
Update: FTC Complaint Against Weight-Loss Marketer For Allegedly Using "Gag Clauses"

After the U.S. Federal Trade Commission (FTC) filed a complaint against it for allegedly using gag clauses to silence negative online reviews by customers, Roca Labs, the weight-loss marketer, has responded. MediaPost's Daily Online Examiner reported:

"The company, which sells weight-loss products, argues in court papers filed earlier this month that the FTC lacks the power "to dictate the terms of private contracts between private parties." The company adds: "The FTC’s intention to ban all manner of anti disparagement clauses is overkill and appears to be a knee-jerk reaction to a particular practice of Roca Labs. ...The regulation of public comment through on-line reviews is a complicated and multi-faceted problem that must balance the rights of consumers and businesses in the ever-changing landscape of internet commerce." Roca filed its papers in response to the FTC's request for an injunction..."

Last Thursday, U.S. District Court Judge Mary Scriven in Florida issued an order granting the FTC's preliminary injunction to stop Roca Labs from silencing customers' online reviews. Yelp and other review sites sided with the FTC in a friend-of-the-court brief. Some reviewers posted information about the FTC complaint on the Roca Labs page within the Yelp site.

For review sites to be trustworthy, they must include positive, negative, and neutral reviews of products and services. What are your opinions of gag clauses?

FTC Sues Weight-Loss Marketer For Alleged Use Of "Gag Clauses," Threats, And Lawsuits To Prevent Negative Reviews By Customers

The U.S. Federal Trade Commission (FTC) filed a complaint in Federal court against a weight-loss marketer alleging:

"... that Roca Labs, Inc.; Roca Labs Nutraceutical USA, Inc.; and their principals have sued and threatened to sue consumers who shared their negative experiences online or complained to the Better Business Bureau, stating that the consumers violated the non-disparagement provisions of the “Terms and Conditions” they supposedly agreed to when they bought the products. The FTC alleges that these gag clause provisions, and the defendants’ related warnings, threats, and lawsuits, harm consumers by unfairly barring purchasers from sharing truthful, negative comments about the defendants and their products."

Roca Labs Inc. is based in Sarasota, Florida. The complaint named both Don Juravin, President of Roca Labs Nutraceutical USA (RLNU) and owner of Roca Labs Inc. (RLI), and George C. Whiting, President, Secretary, Treasurer, and Director at RLI, as co-defendants. The websites operated by the defendants include RocaLabs.com, Mini-Gastric-Bypass.me, and GastricBypassNoSurgery.com.

I was curious what an alleged "gag clause" contains. The complaint listed one:

"You agree that regardless of your personal experience with RL, you will not disparage RL and/or any of its employees, products or services. This means that you will not speak, publish, cause to be published, print, review, blog, or otherwise write negatively about RL, or its products or employees in any way. This encompasses all forms of media, including and especially the internet. This paragraph is to protect RL and its current and future customers from the harm of libelous or slanderous content in any form, and thus, your acceptance of the [Terms] prohibits you from taking any action that negatively impacts RL, its reputation, products, services, management, or employees. We make it clear that RL and its Regimen may not be for everyone, and in that regard, the foregoing clause is meant to prevent “one person from ruining it for everyone.” Should any customer violate this provision, as determined by RL in its sole discretion, you will be provided with seventy-two (72) hours to retract the content in question. If the content remains, RL would be obliged to seek all legal remedies to protect its name, products, current customers, and future customers.

If you breach this Agreement, as determined by RL in its sole discretion, all discounts will be waived and you agree to pay the full price for your product. In addition, we retain all legal rights and remedies against the breaching customer for breach of contract and any other appropriate causes of action."

Wow! This is a stark reminder for consumers to read the terms and conditions policy at websites before purchasing online. And, it's always good to be aware of companies that allegedly use monetary threats, lawsuits, and "gag clauses" to deter consumers from exercising their First Amendment rights. Some physicians have tried to squash patients' rights with a "mutual agreement to maintain privacy" document.

Download the complaint (Adobe PDF): FTC v. Roca Labs Inc. et al.

Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company with which we have never done business. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of their sensitive personal information.


The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected. Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and, if so, how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014, and that second employer used the Humana Wellness (i.e., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees who were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra, and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to register, and did not register, for health care through this second employer. My wife's situation is not unique, since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation with people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know about: your employer may share your information with its health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimizing processing effort and expense) by sending one massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends its health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared would include only employees who want to sign up for their employer's health care plan. Simply put, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and there is less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers exposes those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue about who is to blame for the data security failure (i.e., the breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. Since eligibility-file-sourced data is archived, you don't have to be a health care plan subscriber or patient for your data to move with them.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over either their medical or their personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We want to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

In a separate case, a class-action lawsuit was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including Court Ventures, a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.

Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach where unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June. MIE began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach stated:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible from a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and
  • Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurolosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online the breach notices they receive. (They should, since it helps consumers verify breach notices.) Federal HIPAA law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra or No More Clipboard by name. The notice she received listed the following patient information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items were repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement in the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (Experian, Equifax, and TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. They were acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify their EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice they received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?

Less Competition. Consumers Pay More And Get Less

Business leaders and economists like to promote the idea of a free marketplace, where there is plenty of competition and consumers get more benefits, such as lower prices and more choice. So, are consumers getting a good deal? The facts suggest not.

On Monday, April 27, former U.S. Labor Secretary and professor Robert Reich posted the following:

"We’re paying more and getting less because giant companies face less and less competition. For example:

1. U.S. airlines have consolidated into a handful of giant carriers that divide up routes and collude on fares. In 2005 the U.S. had nine major airlines. Now we have just four.

2. 80% of Americans are served by just one Internet Service Provider – usually Comcast, AT&T, or Time-Warner.

3. The biggest banks have become far bigger. In 1990, the five biggest held just 10% of all banking assets. Now the biggest five hold almost 45%.

4. Monsanto owns the key genetic traits in more than 90% of the soybeans and 80% of the corn planted by U.S. farmers.

5. Giant health insurers are larger; the giant hospital chains, far bigger; the most powerful digital platforms (Amazon, Facebook, Google), gigantic.

Whatever happened to antitrust enforcement?"

There are more examples. Here in the Northeast, EverSource, a publicly-traded utility holding company, provides residential energy services in Connecticut, Massachusetts, and New Hampshire. EverSource was created when Northeast Utilities merged with NSTAR Electric & Gas. Northeast Utilities included Connecticut Light & Power, Public Service of New Hampshire, Western Massachusetts Electric, and Yankee Gas. Earlier this year, electricity rates in Boston rose from 29 percent above the national average to 63 percent above it in February.

What are your opinions? What consolidation examples come to mind? Are we consumers getting a good deal, or are we getting screwed?

Survey: Almost Half Of Respondents Are Concerned About Data Breaches At Health Care Providers

There have been several high-profile data breaches recently at health care providers. You've probably heard about them, including the massive breach at Anthem that affected 80 million patients. Earlier this month, Software Advice released the results of an online survey. It found:

"...45 percent of patients surveyed are “very” or “moderately concerned” about a security breach (which we defined as their medical records and/or insurance information being accessed without their consent, and potentially resulting in identity theft). We also asked the 45 percent who are very or moderately concerned to list the reasons behind their level of concern... The highest percentage of respondents (47 percent) say they are concerned about becoming the victim of fraud or identity theft."

When criminals use stolen health care credentials, it is usually to gain access to expensive treatments under the victim's name, and/or to gain access to prescription drugs. The victims are often liable for any co-payments. Experts warn that resolving medical identity fraud can be costly and time-consuming, and can require plenty of effort and expertise, since the victim's medical records have been corrupted with the thief's medical and health information.

The researchers surveyed 243 people. The survey explored how patients' security concerns affect their relationships with their physicians:

"... we asked respondents whether data security concerns lead them to withhold personal health information from their doctors. We defined “personal health information” as including their own (or their family’s) prescription, mental illness and substance abuse history. While the majority of our sample (79 percent) say this “rarely or never” happens, it is significant (and unfortunate) that 21 percent of patients withhold personal information from their physicians specifically because they are concerned about a security breach."

That equals one in every five patients withholding personal information. And, there's more. Many patients fail to read the privacy notices from their physicians or health care providers:

"... we wanted to see how many actually read the Notice of Privacy Practices (NPP) at their doctors’ offices. NPPs are written explanations of how a provider may use and share health information, and how patients can exercise their privacy rights. Patients usually get NPPs (which typically look like this) during their first visit to a health care provider. HIPAA requires NPPs be presented to all patients, but patients do not necessarily have to read or sign the forms. In fact, 44 percent of our sample tell us they “rarely or never” read NPPs all the way through before signing, and 3 percent simply “never sign” them."

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are laws enacted to protect patients' privacy and medical information. The HIPAA law specifies which health care providers and entities (e.g., "covered entities," "business associates," "subcontractors") are required to comply with HIPAA privacy and data security requirements. The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site.

So, too many consumers (and especially teenagers) have a bad habit of ignoring privacy policies at health care providers, just as they ignore privacy policies at websites in general. (Granted, the legalese makes most privacy policies difficult to understand. And, many mobile app developers avoided publishing privacy policies, until forced to do so.) That must change because consumers are only hurting themselves.

Another key finding from the survey:

"... 54 percent of respondents say they would be “very” or “moderately likely” to change providers as a result of their personal health information being accessed without their permission. Digging deeper, we asked patients in that 54 percent if there would be anything their provider could do to retain them in spite of a breach... While 28 percent say there is nothing their provider could do that would convince them to stay, the greatest percentage of our respondents (37 percent) would stick with their doctor if they provided specific examples of how the practice’s security policies and procedures had improved after the breach."

Patients were especially likely to switch health care providers if the breach was caused by staff members. Good. It's one way to hold health care providers accountable when they fail to protect patients' sensitive medical information. And, good data security and privacy makes for good health care practices. After a data breach, it is even more important for health care providers to perform explicit actions to regain patients' trust.

Informed consumers know that their medical information is very valuable to criminals. How valuable? The Pittsburgh Post-Gazette reported:

"The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud... Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care... Hackers also can comb through clinical information, looking for material to blackmail wealthy or powerful patients..."

The newspaper described the troubling history and increasing number of data breaches in the health care industry:

"In 2011 and 2012, combined, there were 458 big breaches involving a total of 14.7 million people, according to the federal Department of Health and Human Services. In 2013 and 2014, there were 528 involving 19 million people. Around 10 percent of breaches stem from hacking, while around half are physical thefts of records or computers. The rest are inadvertent losses, unauthorized disclosures or improper disposals of health information."

You can browse details about many of those breaches in this blog. Select "Medical Fraud" or "Health Care/EHR" in the categories tag cloud on the right.

Another privacy threat for consumers is when non-covered entities, like social networking websites and fitness apps, collect medical and health information. Consumers don't realize that when they share personal medical information with non-covered entities, they lose HIPAA privacy and data security protections.

Who are these non-covered entities? The Privacy Rights Clearinghouse website provides a good description of HIPAA Basics, including:

"Here are just a few examples of those who aren’t covered under HIPAA but may handle health information: life and long-term insurance companies; workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities); agencies that deliver Social Security and welfare benefits; automobile insurance plans that include health benefits; search engines and websites that provide health or medical information and are not operated by a covered entity; marketers; gyms and fitness clubs; direct to consumer (DTC) genetic testing companies; many mobile applications (apps) used for health and fitness purposes; those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions; certain alternative medicine practitioners; most schools and school districts; researchers who obtain health data directly from health care providers; most law enforcement agencies; many state agencies, like child protective services; courts, where health information is material to a case"

So, the next time you hear a corporate apologist claim that breaches at health care providers don't matter, you now know how ridiculous that claim is. Breaches matter to patients. Hence, they matter. Period. No excuses. If health care entities archive data in cloud services, they'd better protect it and commit sufficient resources. Smart health care providers listen to their patients' needs. Woe to those that don't.

What are your opinions of the survey?

Anthem Breach Update: Free Services For Consumers Affected, Class Action Lawsuits

Anthem, Inc. has announced that it will provide 24 months of free identity-theft repair and credit monitoring services for victims of the health care insurer's massive data breach announced on Friday, February 6, 2015. In its latest announcement, Anthem stated that breach victims include both current and former customers as far back as 2004. It also said:

"This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, Unicare and HealthLink. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Virginia, and Wisconsin."

Founded in 2004, AllClear ID, Inc. is headquartered in Austin, Texas. In 2012, Debix changed its company name to AllClear ID. Experts predict that the data breach could cost Anthem $100 million or more. Earlier this month, the Attorneys General in 10 states sent a joint letter to Anthem urging it to step up its post-breach response and notices to breach victims. Connecticut Attorney General George Jepsen said on February 10:

"My office has been flooded with phone calls from concerned Connecticut residents who are frustrated with the lack of information from Anthem, and their feelings are completely justified... Anthem started out well by publicly disclosing the breach relatively quickly, but its subsequent delay in providing information to affected individuals is flatly unacceptable."

Attorneys general from Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island signed the joint letter. On February 11, John Shegerian, Chairman and CEO of Electronic Recyclers International (ERI), warned health care companies to better protect consumers' sensitive information:

"This is more than a simple invasion of privacy, although it is that as well... With the theft of medical records comes a whole new host of problems and concerns, perhaps even worse than other forms of cybercrime. Whereas credit card fraud may be corrected in a relatively straightforward manner, it can be tougher to identify that medical data has been breached. Maximum insurance payout limits may be reached as a result of fraudulent claims, and this might only be discovered when a consumer's claims for legitimate services are denied. Plus, there’s the problem that people’s private health information and medical records are out there and vulnerable, which undoes everything the HIPAA Privacy Rules were designed to protect."

ERI processes the electronic waste produced by health care and other companies. Several class-action lawsuits have already been filed:

  • Aswad Hood v. Anthem, Inc., No. 2:15-cv-00918 (Adobe PDF). Filed Feb. 9, 2015. U.S. District Court, Central District of California
  • Samantha Kirby v. Anthem Inc. et al., No. 2:15-cv-00820. Filed Feb. 5, 2015. U.S. District Court, Central District of California
  • Danny Juliano v. Anthem Inc., No. 2:15-cv-00219. Filed Feb. 5, 2015. U.S. District Court, Northern District of Alabama.

Anthem has arranged for services provided by AllClear ID. No enrollment is necessary. Breach victims who have already experienced fraud and financial theft receive the free AllClear Secure identity repair service. To use these services:

"... call 877-263-7995 and a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition. Call centers are open Monday to Saturday from 9 a.m. to 9 p.m. ET. From Monday, Feb. 16 to Friday, Feb. 20, the call center will be open extended hours from 9 a.m. to 11 p.m. ET."

Breach victims who also want the AllClear PRO credit monitoring and insurance services should call 877-263-7995 or enroll online at https://anthem.allclearid.com/. Some breach victims are children under the age of 18. Anthem has also arranged for AllClear ID ChildScan services. See the Anthem Breach FAQ page for details.

Massive Data Breach At Anthem Affects 80 Million People. Latest In A Series Of Incidents

On Friday, Anthem, Inc. announced that identity thieves had gained unauthorized access to its computer network and stolen the sensitive personal information of patients and staff. Joseph R. Swedish, the President and CEO, stated in a letter to its members that the data elements compromised included personal information about:

"... current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data... Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."

Affected patients included the following health care plans: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare. BlueCard members were also affected. While the Anthem breach notice did not mention 80 million affected patients, several news sources mentioned that statistic, including the Los Angeles Times and Forbes.

Anthem said it took steps to fix and close the data breach. It contacted the Federal Bureau of Investigation (FBI), and hired Mandiant, a respectable computer security firm, to evaluate its computer systems, networks, and data security processes. The health care provider launched the Anthem Facts website to keep members informed about the data breach and answer many questions. The site includes Mr. Swedish's breach notification letter. Members with questions can call the health care provider at 1-877-263-7995.

This is a massive data breach, and it is bad news for several reasons. First, the data elements stolen are sufficient to allow criminals to commit financial fraud using the victims' identities. To the good, Anthem stated it will contact affected members and provide free credit monitoring services. However, the health care company's announcement did not state the number of years of complimentary credit monitoring services. Many companies provide one or two years, even though the stolen information retains value for a far longer period.

Second, since e-mail addresses and names were stolen, it means that breach victims are at risk of receiving e-mail spam and phishing attacks as the hackers resell the stolen data to other criminals worldwide. The FAQ page in the Anthem Facts site acknowledged this risk and advised members to:

"... be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem. DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open if you have clicked on a link in email. DO NOT open any attachments that arrive with email."

Anthem also confirmed this in several tweets:

Anthem tweets about phishing.

Opening e-mail attachments from unknown persons can spawn computer viruses and malware on your desktop, laptop, tablet, or smart phone. So, it is wise to learn how to spot phishing e-mails. There is plenty of information in this blog.

Third, security experts are concerned that Anthem applied data encryption only to information during transit and not while it was "at rest" and stored in databases. Forbes reported:

"Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information... The Health Insurance Portability and Accountability Act, known more commonly under its acronym “HIPAA,” doesn’t require health care companies to encrypt such data."

Fourth, it is good that Anthem has hired a reputable, skilled computer security firm to help it understand exactly how the breach occurred and then apply the necessary fixes. After studying several breaches and companies' post-breach actions during the 7+ years I've written this blog, I've noticed that post-breach fixes don't happen quickly. The breach investigation takes time. Hence, you see in the announcement cautious words, such as "Based upon what we know now." The fixes often include a mixture of technical solutions and staff training. During the coming months we will see how transparent Anthem will be with sharing data about the breach and the fixes it applies to its networks, computers, and staff training.

The fact is: there is nothing to stop criminals from repeatedly attacking the company's networks. Hopefully, Anthem will implement fixes fast enough and sufficient enough to both identify and thwart future attacks.

Fifth, and perhaps most troubling, is the history of data breaches at Anthem. Anthem, Inc. was formed in 2004 with the merger of Anthem and WellPoint Health Networks. The company changed its name from WellPoint to Anthem in 2014. A March 2008 WellPoint breach affected 130,000 patients, and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.

In 2011, WellPoint settled data security allegations with the State of Indiana Attorney General after a data breach during 2009-10 affected 32,000 Indiana residents. A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide. WellPoint made a $100,000 payment to the state.

In 2013, WellPoint paid $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules:

"The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule."

Sixth, in its breach notice, Mr. Swedish said:

"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data... I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."

The health care company's history suggests otherwise. Safeguarding patients' data may not be a top priority. An apology is nice, but actions speak louder than words. In 2012, Anthem settled a lawsuit with the Office of the California Attorney General. Terms of the settlement included a $150,000 payment, technical fixes to its computer networks, restricting access only to certain employees, and data-security training of all employees. Anthem allegedly printed Social Security numbers on letters it mailed to more than 33,000 persons between April 2011 and March 2012; a clear privacy and data security no-no. The lawsuit claimed that this practice violated state law prohibiting the disclosure of Social Security numbers. After that 2012 breach, Anthem offered affected members one year of free credit monitoring services.

The latest data security lapse at Anthem/WellPoint causes one to wonder if data security is truly a top priority, if the state-of-the-art systems Mr. Swedish described have truly kept pace with Internet and software developments, and if adequate employee training about data security stopped after terms of the 2012 settlement were fulfilled.

While writing this blog, I have learned that identity criminals are both creative and persistent. The "bad guys" possess the same computer skills and equipment as the "good guys." In my opinion, repeated security lapses will stop only when company executives go to prison. Fines are not enough.

What are your opinions of the Anthem breach? Of the company's statements and actions so far? If you receive a breach notice from Anthem, please share details (but exclude any information that would further compromise the security of your personal information).

Ebola And Leading Death Causes Highlight Bigger Issues Facing the USA

The Ebola virus disease has been in the news. And, everyone seems worried. We all may be worried about the wrong stuff. ProPublica reported in September 2013:

"... a study in the current issue of the Journal of Patient Safety that says the numbers may be much higher — between 210,000 and 440,000 patients each year who go to the hospital for care suffer some type of preventable harm that contributes to their death, the study says. That would make medical errors the third-leading cause of death in America, behind heart disease, which is the first, and cancer, which is second."

I'll bet you didn't know that so many people die every year from medical errors. Below is the ranked list of causes of death in 2011 in the U.S.A. published by the Centers for Disease Control and Prevention (CDC):

  1. Heart disease: 596,577
  2. Cancer: 576,691
  3. Chronic lower respiratory diseases: 142,943
  4. Stroke (cerebrovascular diseases): 128,932
  5. Accidents (unintentional injuries): 126,438
  6. Alzheimer's disease: 84,974
  7. Diabetes: 73,831
  8. Influenza and Pneumonia: 53,826
  9. Nephritis, nephrotic syndrome, and nephrosis: 45,591
  10. Intentional self-harm (suicide): 39,518

440,000 deaths per year from medical errors easily captures the number 3 spot. As bad as this is, sadly there is more.

On Friday October 17, professor and former U.S. Labor Secretary Robert Reich posted on his Facebook page (link added):

"The failures at Dallas Presbyterian Hospital reflect a much bigger problem. According to the US Centers for Disease Control and Prevention, hospital-acquired infections now affect one in 25 patients, causing 99,000 deaths each year. That’s 1 out of 4 deaths in hospitals -- more deaths than caused by many of the conditions that lead patients to enter hospitals in the first place..."

Hence, a more accurate ranked list of leading causes of death would include both medical errors and hospital-acquired infections:

  1. Heart disease: 596,577
  2. Cancer: 576,691
  3. Medical errors: 440,000
  4. Chronic lower respiratory diseases: 142,943
  5. Stroke (cerebrovascular diseases): 128,932
  6. Accidents (unintentional injuries): 126,438
  7. Hospital-acquired infections: 99,000
  8. Alzheimer's disease: 84,974
  9. Diabetes: 73,831
  10. Influenza and Pneumonia: 53,826
  11. Nephritis, nephrotic syndrome, and nephrosis: 45,591
  12. Intentional self-harm (suicide): 39,518

With leading causes of death like these, the calls by politicians to ban flights from West Africa seem to miss the point. So much for American exceptionalism. Mr. Reich explored the problem further:

"... hospital administrators don’t have much incentive to improve. Most people have no idea of the infection rate at any given hospital, and don’t ask their doctors. If a hospital’s infection rate goes down the hospital doesn’t get more patients, and if it goes up the hospital doesn’t get fewer. (In fact, it might even make money because it can then increase its billing.) Bottom line: The CDC should require hospitals to report their infection rates into a common database that you have access to, and you should consult it before choosing a hospital for yourself or a loved one."

Now, that proposal makes sense. It allows consumers to make informed decisions about where to seek health care.

What are your opinions of the leading causes of death? Is the country focused on the right problem? Have you asked your physician about hospital infection rates?

I Surf, Therefore I am Vulnerable

Profile page at social weight-loss site.

[Editor's Note: today's post is by R. Michelle Green, a frequent guest author. She is the Principal for her company, Client Solutions, and a combination geek girl, personal organizer, and career coach. Today, she shares her experiences with maintaining privacy online, especially at social networking sites that ask users to share health and fitness data.]

By R. Michelle Green

I recently watched a 60 Minutes report called The Data Brokers, about companies that gather our personal information from the net and sell it. If you haven’t seen it, it’s worth your time. I spent the next several minutes thinking about the information I share, and the trade-offs I know I make.

I have two Google Mail accounts, for example. I consciously work to limit its access to all of me, using different browsers for the different Gmail accounts. I don’t stay logged in if I’m not actively reading or sending emails. Google treats me differently depending on which account I’m using (check it yourself – I got different results for the same search request) so my little efforts are not wasted. I know it’s a losing battle, but I make the effort.

I am not a power Facebook user. I Liked a couple of shows, but I play no games, and resist its use for birthdays, reminders etc. The site patiently and relentlessly reminds me that my profile is only 55% complete. It’ll stay that way if I have anything to do with it. (Why do they need to know where I was born? Or my elementary school? Please…) And the very idea of using my Facebook login credentials to log into other sites makes me twitch.

My ruminations led me to identify one site with a great deal of info about me that I had not scrutinized at all. My nutritionist requires me to journal my food intake at a free online weight-loss site offering coaching, motivational support, and analytic tools. This is not meant to be a review of the site, but rather the actions I took (and DIDN’T take) in using it.

While I consider myself pretty thoughtful about my net use (I actually do read most EULAs and TOCs), I realized I’d never tried to read this site’s. Like many sites that offer more choices as you scroll down, there never seemed to be a bottom to the main page. Only through intense perseverance (i.e., holding the page down button for several seconds) did I find links to a Privacy Policy and the Terms and Conditions.

The good news – the site manages the info well. They retain it, they do not sell it, and they are careful to distinguish between Private User Generated Content (available only by log-in) and Public User Generated Content (visible on the public Community pages). Once you find one governing document, big ad-sized icons lead you to the other documents that control one’s use of the site. It also encourages people to read this info, with participation points (e.g., points users can earn by participating in the site's loyalty program) available at the bottom of each agreement. They even offer advice about how to surf the internet safely.

The bad news – I didn’t see any printer-friendly protocols for these agreements. Like many sites, they permit 3rd-party advertisers to offer you ads targeted to the content you are posting. They do not mention specifically the names of parties with whom they share information – but DoubleClick (now a Google subsidiary) is mentioned as their 3rd-party advertising partner. And like many sites, even when you do have choices about how your info is used, the default skews to the site’s benefit, as the user can only opt out after the fact. Some of you have heard about Personal Health Information (PHI) here on this blog, with articles as far back as 2011. The term is never mentioned on my site, perhaps because they are careful to say that they are not dispensing medical advice, only offering tools for users’ convenience. And those tools have helped many people live healthier and stronger lives. For free? And with the site’s assertion that even if the site is purchased by some other entity, these rules will still apply? Not too shabby.

But I should have checked all that stuff first, back in 2012.

Now I only wrote down what I ate. But even just knowing the food I eat could be descriptive of very specific illnesses or syndromes. The site is available both via browsers and mobile apps. If I really fully used the site, I could be sharing my exercise routine and location, my psychological attitudes about myself, my meals, and/or my moods, and more. The site would have access to my conversations with others on the site. It would have access to what it calls user generated content (recipes, comments on restaurants, or other activities associated with participation in the online "Community"). That’s when it starts getting scary to me.

I’ve accepted that more info than I prefer is out on the net and out of my hands, but I’m not fully abdicating control. The keys, IMHO, to negotiating the compromises required to benefit from our digital technologies?

A) Read the terms and the privacy clauses of any site or application you routinely use. Review them periodically – they can and will change them, as Facebook has demonstrated.

B) Read the manuals of the mechanisms that you use to access the 'net, be they desktops, laptops or mobile devices like tablets, smartphones, etc.

C) Know how to disable your device’s location tracking. Know what your apps are broadcasting, and what it takes to control them.

D) Take advantage of the apps or software available to maximize your control and minimize 3rd-party controls. The program I’m most curious about after watching the 60 Minutes report is Disconnect. This software permits you to see in real time the numerous parties watching your web interactions, and reveals what information they are gathering in the process.

E) Don’t make it easy for them! For example, don’t use your Facebook log-in to join some other site. My choice with Facebook? I log in, enjoy, and log off when I’m done. I never leave it on continually in the background. (Apparently I am congenitally immune to FOMO.)

Pew research back in 2011 noted that the more time you spend on social networking sites, the more trusting you are. (Beware confusing correlation with causation!!) Since I’m unwilling to be Travis McGee and live off the grid, I’m always looking for new tools that make my life easier. Perhaps you’ll share with me some of your favorite ways to negotiate a path between eschewing the use of the net completely, and passive ignorance about the loss of privacy.

Breach At Community Health Systems Affects 4.5 Million Patients Nationwide

Community Health Systems, Inc. (CHS) announced a data breach that affected 4.5 million patients nationwide. Breach victims are patients who have done business with any CHS hospitals, or whose physicians are associated with CHS hospitals. CHS said on its website that it includes 206 affiliated hospitals in 29 states, with 135,000 employees and 22,000 physicians.

CHS believes the attack, by hackers from China, occurred between April and June of 2014. Sensitive personal data elements stolen included patient names, addresses, birth dates, telephone numbers and Social Security numbers. This means that breach victims are vulnerable to identity theft and fraud, since the data elements stolen are sufficient for thieves to apply for and/or open fraudulent credit accounts and loans. The only good news was that the breach did not include patients' medical records or payment information (e.g., credit/debit cards).

CHS has notified federal law enforcement agencies and (links added):

"... engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."

CHS is notifying breach victims, and will offer identity theft protection services. The announcement did not specify which, if any, data elements were encrypted. Usually, breach announcements state which items were encrypted. Hopefully, future announcements will provide the necessary details.

I browsed the CHS site Monday afternoon expecting to see a notice on the site about the breach. I didn't see one. Maybe it is there and hidden. For context: after its massive breach, Target provided a notice and link on its home page for affected breach victims to easily access important information. CHS needs to do the same.

What's even more troubling is that the Social Security numbers weren't encrypted by CHS. How do I know this? The HIPAA Breach Notification Rule governs when hospitals must disclose data breaches. It says in part (links and bold text added):

"Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance... The guidance... specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information."

In other words, if CHS had encrypted the information stolen, it probably would not have had to issue a breach notification (and incur the related costs). Since it did issue a breach notification, I conclude the data elements stolen -- especially Social Security numbers -- were not encrypted. Even though credit card data wasn't stolen in the breach, this makes one wonder if this payment information is encrypted. Hopefully, CHS will say more soon about what data is encrypted; and why or why not.

While browsing its website, I learned that CHS confirmed in an August 4 press release that it had:

"... resolved the investigation by the U.S. Department of Justice into short stay admissions through emergency departments at certain affiliated hospitals. The parties have entered into a settlement agreement, which concludes the government’s review into whether these 119 hospitals billed Medicare, Medicaid and TRICARE for certain inpatient admissions from January 2005 to December 2010 that the government believed should have been billed as outpatient or observation cases... Under the terms of the agreement, there is no finding of improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing. The Company has agreed to pay $88,257,500 in resolution of all federal government claims, including Medicare, TRICARE and the federal share of the Medicaid claims, and an additional $892,500 to the states for their portions of the Medicaid claims."

To see if your hospital was affected, browse the list of CHS locations by state. Have you received a breach notice from CHS? What are your opinions of the notice? Of the identity theft protection services offered?

U.S. Senator Asks FTC To Require "Opt-Out" Mechanism With Fitness Apps For Privacy

U.S. Senator Charles Schumer (D-New York) warned of the privacy threat to consumers from fitness apps that collect and share consumers' sensitive fitness and health data with third parties -- without notice or consent. In an August 10th news conference and press release, the Senator expressed his privacy concerns:

"... personal health and fitness data – so rich that an individual can be identified by their gait – is being gathered and stored by fitness bracelets like ‘FitBit’ and others like it, and can potentially be sold to third parties, like employers, insurance providers and other companies, without the users’ knowledge or consent. Schumer said that this creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned, and GPS locations. Users often input private health information like blood pressure, weight and more...."

While the Senator believes that fitness apps are an effective and helpful technology for better health, the privacy concerns are compounded by the fact that:

"There are currently no federal protections to prevent those developers from then selling that data to a third party without the wearer’s consent. Schumer therefore urged the Federal Trade Commission (FTC) to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information."

A March 3, 2014 blog post explored the massive data collection by Facebook via several fitness apps. The Senator's privacy concerns are valid since we already know that at least one credit reporting agency wants access to consumers' data collected by Facebook and other social networking services. News organizations have widely reported about several problems in the credit reporting industry: failures to fix errors in the reports they sell, data breaches, and settlement agreements about alleged improper list sales.

Fitbit updated its privacy policy on August 10. The relevant sections about data sharing:

"What Data May be Shared With Third Parties?
First and foremost: We don’t sell any data that could identify you. We only share data about you when it is necessary to provide our services, when the data is de-identified and aggregated, or when you direct us to share it."

The Fitbit Privacy Policy distinguishes between collected data that can identify you and data that cannot:

"Data That Could Identify You: Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you. We will only share PII data under the following circumstances: With companies that are contractually engaged in providing us with services like order fulfillment, email management and credit card processing... If we believe, after due consideration, that doing so is reasonably necessary to comply with a law, regulation, or valid legal process. If we are going to release your data, we will do our best to provide you with notice in advance by email, unless we are prohibited by a court order from doing so... If it is necessary in connection with the sale, merger, bankruptcy, sale of assets or reorganization of our company, your PII can be sold or transferred as part of that transaction as permitted by law. The promises in this Privacy Policy will apply to your data as transferred to the new entity."

Other ways your sensitive data at Fitbit might be shared:

"Other Ways You Might Share Your Data
Default Visibility Settings -- The privacy settings on new Fitbit accounts are set to reveal minimal data about you with the purpose of getting you active and involved with Fitbit...
Fitbit Social Tools -- Fitbit provides many ways for you to share data with other Fitbit users, such as with the 7-day Leaderboard, Challenges, or by posting comments to the Fitbit community message boards. When you interact with others in these ways, you will be displaying your data based upon the visibility settings in your User Account privacy settings...
Community Posts -- To post to Fitbit community message boards, you’ll be asked to create a community username that’s separate from your Fitbit username. This community username will be posted next to any comments you publish on community message boards. Other information, like a profile photo that you’ve added to your Fitbit account may also be visible on message boards, depending on your Fitbit account settings.
Contests and Giveaways -- Fitbit may offer opportunities to participate in contests, giveaways and other promotions. Any data you submit in connection with these activities will be treated in accordance with this Privacy Policy, unless the rules for those offers notes otherwise."

So, a Fitbit user interested in maintaining as much privacy as possible should: a) read the service's main policies (e.g., terms and conditions, privacy policy); b) read the rules or policies for any special programs such as contests; c) read the rules and avoid any of the above sharing options; and d) be extremely careful about what you share in any community posts and social tools.

After reading the Fitbit privacy policy, there seem to me to be four concerns. First, I noticed that the policy never listed the third parties, by company name, with whom data is shared. So, even if consumers know what data is being shared, they still don't know with whom. This is a common problem on the Internet, not just with fitness apps or sites.

Second, Fitbit does not honor Do Not Track browser settings:

"Although we would like to honor the browsers set with a “Do Not Track” signal, we are currently unable to honor those signals. We believe that consumers should exercise choice regarding the collection of this type of data, which is why we disclose the cookies used and provide links to opt-out of those collection practices below."

So, the burden is on the consumer to pay close attention. This brings us to my third observation: the policy does not offer a global opt-out of all data sharing, which Senator Schumer called for. A global opt-out mechanism would make it easy for consumers to ensure that no sensitive health and fitness data is shared with third parties. Instead, the burden is on users to wade through every program, site feature, and mobile app feature and its corresponding rules or policies.

Fourth, the Fitbit policy doesn't indicate what is stored in cloud services, meaning on computers hosted by third-party companies. My March 3, 2014 blog post explored the privacy policies of other fitness apps, and some of them mention cloud services. To be informed shoppers, consumers must think about this in the context of the specific mobile platform (e.g., Apple iOS, Android, etc.). Whatever is transmitted through your mobile device potentially could be shared with the manufacturers of that device, its operating system, and the telephone company.

What are your opinions about the privacy of fitness apps?

Florida Enacts Stronger Security And Data Breach Notification Law

On June 20, 2014, Florida Governor Rick Scott signed into law the “Florida Information Protection Act of 2014" (FIPA). FIPA went into effect on July 1, 2014. The positive elements:

  1. The entity must notify both affected customers and the Florida Department of Legal Affairs (DLA) when a breach occurs.
  2. Notice must be given within thirty (30) days after the breach is discovered or occurred, unless law enforcement warrants a delay. The previous law specified 45 days.
  3. The DLA now has the authority, under the Florida Deceptive and Unfair Trade Practices Act, to civilly prosecute violations.
  4. Failure to provide timely notice can result in civil penalties applied to violators.
  5. Covered entities include both commercial entities (e.g., corporations, sole proprietors, partnerships, associations, trusts, estates), and state government agencies. However, state agencies are exempted from civil penalties for failing to provide timely notice.
  6. Notice must be given for a breach affecting 500 or more persons in the State of Florida.
  7. The law requires outsourcing companies (e.g., "third-party agents") to notify their hiring entity within ten (10) days after the breach is discovered or occurred.
  8. The law requires outsourcing companies, contracted with by covered entities to maintain, process, and store personal information, to take "reasonable measures to protect and secure data in electronic format" for personal information.
  9. The new law expanded the definition of personal information to include a user name or e-mail address in combination with a password or security question used to access an online account.
  10. Covered entities are exempted from providing notice to affected persons individually and can provide notice via ads online or in print, if one of the following conditions applies: the cost of notifying persons individually would exceed $250k, there are more than 500k persons affected, or the covered entity lacks both e-mail and snail-mail addresses.
  11. By February 1st of each year, the DLA must submit an annual report of breach notices received.

The not-so-good elements of FIPA:

  1. The law defines a "data breach" in terms of files in electronic format, and seems to ignore breaches involving paper files.
  2. The law seems vague about whether notice is required for breaches affecting fewer than 500 persons in Florida but more persons in other states. A better law would have stated 500 persons regardless of their location.
  3. While the law requires both physical and electronic customer records to be disposed of in a way that prevents personal information from being disclosed, government entities are exempted from this provision.
  4. The law seems vague on what constitutes "reasonable measures to protect and secure data in electronic format" for personal information. Some states' security and breach notification laws have specified encryption.
  5. The law does not create a private right of action.
  6. The law provides an exemption if there is a determination of no fraud or financial harm:

"... notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination."

47 states now have passed, amended or proposed data breach notification laws. Shame on the three laggards. I applaud Florida officials for strengthening their state's privacy and data breach notification law, but wish they'd gone further and addressed the above not-so-good items.

View the full text of FIPA (Adobe PDF). Read the summary of FIPA by Martindale.

What are your opinions of FIPA?

ID Experts Introduces Medical Identity Theft Service To Detect And Lower Health Care Fraud

Just before the holidays, ID Experts Corporation introduced Medical Identity Alert System (MIDAS), a new service to help health care plan providers, employers, and consumers prevent and reduce medical identity theft and fraud. The F.B.I. estimated health care fraud at $80 billion each year. The 2013 Survey on Medical Identity Theft by Ponemon found:

"... most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission."

About 1.84 million people in the USA are currently affected by medical identity theft and fraud. This can lead to misdiagnoses, mistreatments, delayed treatments, and wrong prescription medications. Only 54 percent of patients review the Explanation of Benefits (EOB) statements from their health care providers.

MIDAS uses real-time text messages and emails to alert users when a healthcare transaction is submitted to their health plan. The alert links to a secure website where the member can validate the transaction, or flag it as “suspicious.” Then, MIDAS resolution experts follow up on the flagged transactions.

The MIDAS website lists several benefits:

  • Lowers health care costs
  • Detects health care fraud and medical identity theft
  • Engages patients for Affordable Care Act (ACA) compliance
  • Uses proven fraud reduction strategies
  • Simple yet powerful
  • Accessible from anywhere with an Internet connection
  • Service is backed by experienced identity protection experts

Bob Gregg, CEO of ID Experts said:

“Consumers have easy access to their personal financial data yet their medical care transactions are a closed door... MIDAS will change this by bringing transparency to healthcare transactions, engaging members as the first line of defense in protecting their identities and uniting health plans with their members to combat fraud.”

PHIprivacy investigated the service, and reported that ID Experts does not share MIDAS users' information with other companies.

This service appeals for three reasons:

  1. Lowering health care fraud should translate into lower health care costs and premiums for consumers,
  2. Most credit-monitoring solutions focus only upon financial transactions, and do not cover or monitor for medical identity theft and fraud, and
  3. MIDAS can help more patients review their medical transactions; something experts advise patients to do, just as financial institutions and credit reporting agencies advise consumers to review their accounts and credit reports for fraud.

Note: this is not an endorsement. It is simply a news article to inform readers of a new service. I do not have any arrangements or relationship with ID Experts. If you subscribe to MIDAS, please share your opinions and experience below.

7 Interesting Statistics About Trust From The Latest AP Survey Of Americans

Recently, the Associated Press (AP) released the results of its latest survey about selected institutions Americans trust, or don't trust. The Associated Press-GfK survey was conducted October 3-7, 2013 by GfK Public Affairs & Corporate Communications, a division of GfK Custom Research North America. The poll included a national, representative sample of 1,227 persons ages 18 or older.

If you use social networking websites (e.g., Facebook, Pinterest, Google+, Twitter, Instagram, Linkedin, SnapChat, etc.), you will want to pay special attention to item #5 below. The survey asked participants to state how much they trust other people in certain situations. That trust level could be "a great deal," "quite a bit," "not too much," and "not at all." Key survey results:

  1. 81 percent of survey respondents trust the government in Washington, DC to do what is right only some of the time. Only 2 percent trust Washington all of the time.
  2. 50 percent of survey respondents trust "a great deal" or "quite a bit" people who handle their medical records at a hospital or doctor's office
  3. 47 percent of survey respondents trust "a great deal" or "quite a bit" people who prepare their food when they eat out in restaurants
  4. 41 percent of survey respondents trust "a great deal" or "quite a bit" people they hired to come into their homes to do work
  5. 38 percent of survey respondents trust "a great deal" or "quite a bit" people who they have shared photos, videos, and other information with at social networking websites
  6. 30 percent of survey respondents trust "a great deal" or "quite a bit" people who swiped their debit/credit cards when making a purchase in retail stores
  7. 21 percent of survey respondents trust "a great deal" or "quite a bit" other automobile drivers when they are driving, walking, or bicycling

Item number five makes one wonder why so many people use social networking websites when so few trust the "friends" they are connected with. Very interesting. Maybe, Americans are just a mistrustful and wary bunch. Or maybe, we've been burned previously by people or companies that abused their trust.

Some descriptive information about the survey participants:

  • 46 percent live in the suburbs, 26 percent in urban areas, and 25 percent in rural areas
  • 83 percent reported that they have health care insurance: private or public. Of those that have health care insurance, 54 percent have it through an employer, 21 percent through Medicare, 7 percent through Medicaid, 6 percent through private insurance they purchased on their own, and 11 percent through "something else"
  • 34 percent reported that somebody in their household owns a gun
  • 49 percent reported that they work as employees, 18 percent are retired, 9 percent are unemployed and looking for work, 7 percent are self-employed, 6 percent are disabled, and 1 percent are temporarily laid off from a job

Trust questions the survey didn't ask which I wish it had asked:

  • How much would you trust other people at banks to protect your financial information and provide unbiased answers to your questions?
  • How much would you trust other people at Internet service providers (ISP's) to protect your personal information?
  • How much would you trust other people at credit monitoring agencies to protect your credit reports and provide accurate information?
  • How much would you trust other people at software companies to provide effective anti-virus solutions that protect your computers and mobile devices?
  • How much would you trust other people at telephone and telecommunications companies to protect your sensitive phone call and geo-location information?
  • How much would you trust other people at companies to provide complete and accurate policy statements (e.g., terms of usage, privacy) about their websites or mobile apps?
  • How much do you trust other people to use wearable computers (e.g., Google Glass) with maturity and respect for your privacy?
  • How much would you trust other people at retail websites to deliver your purchases via drones to your home?

Learn more about AP-GfK surveys, or download the AP-GfK survey results (Adobe PDF).

Federal Health Care Portal Experienced Ongoing Cyber Attacks By Hackers

On Thursday, the Free Republic reported that during Congressional testimony before the House Homeland Security committee:

"... Roberta Stempfley, acting assistant secretary of the Department of Homeland Security’s Office of Cyber-security and Communications, who confirmed at least 16 attacks on the Affordable Care Act’s portal Healthcare.gov website in 2013..."

Watch video of Stempfley's testimony. There were several types of attacks, including one attempted:

"... Distributed Denial of Service (DDoS) attack. A DDoS attack is designed to make a network unavailable to intended users, generally through a concerted effort to disrupt service..."

The hackers or groups sharing the DDoS software tools were described this way:

"...Right wingers have been distributing the link to the necessary tools to perform the attacks on the Healthcare.gov website through social networking, as pointed out by Information Week, and other websites. The name of the attack tool is called, "Destroy Obama Care!""

The Information Week article reported:

"What of the "Destroy Obama Care!" tool's premise that it allows users to exercise their right to civil disobedience? On this front, the tool's author has read his or her U.S. legal code incorrectly. Indeed, U.S. law enforcement agencies have vigorously prosecuted people who launch DDoS attacks against any website."

It'll be interesting to see who is prosecuted and jailed for this. Whether or not you agree with the Affordable Care Act, it is law. It is hypocritical to criticize something for its availability failures while silently and simultaneously hacking it. Shameful.

[Correction: An earlier version of this article linked to a news story at the Examiner(dot)com site. Since that site and article have been removed online, they were replaced with a link to the Free Republic, which replicated the news story. The Aegis Cyber Security site also reported the hacking attempt.]

Johnson & Johnson to Pay $2.2 Billion to 46 States To Settle Alleged Unfair Marketing

On Monday, the California Attorney General announced a settlement with Johnson & Johnson regarding alleged unfair marketing practices by its Janssen Pharmaceuticals subsidiary. About 45 other states participated in the $2.2 billion settlement. California's share of the settlement is $89 million.

The settlement resolved allegations of:

"... unlawful marketing practices, including off-label promotion and kickbacks, to promote the sales of [Janssen's] atypical antipsychotic drugs, Risperdal and Invega... As part of this global resolution, the companies have agreed to resolve civil liabilities for their alleged unlawful conduct, which caused false and/or fraudulent claims to be submitted to Medi-Cal and improper Medi-Cal purchases..."

Terms of the settlement require the companies to compensate the Medicaid programs. The companies will pay $1.114 billion as the combined federal and states' share of the civil settlement for both drugs. The California Department of Health Care Services will be reimbursed for $44.5 million in losses from the fraud. The remainder will pay for Medi-Cal fraud and enforcement efforts. Also:

"Janssen Pharmaceuticals, Inc. plead guilty to a criminal misdemeanor charge of misbranding Risperdal in violation of the Food, Drug, and Cosmetic Act. As part of the criminal plea, Janssen has agreed to pay an additional $400 million in criminal fines and forfeitures."

California Attorney General Kamala Harris said about the settlement:

"Motivated by profit, these companies made false claims that jeopardized the health of California's most vulnerable patients, including children and senior citizens—and left California taxpayers with the bill... Today's record settlement reinforces the California Department of Justice's commitment to rooting out this kind of greed..."

Some of the other state attorneys general that announced this settlement include those of Florida, Maryland, Massachusetts, and New York.

On the same day, Johnson & Johnson and two of its subsidiaries (Janssen Pharmaceuticals and Scios, Inc.) announced that the settlement agreement included 45 states plus the U.S. Justice Department. This resolved allegations about the marketing of Invega, and of Natrecor by Scios Inc., plus allegations about Janssen's interactions with Omnicare, Inc., a pharmacy services company.

Data Breach At California Hospitals Put Sensitive Health Information of 729,000 Patients At Risk

A data breach at the AHMC Healthcare hospital group earlier this month has placed the sensitive health information of 729,000 patients at risk. The breach occurred when two laptop computers were stolen from an administration building in San Gabriel Valley.

The theft was recorded on video on October 12, and it was discovered on October 14. The breach victims were patients at several AHMC hospitals: Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center.

According to the October 21 breach announcement (Adobe PDF), the theft included patient records with the following data elements: patient names, Medicare and healthcare insurance identification numbers, diagnosis and medical procedure codes, and insurance payment information.

The hospital group is investigating the breach and has hired a vendor to assist. The breach announcement did not disclose what steps the hospital group will take to avoid future thefts like this.

A breach like this makes one wonder why so many patient records were stored on two laptop computers.

IBM To Move 110,000 Retirees From Its Sponsored Health Care Plan To Private Exchanges. Other Companies Plot Similar Moves

Earlier this week, IBM announced that it will move about 110,000 Medicare-eligible retirees from its current company-sponsored health plan to private health care insurance exchanges. Retirees will receive payments toward the cost of health care purchased through the exchanges.

While IBM denied that costs were the reason for the move, the news report stated that experts estimate Medicare costs will triple by 2020. So, while the move may not save IBM any money today, the company's decision seems clearly cost-related -- to save itself money in the future.

Reportedly, the new plan for IBM retirees will start January 1, 2014. According to the Chicago Tribune:

"IBM also said it was hosting meetings with groups of retirees across the country to inform them about the move to the country's largest private Medicare Exchange. While some retirees may be skeptical, studies showed that the majority of people have a more positive outlook once they were presented with the concept and understood the options available to them through these exchanges..."

Health care exchanges were created under the 2010 Affordable Care Act. At many health care exchanges, open enrollment will begin on October 1, 2013. A health care exchange is:

"... a regulated marketplace where consumers can more easily compare insurance plans through the Internet, on the phone, or through an official helper, called a "navigator." Consumers can also find out if they qualify for Medicaid -- the jointly run federal/state health care program for the poor -- or for federal subsidies to help pay for the insurance... They are for small businesses and people who don't have access to affordable insurance through an employer or are not already enrolled in a government program, such as Medicare."

Experts have projected that the shift to private health care exchanges will affect both retirees and current employees. (I'll bet you didn't know that.) The projections include 1 million workers enrolled in private health care exchanges in 2013, increasing to perhaps 40 million workers in 2018.

Other companies have announced similar health care plan changes for their retirees, including General Electric and Time Warner. Last month, United Parcel Service announced that it will stop health care coverage for employees' spouses who can get coverage through another employer's plan:

"By denying coverage to spouses, employers not only save the annual premiums, but also the new fees that went into effect as part of the Affordable Care Act. This year, companies have to pay $1 or $2 "per life" covered on their plans, a sum that jumps to $65 in 2014. And health law guidelines proposed recently mandate coverage of employees' dependent children (up to age 26), but husbands and wives are optional... next year, 12% of employers plan to exclude spouses, up from 4% this year, according to a recent Towers Watson survey."

Local leaders in some states, such as North Carolina, are hosting forums to explain to residents what health care exchanges are and how they operate. The insurance commissioner in Maryland has already published the rates available in the state's new health care exchange, with some rates as low as $122 per month.

What is your opinion of private health care exchanges? What is your opinion of employers that no longer cover their employees' spouses?