Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Are ongoing protests and federal investigations into health plan practices evidence that customers have reached a tipping point?
It is not common for beneficiaries to get arrested in front of their health plan’s headquarters. But that is what happened in July, when protesters gathered outside of UnitedHealth Group (UHG) in Minnetonka, Minn., to stress their dissatisfaction with the health insurer. More than 150 protesters participated in the demonstration. Eleven were arrested and charged with misdemeanors for blocking the public street outside of the headquarters.
Their main complaint is that the insurer systemically denies care for patients. This is a situation that probably resonates with hospitals, physicians, clinical laboratory professionals, and pathologists, who often see their own claims denied by health plans, including UnitedHealthcare.
“UnitedHealth Group’s profiteering by denying care is a disgrace, leaving people across Minnesota and all of the United States without the care they desperately need,” wrote members of the People’s Action Institute in a letter to UHG’s CEO Sir Andrew Witty. People’s Action organized the protest as part of its Care Over Cost campaign.
“Health insurance coverage has expanded in America, but we are finding it is private health insurance corporations themselves that are often the largest barrier for people to receive the care they and their doctor agree they need,” Aija Nemer-Aanerud, campaign director with People’s Action told CBS News.
“We have asked UnitedHealthcare for systemic changes in their practices and they have refused,” he told Bring Me The News.
Nemer-Aanerud told CBS News that UnitedHealth Group leadership has “refused to acknowledge that prior authorizations and claim denials are a widespread problem.”
“Our mission is to help people live healthier lives and help make the health system work better for everyone,” said UnitedHealth Group CEO Sir Andrew Witty (above) during a Senate Finance Committee hearing in May, NTD reported. “Together, we are working to help enable our health system’s transition to value-based care and are empowering physicians and their care teams to deliver more personalized, high-quality care that delivers better outcomes at a lower cost.” (Photo copyright: The Business Journals.)
People’s Action Institute Demands
In the letter, the changes People’s Action urged UHG to make include:
Ceasing to deny claims for treatments recommended by medical professionals.
Overturning existing denials for recommended treatments.
Stopping the practice of using Artificial Intelligence (AI) and algorithms to deny claims in bulk.
Executing a publicly shared audit and reimbursing federal/state governments for public money diverted by claims and prior-authorization denials within Medicare and Medicaid systems.
Expediting payment of claims.
Making public the details of denied claims and prior authorizations by market, plan, state, geography, gender, disability and race.
A spokesperson for UnitedHealth Group told CBS News that the company has had several talks with People’s Action and has settled some of the organization’s issues. That spokesperson also confirmed that UHG tried to discuss specific cases, but the issues People’s Action brought up had already been resolved.
“The safety and security of our employees is a top priority. We have resolved the member-specific concerns raised by this group and remain open to a constructive dialogue about ensuring access to high-quality, affordable care,” UnitedHealthcare said in a statement.
Profits over Patients?
The People’s Action Institute is a national network of individuals and organizations who strive to help people across the US overturn medical care denials made by insurance giants. Its Care Over Cost campaign aims to influence insurers to initiate systemic changes in their practices.
The recent protest occurred as UnitedHealth Group released its second-quarter financial report claiming $7.9 billion in profits. The company provides health insurance for more than 47 million people across the country and took in $22.4 billion in profits last year.
“UnitedHealth Group’s $7.9 billion quarterly profit announcement is the result of a business model built on pocketing premiums and billions of dollars in public funds, then profiting by refusing to authorize or pay for care,” said Nemer-Aanerud in a press release. “People should not have to turn to public petitions or direct actions to get UnitedHealthcare to pay for the care they need to live.”
“UnitedHealth Group made a decision to spend billions of dollars on stock buybacks, lobbying, and executive pay instead of paying for care people need,” Nemer-Aanerud told Bring Me The News. “They are harming people for profit and should be held accountable for that choice.”
“We all pay for this convoluted system, whether it is in our health insurance premiums or in our public programs. UnitedHealth Group is making billions of dollars in profit by denying people care, including in privatized Medicare and Medicaid plans, to the point that it has prompted a federal investigation … Still, we left the meeting with hope,” they added.
Protests like this one against UnitedHealth Group serve as evidence that the current system of commercial health insurance plans could be deteriorating. This descent may cause customers of these plans to take unprecedented actions to fight for necessary medical care.
As noted earlier, hospitals, physician groups, clinical laboratories, and anatomic pathology groups that see their own claims often denied by health insurers without a clear reason for the denials are probably sympathetic to the plight of patients who are frustrated with how UnitedHealthcare denies their access to care.
Palmetto GBA’s Chief Medical Officer will cover how clinical laboratories billing for genetic testing should prepare for Z-Codes at the upcoming Executive War College in New Orleans
After multiple delays, UnitedHealthcare (UHC) commercial plans will soon require clinical laboratories to use Z-Codes when submitting claims for certain molecular diagnostic tests. Several private insurers, including UHC, already require use of Z-Codes in their Medicare Advantage plans, but beginning June 1, UHC will be the first to mandate use of the codes in its commercial plans as well. Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD, who oversees the coding system and is Chief Medical Officer at Palmetto GBA, expects that other private payers will follow.
“A Z-Code is a random string of characters that’s used, like a barcode, to identify a specific service by a specific lab,” Bien-Willner explained in an interview with Dark Daily. By themselves, he said, the codes don’t have much value. Their utility comes from the DEX Diagnostics Exchange registry, “where the code defines a specific genetic test and everything associated with it: The lab that is performing the test. The test’s intended use. The analytes that are being measured.”
The registry also contains qualitative information, such as, “Is this a good test? Is it reasonable and necessary?” he said.
Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD (above), Palmetto GBA’s Chief Medical Officer, will speak about Z-Codes and the MolDX program during several sessions at the upcoming Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management taking place in New Orleans on April 30-May 1. Clinical laboratories involved in genetic testing will want to attend these critical sessions. (Photo copyright: Bien-Willner Physicians Association.)
Palmetto GBA Takes Control
Palmetto’s involvement with Z-Codes goes back to 2011, when the company established the MolDX program on behalf of the federal Centers for Medicare and Medicaid Services (CMS). The purpose was to handle processing of Medicare claims involving genetic tests. The coding system was originally developed by McKesson, and Palmetto adopted it as a more granular way to track use of the tests.
In 2017, McKesson merged its information technology business with Change Healthcare Holdings LLC to form Change Healthcare. Palmetto GBA acquired the Z-Codes and DEX registry from Change in 2020. Palmetto GBA had already been using the codes in MolDX and “we felt we needed better control of our own operations,” Bien-Willner explained.
In addition to administering MolDX, Palmetto is one of four regional Medicare contractors who require Z-Codes in claims for genetic tests. Collectively, the contractors handle Medicare claims submissions in 28 states.
Benefits of Z-Codes
Why require use of Z-Codes? Bien-Willner explained that the system addresses several fundamental issues with molecular diagnostic testing.
“Payers interact with labs through claims,” he said. “A claim will often have a CPT code [Current Procedural Technology code] that doesn’t really explain what was done or why.”
In addition, “molecular diagnostic testing is mostly done with laboratory developed tests (LDTs), not FDA-approved tests,” he said. “We don’t see LDTs as a problem, but there’s no standardization of the services. Two services could be described similarly, or with the same CPT codes. But they could have different intended uses with different levels of sophistication and different methodologies, quality, and content. So, how does the payer know what they’re paying for and whether it’s any good?”
When the CPT code is accompanied by a Z-Code, he said, “now we know exactly what test was done, who did it, who’s authorized to do it, what analytes are measured, and whether it meets coverage criteria under policy.”
The process to obtain a code begins when the lab registers for the DEX system, he explained. “Then they submit information about the test. They describe the intended use, the analytes that are being measured, and the methodologies. When they’ve submitted all the necessary information, we give the test a Z-Code.”
The assessment could be as simple as a spreadsheet that asks the lab which cancer types were tested in validation, he said. On the other end of the scale, “we might want to see the entire validation summary documentation,” he said.
Commercial Potential
Bien-Willner joined the Palmetto GBA in 2018 primarily to direct the MolDX program. But he soon saw the potential use of Z-Codes and the DEX registry for commercial plans. “It became instantly obvious that this is a problem for all payers, not just Medicare,” he said.
Over time, he said, “we’ve refined these processes to make them more reproducible, scalable, and efficient. Now commercial plans can license the DEX system, which Z-Codes are a part of, to better automate claims processing or pre-authorizations.”
In 2021, the company began offering the coding system for Medicare Advantage plans, with UHC the first to come aboard. “It was much easier to roll this out for Medicare Advantage, because those programs have to follow the same policies that Medicare does,” he explained.
As for UHC’s commercial plans, the insurer originally planned to require Z-Codes in claims beginning Aug. 1, 2023, then pushed that back to Oct. 1, according to Dark Daily’s sister publication The Dark Report.
Then it was pushed back again to April 1 of this year, and now to June 1.
“The implementation will be in a stepwise fashion,” Bien-Willner advised. “It’s difficult to take an entirely different approach to claims processing. There are something like 10 switches that have to be turned on for everything to work, and it’s going to be one switch at a time.”
For Palmetto GBA, the commercial plans represent “a whole different line of business that I think will have a huge impact in this industry,” he said. “They have the same issues that Medicare has. But for Medicare, we had to create automated solutions up front because it’s more of a pay and chase model,” where the claim is paid and CMS later goes after errors or fraudulent claims.
“Commercial plans in general just thought they could manually solve this issue on a claim-by-claim basis,” he said. “That worked well when there was just a handful of genetic tests. Now there are tens of thousands of tests and it’s impossible to keep up. They instituted programs to try to control these things, but I don’t believe they work very well.”
Bien-Willner is scheduled to speak about Palmetto GBA’s MolDX program, Z-Codes, and related topics during three sessions at the upcoming 29th annual Executive War College conference. Clinical laboratory and pathology group managers would be wise to attend his presentations. Visit here (or paste this URL into your browser: https://www.executivewarcollege.com/registration) to learn more and to secure your seat in New Orleans.
Forces in play will directly impact the operations and financial stability of many of the nation’s clinical laboratories
With significant regulatory changes expected in the next 18 to 24 months, experts are predicting a “Perfect Storm” for managers of clinical laboratories and pathology practices.
Currently looming are changes to critical regulations in two regulatory areas that will affect hospitals and medical laboratories. One regulatory change is unfolding with the US Food and Drug Administration (FDA) and the other regulatory effort centers around efforts to update the Clinical Laboratory Improvement Amendments of 1988 (CLIA).
The major FDA changes involve the soon-to-be-published Final Rule on Laboratory Developed Tests (LDTs), which is currently causing its own individual storm within healthcare and will likely lead to lawsuits, according to the FDA Law Blog.
In a similar fashion—and being managed under the federal Centers for Medicare and Medicaid Services (CMS)—are the changes to CLIA rules that are expected to be the most significant since 2003.
The final element of the “Perfect Storm” of changes coming to the lab industry is the increased use by private payers of Z-Codes for genetic test claims.
In his general keynote, Robert L. Michel, Dark Daily’s Editor-in-Chief and creator of the 29th Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management, will set the stage by introducing a session titled, “Regulatory Trifecta Coming Soon to All Labs! Anticipating the Federal LDT Rule, Revisions to CLIA Regulations, and Private Payers’ Z-Code Policies for Genetic Claims.”
“There are an unprecedented set of regulatory challenges all smashing into each other and the time is now to start preparing for the coming storm,” says Robert L. Michel (above), Dark Daily’s Editor-in-Chief and creator of the 29th Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management, a national conference on lab management taking place April 30-May 1, 2024, at the Hyatt in New Orleans. (Photo copyright: The Dark Intelligence Group.)
Coming Trifecta of Disruptive Forces to Clinical Laboratory, Anatomic Pathology
The upcoming changes, Michel notes, have the potential to cause major disruptions at hospitals and clinical laboratories nationwide.
“Importantly, this perfect storm—which I like to describe as a Trifecta because these three disruptive forces that will affect how labs will conduct business—is not yet on the radar screen of most lab administrators, executives, and pathologists,” he says.
Because of that, several sessions at this year’s Executive War College conference, now in its 29th year, will offer information designed to give attendees a better understanding of how to manage what’s coming for their labs and anatomic pathology practices.
“This regulatory trifecta consists of three elements,” adds Michel, who is also Editor-in-Chief of Dark Daily’s sister publication The Dark Report, a business intelligence service for senior level executives in the clinical laboratory and pathology industry, as well as in companies that offer solutions to labs and pathology groups.
According to Michel, that trifecta includes the following:
Element 1
FDA’s Draft LDT Rule
FDA’s LDT rule is currently the headline story in the lab industry. Speaking about this development and two other FDA initiatives involving diagnostics at the upcoming Executive War College will be pathologist Tim Stenzel, MD, PhD, former director of the FDA’s Office of In Vitro Diagnostics. It’s expected that the final rule on LDTs could be published by the end of April.
Stenzel will also discuss harmonization of ISO 13485 Medical Devices and the FDA’s recent memo on reclassifying most high-risk in vitro diagnostics to moderate-risk to ease the regulatory burden on companies seeking agency review of their diagnostic assays.
Salerno will also cover the CDC’s efforts to foster closer connections with clinical labs and their local public health laboratories, as well as the expanding menu of services for labs that his department now offers.
Element 3
Private Payer Use of Z-Codes for Test Claims
On the third development—increased use by private payers of Z-Codes for genetic test claims—the speaker will be pathologist Gabriel Bien-Willner, MD, PhD. He is the Medical Director of the MolDX program at Palmetto GBA, a Medicare Administrative Contractor (MAC). It is the MolDX program that oversees the issuance of Z-Codes for molecular and diagnostic tests.
UnitedHealthcare (UHC) was first to issue such a Z-Code policy last year, although it has delayed implementation several times. Other major payers are watching to see if UHC succeeds with this requirement, Michel says.
Other Critical Topics to be Covered at EWC
In addition to these need-to-know regulatory topics, Michel says that this year’s Executive War College will present almost 100 sessions and include 148 speakers. Some of the other topics on the agenda in New Orleans include the following and more:
Standardizing automation, analyzers, and tests across 25 lab sites.
Effective ways to attract, hire, and retain top-performing pathologists.
Leveraging your lab’s managed care contracts to increase covered tests.
“Our agenda is filled with the topics that are critically important to senior managers when it comes to managing their labs and anatomic pathology practices,” Michel notes.
“Every laboratory in the United States should recognize these three powerful developments are all in play at the same time and each will have direct impact on the clinical and financial performance of our nation’s labs,” Michel says. “For that reason, every lab should have one or more of their leadership team present at this year’s Executive War College to understand the implications of these developments.”
Visit here to learn more about the 29th Executive War College conference taking place in New Orleans.
Pharmaceutical tourism, like medical tourism, casts light on healthcare’s true costs and identifies patient populations that bear the brunt of growing drug prices
You’ve heard of medical tourism, where patients travel to other countries to receive low-cost, high-quality medical care. Now the State of Utah is introducing “pharmaceutical tourism” to state employees, who will be paid to make trips to Mexico to purchase certain prescription drugs.
The State of Utah is not alone in its use of this strategy. Prescription medication costs are skyrocketing for many critical drugs. To rein in those costs, several organizations are incentivizing their employees to purchase those drugs less expensively outside of the US. Clinical laboratories and anatomic pathology groups that perform companion diagnostic tests associated with certain high-priced therapeutic drugs might see more of their patients decide to cross international borders to access the drugs they need.
This pharmaceutical tourism highlights how complex US laws hide the true cost of prescription drugs from patients and their employers. It also raises the question: how might pharmaceutical tourism impact retail pharmacies in this country?
Saves Patients Money, but at What Cost?
The Public Employees Health Plan (PEHP) for Utah state employees recently announced a pharmacy tourism program. Its members can receive free air travel and $500 in cash to fill 90-day prescriptions in Mexico for certain higher-cost medications.
“The prescription drugs received in Mexico are the same quality and from the same manufacturer as those sold in the US,” said Travis Tolley, Clinical Management Director at PEHP Health and Benefits, in a news release. “The difference is the price you pay. For example, a 90-day supply for the average cost of an eligible drug in the US is over $4,500 per month and is 40-60% less in Mexico. The substantial savings allow us to reward our members for seeking lower-cost options.”
Participants in the program receive round-trip airfare from Utah to San Diego for themselves and a companion, followed by transportation to a clinic in Tijuana where their prescriptions are filled. They also can receive a taxable $500 cash bonus for each trip—up to four trips/year. The airfare from Salt Lake City to San Diego typically costs around $300.
PEHP, which covers 160,000 public employees and family members, offers the pharmacy tourism program for 13 specific medications where a vast disparity in cost exists between the US and Mexico.
The drugs that qualify for the program along with the most common illnesses they treat are:
One of the more expensive drugs on the list, Avonex, costs approximately $6,700 for a month’s supply in the US compared to only about $2,200 at the contracted clinic in Tijuana. That’s a savings of approximately $13,500 for a three-month supply, which compensates for the program’s $500 cash reward and transportation costs.
Not the First Time PEHP Tried Medical Tourism
PEHP previously offered free airfare to members willing to fly to other countries for medical procedures and prescriptions. However, without the cash incentives, participation was low. The health plan hopes the lure of $500 per trip will increase participation rate.
UnitedHealthcare (UHC) also is experimenting with ways to lower prescription drug costs. Last year, they introduced My ScriptRewards. The program incentivizes members to opt for less expensive medications. Participants in this program receive up to $500 in prepaid debit cards to help defray their medical costs.
Currently, My ScriptRewards can only be used for select antiviral medications (Cimduo plus Isentress or Cimduo plus Tivicay) to treat human immunodeficiency virus (HIV). And, it’s only available to UHC commercial plan members who are covered by group plans. However, UHC plans to expand the program to include other high-cost specialty medications in the future.
According to the Centers for Disease Control and Prevention (CDC), prescription medications account for 9.8% of national health expenditures. And in 2017, Quintiles and IMS Health, Inc. (now IQVIA), a company that compiles data for the pharmaceutical industry, estimated that prescription spending in the US will reach an annual cost of $580-$610 billion by 2021.
And, with prescription costs soaring, it’s likely insurance providers will continue to seek new ways to curtail costs. In an era when many medical laboratory companies are charging sky-high prices for their proprietary tests and test panels, might “clinical laboratory tourism” be the next trend to emerge?