But he still can’t get a breakdown to understand what he’s actually paying for.

“You pay for everything, but you can’t see what you pay for,” he said.

Master is a CEO. If he can’t get answers from the insurance industry, what chance did Frank have?

Frank’s hospital bill and Aetna’s “explanation of benefits” arrived at his home in Port Chester, New York, about a month after his operation. Loaded with an off-putting array of jargon and numbers, the documents were a natural playing field for an actuary like Frank.

Under the words, “DETAIL BILL,” Frank saw that NYU Langone’s total charges were more than $117,000, but that was the sticker price, and those are notoriously inflated. Insurance companies negotiate an in-network rate for their members. But in Frank’s case at least, the “deal” still cost $70,882.

With a practiced eye, Frank scanned the billing codes hospitals use to get paid and immediately saw red flags: There were charges for physical therapy sessions that never took place, and drugs he never received. One line stood out — the cost of the implant and related supplies. Aetna said NYU Langone paid a “member rate” of $26,068 for “supply/implants.” But Frank didn’t see how that could be accurate. He called and emailed Smith & Nephew, the maker of his implant, until a representative told him the hospital would have paid about $1,500. His NYU Langone surgeon confirmed the amount, Frank said. The device company and surgeon did not respond to ProPublica’s requests for comment.

Frank then called and wrote Aetna multiple times, sure it would want to know about the problems. “I believe that I am a victim of excessive billing,” he wrote. He asked Aetna for copies of what NYU Langone submitted so he could review it for accuracy, stressing he wanted “to understand all costs.”

Aetna reviewed the charges and payments twice — both times standing by its decision to pay the bills. The payment was appropriate based on the details of the insurance plan, Aetna wrote.

Frank also repeatedly called and wrote NYU Langone to contest the bill. In its written reply, the hospital didn’t explain the charges. It simply noted that they “are consistent with the hospital’s pricing methodology.”

Increasingly frustrated, Frank drew on his decades of experience to essentially serve as an expert witness on his own case. He gathered every piece of relevant information to understand what happened, documenting what Medicare, the government’s insurance program for the disabled and people over age 65, would have paid for a partial hip replacement at NYU Langone — about $20,491 — and what FAIR Health, a New York nonprofit that publishes pricing benchmarks, estimated as the in-network price of the entire surgery, including the surgeon fees — $29,162.

He guesses he spent about 300 hours meticulously detailing his battle plan in two inches-thick binders with bills, medical records and correspondence.

ProPublica sent the Medicare and FAIR Health estimates to Aetna and asked why they had paid so much more. The insurance company declined an interview and said in an emailed statement that it works with hospitals, including NYU Langone, to negotiate the “best rates” for members. The charges for Frank's procedure were correct given his coverage, the billed services and the Aetna contract with NYU Langone, the insurer wrote.

NYU Langone also declined ProPublica’s interview request. The hospital said in an emailed statement it billed Frank according to the contract Aetna had negotiated on his behalf. Aetna, it wrote, confirmed the bills were correct.

After seven months, NYU Langone turned Frank’s $7,088 bill over to a debt collector, putting his credit rating at risk. “They upped the ante,” he said.

Frank sent a new flurry of letters to Aetna and to the debt collector and complained to the New York State Department of Financial Services, the insurance regulator, and to the New York State Office of the Attorney General. He even posted his story on LinkedIn.

But no one came to the rescue. A year after he got the first bills, NYU Langone sued him for the unpaid sum. He would have to argue his case before a judge.

You’d think that health insurers would make money, in part, by reducing how much they spend.

Turns out, insurers don’t have to decrease spending to make money. They just have to accurately predict how much the people they insure will cost. That way they can set premiums to cover those costs — adding about 20 percent to for their administration and profit. If they’re right, they make money. If they’re wrong, they lose money. But, they aren’t too worried if they guess wrong. They can usually cover losses by raising rates the following year.

Frank suspects he got dinged for costing Aetna too much with his surgery. The company raised the rates on his small group policy — the plan just includes him and his partner — by 18.75 percent the following year.

The Affordable Care Act kept profit margins in check by requiring companies to use at least 80 percent of the premiums for medical care. That’s good in theory but it actually contributes to rising health care costs. If the insurance company has accurately built high costs into the premium, it can make more money. Here’s how: Let’s say administrative expenses eat up about 17 percent of each premium dollar and around 3 percent is profit. Making a 3 percent profit is better if the company spends more.

It’s like if a mom told her son he could have 3 percent of a bowl of ice cream. A clever child would say, “Make it a bigger bowl.”

Wonks call this a “perverse incentive.”

“These insurers and providers have a symbiotic relationship,” said Wendell Potter, who left a career as a public relations executive in the insurance industry to become an author and patient advocate. “There’s not a great deal of incentive on the part of any players to bring the costs down.”

Insurance companies may also accept high prices because often they aren’t always the ones footing the bill. Nowadays about 60 percent of the employer benefits are “self-funded.” That means the employer pays the bills. The insurers simply manage the benefits, processing claims and giving employers access to their provider networks. These management deals are often a large, and lucrative, part of a company’s business. Aetna, for example, insured 8 million people in 2017, but provided administrative services only to considerably more — 14 million.

To woo the self-funded plans, insurers need a strong network of medical providers. A brand-name system like NYU Langone can demand — and get — the highest payments, said Manuel Jimenez, a longtime negotiator for insurers including Aetna. “They tend to be very aggressive in their negotiations.”

On the flip side, insurers can dictate the terms to the smaller hospitals, Jimenez said. The little guys, “get the short end of the stick,” he said. That’s why they often merge with the bigger hospital chains, he said, so they can also increase their rates.

Other types of horse-trading can also come into play, experts say. Insurance companies may agree to pay higher prices for some services in exchange for lower rates on others.

Patients, of course, don’t know how the behind-the-scenes haggling affects what they pay. By keeping costs and deals secret, hospitals and insurers dodge questions about their profits, said Dr. John Freedman, a Massachusetts health care consultant. Cases like Frank’s “happen every day in every town across America. Only a few of them come up for scrutiny.”

In response, a Tennessee company is trying to expose the prices and steer patients to the best deals. Healthcare Bluebook aims to save money for both employers who self-pay, and their workers. Bluebook used payment information from self-funded employers to build a searchable online pricing database that shows the low-, medium- and high-priced facilities for certain common procedures, like MRIs. The company, which launched in 2008, now has more than 4,500 companies paying for its services. Patients can get a $50 bonus for choosing the best deal.

Bluebook doesn’t have price information for Frank’s operation — a partial hip replacement. But its price range in the New York City area for a full hip replacement is from $28,000 to $77,000, including doctor fees. Its “fair price” for these services tops out at about two-thirds of what Aetna agreed to pay on Frank’s behalf.

Frank, who worked with mainstream insurers, didn’t know about Bluebook. If he had used its data, he would have seen that there were facilities that were both high quality and offered a fair price near his home, including Holy Name Medical Center in Teaneck, New Jersey, and Greenwich Hospital in Connecticut. NYU Langone is one of Bluebook’s highest-priced, high-quality hospitals in the area for hip replacements. Others on Bluebook’s pricey list include Montefiore New Rochelle Hospital in New Rochelle, New York, and Hospital for Special Surgery in Manhattan.

ProPublica contacted Hospital for Special Surgery to see if it would provide a price for a partial hip replacement for a patient with an Aetna small-group plan like Frank’s. The hospital declined, citing its confidentiality agreements with insurance companies.

Frank arrived at the Manhattan courthouse on April 2 wearing a suit and fidgeted in his seat while he waited for his hearing to begin. He had never been sued for anything, he said. He and his attorney, Gabriel Nugent, made quiet conversation while they waited for the judge.

In the back of the courtroom, NYU Langone’s attorney, Anton Mikofsky, agreed to talk about the lawsuit. The case is simple, he said. “The guy doesn’t understand how to read a bill.”

The high price of the operation made sense because NYU Langone has to pay its staff, Mikofsky said. It also must battle with insurance companies who are trying to keep costs down, he said. “Hospitals all over the country are struggling,” he said.

“Aetna reviewed it twice,” Mikofsky added. “Didn’t the operation go well? He should feel blessed.”

When the hearing started, the judge gave each side about a minute to make its case, then pushed them to settle.

Mikofsky told the judge Aetna found nothing wrong with the billing and had already taken care of most of the charges. The hospital’s position was clear. Frank owed $7,088.

Nugent argued that the charges had not been justified and Frank felt he owed about $1,500.

The lawyers eventually agreed that Frank would pay $4,000 to settle the case.

Frank said later that he felt compelled to settle because going to trial and losing carried too many risks. He could have been hit with legal fees and interest. It would have also hurt his credit at a time he needs to take out college loans for his kids.

After the hearing, Nugent said a technicality might have doomed their case. New York defendants routinely lose in court if they have not contested a bill in writing within 30 days, he said. Frank had contested the bill over the phone with NYU Langone, and in writing within 30 days with Aetna. But he did not dispute it in writing to the hospital within 30 days.

Frank paid the $4,000, but held on to his outrage. “The system,” he said, “is stacked against the consumer.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


Medicare Scams Still Operate. How To Avoid Getting Your Identity Information Stolen

To minimize fraud, the new Medicare cards display a unique 11-digit identification number instead of patients' Social Security numbers. However, scammers have created a new tactic to trick patients into revealing their sensitive Medicare information. The Oregon Department of Justice warned:

"If someone calls and asks you for your personal information, money to activate the new card, or threatens to cancel your Medicare benefits if you don’t share your personal information, just hang up! It is a scam," said Attorney General Ellen Rosenblum.

Medicare will not call you nor ask for your Social Security number or bank information. That's good advice for patients nationwide. Experts estimate that Medicare loses about $60 billion yearly to con artists via a variety of scams.

Oregon residents suspecting healthcare fraud or wanting to report scammers, should contact Oregon's Department of Justice’s Consumer Protection (hotline: 1-877-877-9392 or www.oregonconsumer.gov). Consumers in other states should contact their state's attorney general, and/or report suspected fraud directly to Medicare.

The video below from 2017 includes advice about how patients should protect their Medicare cards.


Connecticut And Federal Regulators Announce $1.3 Million Settlement With Substance Abuse Healthcare Provider

Connecticut and federal regulators recently announced a settlement agreement to resolve allegations that New Era Rehabilitation Center (New Era), operating in New Haven and Bridgeport, submitted false claims to both state and federal healthcare programs. The office of George Jepsen, Connecticut Attorney General, announced that New Era:

"... and its co-founders and owners – Dr. Ebenezer Kolade and Dr. Christina Kolade – are enrolled as providers in the Connecticut Medical Assistance Program (CMAP), which includes the state's Medicaid program. As part of their practice, they provide methadone treatment services for patients dealing with opioid addiction. Most of their patients are CMAP beneficiaries.

During the relevant time period, CMAP reimbursed methadone clinics by paying a weekly bundled rate that included all of the services associated with methadone maintenance, including the patient's doses of methadone; the initial intake evaluation; a physical examination; periodic drug testing; and individual, group and family drug counseling... The state and federal governments alleged that, from October 2009 to November 2013, New Era and the Kolades engaged in a pattern and practice of billing CMAP weekly for the methadone bundled service rate and then also submitting a separate claim to the CMAP for virtually every drug counseling session provided to clients by using a billing code for outpatient psychotherapy. The state and federal governments further alleged that those psychotherapy sessions were actually the drug counseling sessions already included and reimbursed through the bundled rate."

These actions were part of the State of Connecticut's Inter-agency Fraud Task Force created in 2013 to investigate and prosecute healthcare fraud. The joint investigation included the Connecticut AT's office, the office of Connecticut U.S. Attorney John H. Durham, and the U.S. Health and Human Services, Office of Inspector General – Office of Investigations.

Connecticut Fight Fraud logo Terms of the settlement agreement require NERC to pay $1,378,533 in settlement funds. Of that amount, $881,945 will be returned to CMAP.

Connecticut residents suspecting healthcare fraud or abuse should contact the Attorney General’s Antitrust and Government Program Fraud Department (phone at 860-808-5040, or email at ag.fraud@ct.gov), or the Department of Social Services fraud (hotline at 1-800-842-2155, online at www.ct.gov/dss/reportingfraud, or email at providerfraud.dss@ct.gov). Residents in other states can contact their state's attorney general's office.


Fresenius Medical Care To Pay $3.5 Million For 5 Small Data Breaches During 2012

Logo-fresenius-medical-careFresenius Medical Care Holdings, Inc. has agreed to a $3.5 million settlement agreement regarding five small data breaches the Massachusetts-based healthcare organization experienced during 2012. Fresenius Medical Care Holdings, Inc. does business under the name Fresenius Medical Care North America (FMCNA). This represents one of the largest HIPAA settlements ever by the U.S. Department of Health & Human Services (HHS).

The five small data breaches, at different locations across the United States, affected about 521 persons:

  1. Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility: On February 23, 2012, two desktop computers were stolen during a break-in. One of the computers contained the electronic Protected Health Information (ePHI) of 200 persons, including patient name, admission date, date of first dialysis, days and times of treatments, date of birth, and Social Security number
  2. Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove: On April 3, 2012, an unencrypted USB drive was stolen from a worker's car while parked in the organization's parking lot. The USB device contained the ePHI of 245 persons, including patient name, address, date of birth, telephone number, insurance company, insurance account number (a potential social security number derivative for some patients) and the covered entity location where each patient was seen.
  3. Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin: On June 18, 2012, an anonymous phone tip reported that a hard drive was missing from a desktop computer, which had been taken out of service. The hard drive contained the ePHI of 35 persons, including name, date of birth, Social Security number and Zip code. While the worker notified a manager about the missing hard drive, the manager failed t notify the FMCNA Corporate Risk Management Department.
  4. Fresenius Vascular Care Augusta, LLC: On June 16, 2012, a worker's unencrypted laptop was stolen from her car while parked overnight at home. The laptop bag also include a list of her passwords. The laptop contained the ePHI of 10 persons, including patient name, insurance account number (which could be a social security number derivative) and other insurance information.
  5. WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis: On or about June 17 - 18, 2012, three desktop computers and one encrypted laptop were stolen from the office. One of the desktop computers contained the ePHI of 31 persons, including patient name, dates of birth, address, telephone number, and either full or partial Social Security numbers.

Besides the hefty payment, terms of the settlement agreement (Adobe PDF) require FMCNA to implement and complete a Corrective Action Plan:

  • Conduct a risk analysis,
  • Develop and implement a risk management plan,
  • Implement a process for evaluating workplace operational changes,
  • Develop an Encryption Report,
  • Review and revise internal policies and procedures to control devices and storage media,
  • Review and revise policies to control access to facilities,
  • Develop a privacy and security awareness training program for workers, and
  • Submit progress reports at regular intervals to HHS.

The Encryption report identifies and describes the devices and equipment (e.g., desktops, laptops, tables smartphones, etc.) that may be used to access, store, and transmit patients' ePHI information; records the number of devices including which utilize encrypted information; and provides a detailed plan for implementing encryption on devices and media which should contain encrypted information and currently don't.

Some readers may wonder why a large fine for relatively small data breaches, since news reports often cite data breaches affecting thousands or millions of persons. HHS explained that the investigation by its Office For Civil Rights (OCR) unit:

"... revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule... Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules.."

OCR Director Roger Severino added:

"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity... Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law."


Health Experts To Facebook: Turn Off Messenger Kids

Facebook logo In December 2017, Facebook launched its Messenger Kids service for children ages six to 13. The service includes a free video calling and messaging app where children can connect only with parent-approved contacts. The ad-free service includes masks, frames, stickers and GIFs for children to, "ids can create fun videos and decorate photos to share moments with loved ones."

Pediatricians and health experts are very concerned. Earlier today, dozens of health professionals sent a letter to Facebook (Adobe PDF) urging the social networking giant to terminate Messenger Kids. The letter stated in part:

"Given Facebook’s enormous reach and marketing prowess, Messenger Kids will likely be the first social media platform widely used by elementary school children. But a growing body of research demonstrates that excessive use of digital devices and social media is harmful to children and teens, making it very likely this new app will undermine children’s healthy development.

Younger children are simply not ready to have social media accounts. They are not old enough to navigate the complexities of online relationships, which often lead to misunderstandings and conflicts even among more mature users. They also do not have a fully developed understanding of privacy, including what’s appropriate to share with others and who has access to their conversations, pictures, and videos.

At a time when there is mounting concern about how social media use affects adolescents’ well being, it is particularly irresponsible to encourage children as young as preschoolers to start using a Facebook product. Social media use by teens is linked to significantly higher rates of depression, and adolescents who spend an hour a day chatting on social networks report less satisfaction with nearly every aspect of their lives. Eighth graders who use social media for 6 - 9 hours per week are 47% more likely to report they are unhappy than their peers who use social media less often. A study of girls between the ages of 10 and 12 found the more they used social networking sites like Facebook, the more likely they were to idealize thinness, have concerns about their bodies, and to have dieted. Teen social media use is also linked to unhealthy sleep habits. Messenger Kids is likely to increase the amount of time pre-school and elementary age kids spend with digital devices. Already, adolescents report difficulty moderating their own social media use: 78% check their phones at least hourly, and 50% say they feel addicted to their phones. Almost half of parents say that regulating their child’s screen time is a constant battle. Messenger Kids will exacerbate this problem... Encouraging kids to move their friendships online will interfere with and displace the face-to-face interactions and play that are crucial for building healthy developmental skills, including the ability to read human emotion, delay gratification, and engage with the physical world..."

The letter contains footnotes to citations with supporting research about the above health concerns. Reportedly, Facebook consulted with the National PTA and several academics before introducing the app. Messenger Kids is a separate service, so children using it can't be found using Facebook's search mechanism.

The letter from health professionals to Facebook also addressed safety concerns:

"Facebook claims that Messenger Kids will provide a safe alternative for the children who have lied their way onto social media platforms designed for teens and adults. But the 11- and 12-year-olds who currently use Snapchat, Instagram, or Facebook are unlikely to switch to an app that is clearly designed for younger children. Messenger Kids is not responding to a need – it is creating one. It appeals primarily to children who otherwise would not have their own social media accounts. It is disingenuous to use Facebook’s failure to keep underage users off their platforms as a rationale for targeting younger children with a new product."

Earlier this month, Facebook's CEO acknowledged problems and promised to do better. We shall see if Facebook's management listens to the documented concerns of pediatricians and health professionals.

What are your opinions about children ages 6 to 13 using social media? About Messenger Kids? Should Facebook terminate Messenger Kids?

Facebook-messenger-kids-how-to


Some U.S. Hospitals Don’t Put Americans First for Liver Transplants

[Editor's note: today's guest blog post, by the reporters at ProPublica, discusses a largely unknown practice by some hospitals in the health care industry. Is this practice right? Ethical? Today's post is reprinted with permission.]

By Charles Ornstein, ProPublica

Earlier this fall, a leader of the busiest hospital for organ transplants in New York state — where livers are particularly scarce — pleaded for fairer treatment for ailing New Yorkers.

“Patients in equal need of a liver transplant should not have to wait and suffer differently because of the U.S. state where they reside,” wrote Dr. Herbert Pardes, former chief executive and now executive vice president of the board at NewYork-Presbyterian Hospital.

But Pardes left out his hospital’s own contribution to the shortage: From 2013 to 2016, it gave 20 livers to foreign nationals who came to the United States solely for a transplant — essentially exporting the organs and removing them from the pool available to New Yorkers.

That represented 5.2 percent of the hospital’s liver transplants during that time, one of the highest ratios in the country.

Little known to the public, or to sick patients and their families, organs donated domestically are sometimes given to patients flying in from other countries, who often pay a premium. Some hospitals even seek out foreign patients in need of a transplant. A Saudi Arabian company, Ansaq Medical Co., whose stated aim is to “facilitate the procedures and mechanisms of ‘medical tourism,’” said it signed an agreement with Ochsner Medical Center in New Orleans in 2015.

The practice is legal, and foreign nationals must wait their turn for an organ in the same way as domestic patients. Transplant centers justify it on medical and humanitarian grounds. But at a time when President Donald Trump is espousing an “America First” policy and seeking to ban visitors and refugees from certain countries, allocating domestic organs to foreigners may run counter to the national mood.

Even beyond the realm of health care, some are questioning whether foreigners should be able to access limited spots that might otherwise be available to U.S. citizens. For instance, public colleges compensate for reductions in state funding by accepting more foreign students paying higher tuition, and critics say in-state students are being denied opportunities as a result.

Dr. Sander Florman, director of the transplant institute at the Mount Sinai Hospital in New York, said he struggles with “in essence, selling the organs we do have to foreign nationals with bushels of money.”

Mount Sinai has not performed any transplants on patients who came to this country specifically for that purpose, but it has done so for international patients here for other reasons.

Between 2013 and 2016, 252 foreigners came to the U.S. purely to receive livers at American hospitals. In 2016, the most recent year for which data is available, the majority of foreign recipients were from countries in the Middle East, including Saudi Arabia, Kuwait, Israel and United Arab Emirates. Another 100 foreigners staying in the U.S. as non-residents also received livers.

All the while, more than 14,000 people, nearly all of them American citizens, are waiting for liver transplants, a figure that has remained stubbornly high for decades. By comparison, fewer than 8,000 liver transplants were performed last year in the United States — and that was an all-time high. The national median wait time for a liver is more than 14 months, and in states like New York, the wait is far longer. (The wait for livers varies from one state to the next, depending on such factors as the number of organ donors, and the resourcefulness of organ procurement agencies.)

Many patients die before reaching the front of the line. In 2016, more than 2,600 patients were removed from waiting lists nationally because they either died or were too sick to receive a liver transplant.

Most transplant centers only serve American citizens or residents, either by happenstance or by design. Foreign transplants are concentrated among a handful of centers, including NewYork-Presbyterian, Memorial Hermann-Texas Medical Center in Houston (31 such transplants from 2013 to 2016), Ochsner (30), and Cleveland Clinic in Ohio (21).

“When you take people from other parts of the world and provide an organ transplant to them rather than someone who’s here, there’s a real cost, there’s a real life that’s lost,” said Jane Hartsock, a visiting assistant professor of medical humanities and health studies at the Indiana University School of Liberal Arts. Hartsock and her colleagues wrote a journal article published last year saying foreigners should be last in line for a transplant.

NewYork-Presbyterian said it does not advertise its transplant program to foreign patients and that the majority of the transplants it performed on foreign nationals traveling to New York for that reason — 11 of the 20 — were on children under 18.

In a statement, the hospital and its academic partner Columbia University said they follow federal guidelines. “We strongly support efforts that aim to address the critical issue of equitable distribution of livers for transplant and are working closely with a wide range of stakeholders to help increase the number of organ donor registrations in New York State.”

A spokeswoman for the Cleveland Clinic, Eileen Sheil, said her hospital does not actively seek out foreign national business and has a “thoughtful and ethical approach that is well within the rules and aligned with our overall mission for taking care of patients.” Ochsner similarly said, “patients seek out Ochsner’s expertise because of our relentless commitment to provide the highest-quality, complex care.” Memorial Hermann did not respond to requests for comment.

To be sure, the proportion of available livers that go to foreigners is tiny — slightly less than 1 percent of liver transplants nationwide from 2013 to 16. The figure appears to be dropping further in 2017. Even if all recipients were Americans, wait times would still be substantial. Moreover, foreigners queue up on the waitlist like everybody else — although it may be easier for them, since they aren’t rooted in any particular state, to choose a hospital in an area with a shorter wait, such as Ochsner. And some Americans discouraged by the lengthy wait in this country have gone abroad for transplants.

The transplant figures in this article do not include transplants involving living donors, meaning a relative or friend who donates part of his or her liver to a patient. No one interviewed for this story said it is inappropriate for a foreign national to come to the U.S. for a procedure with a living donor.

There’s also an important distinction between giving an organ to a foreigner who happens to be in the U.S. — someone on a student visa or even an undocumented immigrant — and giving one to someone flying over just for surgery. Someone in the first group would be eligible to donate an organ if something happened to them in this country; someone in the latter group would not because livers must be transplanted quickly and there wouldn’t be enough time to ship them.

“If you live in the United States, no matter what your [citizenship] status is, you could potentially be an organ donor if you get hit by a car or something happens to you,” said Dr. Gabriel M. Danovitch, medical director of the kidney and pancreas transplant program at Ronald Reagan UCLA Medical Center, who previously led the UNOS international relations committee. “But if your home is somewhere else, a long way away, there’s no way that you can be a donor or your family or your friends could be donors.

“And in some respects, when you then come to the United States, you are using up a valuable resource that is in great shortage here.”

Foreign patients generally are not entitled to the same discounts as those with private insurance or Medicare, the federal insurance program for seniors and the disabled. In 2015, for instance, the average sticker price for a liver transplant at NewYork-Presbyterian was $371,203, but the average payment for patients in Medicare was less than one-third of that, $112,469, according to data from the Centers for Medicare and Medicaid Services, which runs Medicare. In the case of Saudi Arabia, its embassy in Washington often guarantees payment for patients.

The topic is emerging now because the nation’s transplant leaders will meet next month to consider rewriting the rules governing how livers are distributed, giving programs in New York City, Los Angeles, Chicago and other areas greater access to organs from people who die in nearby regions. The proposal by a committee of the United Network for Organ Sharing, the federal contractor that runs the national transplant system, faces opposition from programs and regions that stand to lose organs. Pardes’ comments were posted in an online comment forum devoted to the proposal, which does not address the issue of transplants for foreigners.

UNOS said it has worked to get better data on foreigners that receive transplants in this country but ultimately, federal law doesn’t prohibit these transplants.

“This is an individual medical decision that the individual transplant hospital makes,” spokesman Joel Newman said. “If we addressed citizenship or residency as a particular reason for whether to accept a patient or not, then that would open up the door to lots of other nonmedical criteria — religion, race, political preference, any number of things that as a community we have decided from an ethical standpoint not to consider.”

UNOS has the authority to ask questions of transplant centers about surgeries on foreign nationals, but Newman said UNOS committees are still trying to figure out what information they would want, and, in any event, the transplant centers don’t have to answer the questions.

The federal rules governing the transplant system, written more than three decades ago, say organ allocation decisions must be based on medical criteria, which would exclude consideration of a person’s nationality or citizenship. While centers can perform as many transplants on foreigners as they want, many programs have tried to keep them below 5 percent of all transplants for each organ type. Until several years ago, 5 percent was the threshold above which UNOS could audit a program. No programs were ever formally audited, and the cutoff was eventually eliminated.

It’s time to revisit the rules, some lawmakers say.

“As a general rule, you’ve got to take care of Americans first as long as you have more demand than supply,” said Sen. John Kennedy, R-La., whose state is home to Ochsner, a leader in transplants for foreign nationals. Kennedy said he would favor curbing transplants for foreigners, while creating a national board that could make exceptions. “But what you don’t want to get into, it seems to me, is subjective areas like well, ‘If this person could live an extra few years, what could they contribute to society?’”

There have been scandals in the past about foreigners and organ transplants. In 2005, a liver transplant center in Los Angeles shut its doors after disclosing that its team had taken a liver that should have gone to a patient at another hospital and instead had implanted it in a Saudi national. The hospital said its staff members falsified documents to cover up the incident.

The University of California, Los Angeles, came under fire in 2008 for performing liver transplants on a powerful Japanese gang boss and other men linked to Japanese gangs, and then receiving donations afterward from at least two of the men. The hospital and its surgeon said they do not make moral judgments about patients.

Further complicating matters is a 2008 document endorsed by transplant organizations around the world, called the Declaration of Istanbul, which seeks to eliminate organ trafficking and reduce transplant tourism internationally. One concern was that patients went to China and received transplants using organs from prisoners. (China said it was stopping the practice in 2015, but experts question whether that has happened.) Another concern was that if a country’s wealthiest or most powerful residents could get transplants overseas, its leaders may not have an incentive to set up a system of their own.

The non-binding declaration also says that there should be a ban on “soliciting, or brokering for the purpose of transplant commercialism, organ trafficking, or transplant tourism.” It was endorsed by UNOS and other national transplant groups.

Former Ochsner employees say they recall Saudi nationals coming for transplants, some wealthy and some not. A New Orleans bar posted a photo on Facebook in 2015 of a young man who brought his mom from Saudi Arabia for a transplant.

Ochsner said in a statement that it was proud of its liver transplant program, which is the nation’s largest. It said that it is willing to accept donated organs that other centers turn down for medical reasons, expanding its ability to help patients while keeping its survival rate high. And it noted that the median waiting time for its patients is only 2.1 months, far below the national median.

“UNOS does not have any restrictions preventing transplant for international patients and they are subject to the same guidelines as domestic patients,” the statement said.

Still, many American candidates for livers don’t make Ochsner’s waiting list. It refused to put Brian “Bubba” Greenlee Jr. on its list right after Christmas in 2015, because of his “poor insight into his drinking and lack of proper social support,” his medical records show. He had cirrhosis and died weeks later at age 45.

His sister, Theresa Greenlee-Jeffers, said Ochsner led her brother to believe that he would get a new liver. Her brother had stopped drinking and she had volunteered to take care of him after a transplant, but then the hospital suddenly reversed course.

“His last Christmas, he was given false hope that he was going to get a transplant. That’s not OK. You don’t play with somebody’s emotions like that,” Greenlee-Jeffers said.

Ocshner did not answer questions about Greenlee’s care but said in its statement, “Not every patient is a candidate for transplant.” It said its criteria are similar to those of other liver transplant centers.

“At Ochsner, we are caregivers, dedicated to providing our patients with high-quality care, improved outcomes and the gift of a second chance at life,” its statement said.

Greenlee-Jeffers wonders if Ochsner excluded her brother and other Americans to make room for foreigners willing to pay more. “It’s not OK,” she said. “We need to take care of our people here at home first. We don’t have enough of this to go around.”

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


Consequences And New Threats From The Massive Equifax Breach

Equifax logo To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information accessed stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN number from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystemsCertegy, and TeleCheck -  the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled the burden from the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?