Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Are ongoing protests and federal investigations into health plan practices evidence that customers have reached a tipping point?
It is not common for beneficiaries to get arrested in front of their health plan’s headquarters. But that is what happened in July, when protesters gathered outside of UnitedHealth Group (UHG) in Minnetonka, Minn., to stress their dissatisfaction with the health insurer. More than 150 protesters participated in the demonstration. Eleven were arrested and charged with misdemeanors for blocking the public street outside of the headquarters.
Their main complaint is that the insurer systemically denies care for patients. This is a situation that probably resonates with hospitals, physicians, clinical laboratory professionals, and pathologists, who often see their own claims denied by health plans, including UnitedHealthcare.
“UnitedHealth Group’s profiteering by denying care is a disgrace, leaving people across Minnesota and all of the United States without the care they desperately need,” wrote members of the People’s Action Institute in a letter to UHG’s CEO Sir Andrew Witty. People’s Action organized the protest as part of its Care Over Cost campaign.
“Health insurance coverage has expanded in America, but we are finding it is private health insurance corporations themselves that are often the largest barrier for people to receive the care they and their doctor agree they need,” Aija Nemer-Aanerud, campaign director with People’s Action told CBS News.
“We have asked UnitedHealthcare for systemic changes in their practices and they have refused,” he told Bring Me The News.
Nemer-Aanerud told CBS News that UnitedHealth Group leadership has “refused to acknowledge that prior authorizations and claim denials are a widespread problem.”
“Our mission is to help people live healthier lives and help make the health system work better for everyone,” said UnitedHealth Group CEO Sir Andrew Witty (above) during a Senate Finance Committee hearing in May, NTD reported. “Together, we are working to help enable our health system’s transition to value-based care and are empowering physicians and their care teams to deliver more personalized, high-quality care that delivers better outcomes at a lower cost.” (Photo copyright: The Business Journals.)
People’s Action Institute Demands
In the letter, the changes People’s Action urged UHG to make include:
Ceasing to deny claims for treatments recommended by medical professionals.
Overturning existing denials for recommended treatments.
Stopping the practice of using Artificial Intelligence (AI) and algorithms to deny claims in bulk.
Executing a publicly shared audit and reimbursing federal/state governments for public money diverted by claims and prior-authorization denials within Medicare and Medicaid systems.
Expediting payment of claims.
Making public the details of denied claims and prior authorizations by market, plan, state, geography, gender, disability and race.
A spokesperson for UnitedHealth Group told CBS News that the company has had several talks with People’s Action and has settled some of the organization’s issues. That spokesperson also confirmed that UHG tried to discuss specific cases, but the issues People’s Action brought up had already been resolved.
“The safety and security of our employees is a top priority. We have resolved the member-specific concerns raised by this group and remain open to a constructive dialogue about ensuring access to high-quality, affordable care,” UnitedHealthcare said in a statement.
Profits over Patients?
The People’s Action Institute is a national network of individuals and organizations who strive to help people across the US overturn medical care denials made by insurance giants. Its Care Over Cost campaign aims to influence insurers to initiate systemic changes in their practices.
The recent protest occurred as UnitedHealth Group released its second-quarter financial report claiming $7.9 billion in profits. The company provides health insurance for more than 47 million people across the country and took in $22.4 billion in profits last year.
“UnitedHealth Group’s $7.9 billion quarterly profit announcement is the result of a business model built on pocketing premiums and billions of dollars in public funds, then profiting by refusing to authorize or pay for care,” said Nemer-Aanerud in a press release. “People should not have to turn to public petitions or direct actions to get UnitedHealthcare to pay for the care they need to live.”
“UnitedHealth Group made a decision to spend billions of dollars on stock buybacks, lobbying, and executive pay instead of paying for care people need,” Nemer-Aanerud told Bring Me The News. “They are harming people for profit and should be held accountable for that choice.”
“We all pay for this convoluted system, whether it is in our health insurance premiums or in our public programs. UnitedHealth Group is making billions of dollars in profit by denying people care, including in privatized Medicare and Medicaid plans, to the point that it has prompted a federal investigation … Still, we left the meeting with hope,” they added.
Protests like this one against UnitedHealth Group serve as evidence that the current system of commercial health insurance plans could be deteriorating. This descent may cause customers of these plans to take unprecedented actions to fight for necessary medical care.
As noted earlier, hospitals, physician groups, clinical laboratories, and anatomic pathology groups that see their own claims often denied by health insurers without a clear reason for the denials are probably sympathetic to the plight of patients who are frustrated with how UnitedHealthcare denies their access to care.
Because of their big share of patient prescriptions, the three largest PBMs are about to undergo scrutiny via Congressional reports and looming lawsuits that call out questionable practices
Pharmacy benefit managers (PBMs) are finding themselves under scrutiny from both Federal Trade Commission (FTC) investigations into drug pricing as well as recent Congressional hearings into anticompetitive practices.
Because of how PBMs have captured the lion’s share of patient prescriptions away from retail pharmacies in the United States during the past 15 years, pathologists and clinical laboratory managers may want to track how Congress and federal antitrust regulators respond to this development. The issue is the high cost of prescription drugs for patients and the role of PBMs in keeping drug prices high to optimize their profits.
House representatives pressed the executives for “steering patients to pharmacies the PBM owns and favoring more expensive brand-name drugs on their formularies, or list of covered drugs, which result in higher rebates paid to them by drugmakers,” Healthcare Dive noted.
In its final report, the Committee on Oversight and Accountability found that “PBMs inflate prescription drug costs and interfere with patient care for their own financial benefit.”
Though hearings on PBMs have been increasing, the last time PBM executives testified on the Hill was before the Senate Committee on Finance in 2019, according to Healthcare Dive.
“Spread pricing and rebates benefit PBMs and have helped the three largest PBMs monopolize the pharmaceutical market … these self-benefitting practices only serve to help their bottom line rather than patients,” said Chairman James Comer (above) during a meeting of the federal Committee on Oversight and Accountability. “PBMs have been allowed to hide in the shadows for far too long. I look forward to the Oversight Committee continuing to work in a bipartisan fashion to shine a light on how these PBMs have undermined community pharmacies, raised prescriptions drug prices, and jeopardized patient care.” Clinical laboratory executives may want to track efforts by Congress to rein in PBMs so as to reduce the cost of prescription drugs to patients. (Photo copyright: US Federal Government/Public Domain.)
Turning up the Heat on PBMs
The spotlight began to grow on PBM practices back in 2023. Since then, PBMs have been the focus of three congressional hearings. The late July meeting came just hours after Chairman James Comer, R-KY, presented his report following a 32-month-long investigation “into how PBMs raise prices and reduce consumer choice,” Healthcare Dive reported.
Comer’s research found that “PBMs have used their position as middlemen to cement anticompetitive policies which have increased prescription drug costs, hurt independent pharmacies, and harmed patient care,” according to a press release announcing the upcoming hearing with the executives of the three largest PBMs.
Comer’s report uncovered “300 examples of the three PBMs preferring medications that cost at least $500 more per claim than a safe alternative medication excluded from their formularies,” Healthcare Dive noted.
Coming Lawsuits, Public Opinion
While the Congressional hearings put pressure on the three PBMs, a new threat looms on the horizon—multiple lawsuits—including one from the FTC “over their tactics for negotiating prices for drugs including insulin, after a two-year investigation into whether the companies steer patients away from less-expensive medicines,” The Wall Street Journal reported.
State attorney generals and independent pharmacies are lining up with lawsuits targeting PBM’s questionable business practices as well, Healthcare Dive reported.
While PBMs maintain their innocence, public opinion differs. An independent survey from KFF found that approximately three out of 10 individuals surveyed reported not taking a prescribed medicine due to expensive costs.
“This includes about one in five who report they have not filled a prescription or took an over-the counter drug instead (21%), and 12% who say they have cut pills in half or skipped a dose because of the cost,” KFF reported.
Further, 82% of those surveyed described the cost of prescription drugs to be unreasonable. Still, 65% described the costs as being easily affordable, with the biggest challenge going to those with a household income of less than $40,000.
PBMs Push Back
In response to the backlash, the PBMs brought their own report to Congress, prepared by global consulting firm Compass Lexecon. It showed that “PBMs pass through almost all rebates to plan sponsors and have operating margins below 5% in recent years,” Healthcare Dive reported.
During their testimony, Conway said that Optum Rx saves over $2,000 per person annually. Kautzner claimed Express Scripts brought $64 billion in savings to patients last year and kept “out-of-pocket costs on a per-prescription basis at $15, despite brand manufacturers raising drug prices on 60% of those products,” Healthcare Dive reported.
Joyner said CVS Caremark experienced “little or no competition” from the pharmaceutical industry for brand name drugs. He blamed the pharmaceutical industry for drug pricing increases, Healthcare Drive reported.
“Let me be clear, we do not contribute to the rising list prices. Hampering our ability to negotiate lower drug cost … would only remove an essential tool and our ability to deliver lower cost for medications,” Joyner told the Congressional committee.
House representatives were not moved.
“On one hand we have PBMs claiming to reduce prescription drug prices and on the other hand we have the Federal Trade Commission, we have major media outlets like The New York Times, and we have at least eight different attorneys generals, Democrats and Republicans, who all say PBMs are inflating drug costs,” said Raja Krishnamoorthi (D-Ill), Healthcare Dive reported.
“This is why just about every state now is taking up PBM reform,” Comer said. “There’s a credibility issue.”
Because there has been a parallel concentration of market share for clinical laboratory testing among a handful of billion-dollar national lab corporations, clinical laboratory managers may want to follow these events. They are examples of federal regulators investigating the business practices of a major healthcare sector while, at the same time, members of Congress look for ways to lower healthcare costs. Prescription drugs is a high-profile target.
At some future point, the cost of genetic testing could also become a target when Congress seeks other healthcare sectors in their goal to control medical expenses.
Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack
Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims.
The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”
A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.
Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”
Change Healthcare handles about 15 billion payments each year.
According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.
“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)
Millions of Records May be in Wrong Hands
Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.”
The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies.
In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”
“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.
Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”
In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”
Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:
Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
Groups have been unable to perform eligibility checks for patients.
Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.
Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.
While consolidation is a common trend across many sectors—including anatomic pathology groups and hospital systems—UnitedHealth Group is the latest example of the payer-provider consolidation trend impacting medical laboratories nationwide
Pending the successful completion of a $4.9-billion acquisition of DaVita Medical Group, UnitedHealth Group (UNH) will be poised to become the largest single employer of doctors in the U.S., according to numbers reported by leading sources.
Clinical laboratories, anatomic pathology groups, and other service providers that service those doctors should already be taking a serious look at their revenue flows and efficiencies to maintain margins and weather the shift into a model of value-based reimbursement.
Controlling Costs with Direct Care
According to a press release, UnitedHealth Group’s (NYSE:UNH) direct-to-patient healthcare subsidiary, OptumCare, currently employs or is affiliated with 30,000 physicians. And, DaVita Medical Group, a subsidiary of DaVita Inc. (NYSA:DVA), lists 13,000 affiliated physicians on their website. Should acquisition of DaVita Medical Group go forward, OptumCare would have approximately 43,000 affiliated or employed physicians—roughly 5,000 more physicians than HCA Healthcare and nearly double Kaiser Permanente’s 22,080 physicians—thus, making OptumCare’s parent company UNH the largest individual employer of physicians in the U.S. The acquisition is reportedly to reinforce UNH’s ability to control costs and manage the care experience by acquiring office-based physicians to provide services.
OptumCare has seen significant growth over the past decade. OptumHealth, one of three segments of UNH’s overall Optum healthcare subsidiary, includes OptumCare medical groups and IPAs, MedExpress urgent care, Surgical Care Affiliates ambulatory surgery centers, HouseCalls home visits, behavioral health, care management, and Rally Health wellness and digital consumer engagement.
“We have been slowly, steadily, methodically aligning and partnering with phenomenal medical groups who choose to join us,” Andrew Hayek, CEO of OptumHealth (above), told Bloomberg. “The shift towards value-based care and enabling medical groups to make that transition to value-based care is an important trend.” (Photo copyright: Becker’s ASC Review.)
Acquisitions of Doctors on the Rise; Clinical Lab Revenues Threatened
Independent physicians and practices have been a hot commodity in recent years. A March 2018 study from Avalere Health in collaboration with the Physicians Advocacy Institute (PAI) showed that the number of physicians employed by hospitals rose from 26% in July 2012 to 42% in 2016—a rise of 16% over four years.
By acquiring physicians of their own, insurance companies like UnitedHealth Group believe they can offset the cost and shifts in service of these prior trends. “We’re in an arms race with hospital systems,” John Gorman of Gorman Health Group told Bloomberg. “The goal is to better control the means of production in their key markets.”
According to Modern Healthcare, the acquisition of DaVita Medical Group is UnitedHealth’s third such acquisition in 2017. Other acquisitions include:
Advisory Board, a healthcare consulting firm, for $2.3-billion in November.
Along with Surgical Care Affiliates came a chain of surgery centers that, according to The New York Times (NYT), OptumCare plans to use to perform approximately one million surgeries and other outpatient procedures this year alone, while reducing expenses for outpatient surgeries by more than 50%.
NYT also noted that acquisition of DaVita Medical Group doesn’t bring just physicians under the OptumCare umbrella, but also nearly 250 MedExpress urgent care locations across the country.
By having physicians, clinical laboratories, outpatient surgery centers, and urgent care centers within their own networks, insurance providers then can steer patients toward the lowest-cost options within their networks and away from more expensive hospitals. This could mean less demand on independent clinical laboratories and hospitals and, with that, reduced cash flows.
According to NYT, Optum currently works with more than 80 health plans. However, mergers such these—including those between CVS Health (NYSE:CVS) and Aetna (NYSE:AET), and the proposed agreement between Humana (NYSE:HUM) and Walmart (NYSE:WMT) to deliver healthcare in the retailers’ stores—indicate that insurers are seeking ways to offer care in locations consumers find most accessible, while also working to exert influence on who patients seek out, to generate cost advantages for the insurers.
This consolidation should concern hospitals as payers increasingly draw physicians from them, potentially also taking away their patients. The impact, however, may also reach independent medical laboratories, medical imaging centers, anatomic pathology groups, and other healthcare service providers that provide diagnoses and treatments in today’s complex healthcare system.
Deep Payer Pockets Mean Fewer Patients for Clinical Labs and Medical Groups
As this trend continues, it could gain momentum and potentially funnel more patients toward similar setups. Major corporations have deeper pockets to advertise their physicians, medical laboratories, and other service providers—or to raise public awareness and improve reputations. Such support might be harder to justify for independent healthcare providers and medical facilities with shrinking budgets and margins in the face of healthcare reform.
Shawn Purifoy, MD, a family medicine practitioner in Malvern, Ark., expressed his concern succinctly in The New York Times. “I can’t advertise on NBC [but] CVS can,” he noted.
While further consolidation within independent clinical laboratories and hospitals might help to fend off this latest trend, it remains essential that medical laboratories and other service providers continue to optimize efficiency and educate both physicians and payers on the value of their services—particularly those services offered at higher margins or common to menus across a range of service providers.
