News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


American Associated Pharmacies Struck by Ransomware Attack

Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections

Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.

Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”

AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”

API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.

The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)

Embargo on the Hunt for PHI

Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack. 

Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data. 

“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.

Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported. 

Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.  

Other Cyberattacks on Healthcare Organizations

Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.

In “Cyberattack Renders Healthcare Providers across Ascension’s Hospital Network Unable to Access Medical Records Endangering Patients,” we summarized how Ascension’s inability to access medical records during the attack caused major disruptions to patient healthcare. It took more than a month for Ascension’s electronic health record system to be fully restored.

In “Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide,” Dark Daily outlined how a February cyberattack on Change Healthcare caused its parent organization UnitedHealth Group to file a Material Cybersecurity Incidents Report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as BlackCat (aka, ALPHV), according to Reuters.

And in, “Continued Cyberattacks on Hospitals, Clinical Laboratories, and Other Providers Cause Closures as Hackers Grow in Sophistication,” we reported how hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its clinical laboratory information system (LIS)—and extort ransomware payments.

Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.

Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.

—JP Schlingman

Related Information:

Ransomware Fiends Boast They’ve Stolen 1.4TB from US Pharmacy Network

Another Major US Healthcare Organization Has Been Hacked, with Potentially Major Consequences

Gang Shaking Down Pharmacy Group for Second Ransom Payment

US Pharmacy Network Loses 1.4 Terabytes of Data to Boasting Hackers

New Ransomware Group Embargo Uses Toolkit That Disables Security Solutions, ESET Research Discovers

Embargo Ransomware Group Claims Attack on American Associated Pharmacies

American Associated Pharmacies Resets All User Passwords after Ransomware Gang Claims Responsibility for Cyberattack

Ransomware Attack Disrupts Memorial Hospital’s EHR System, Temporarily Slows Operations

Weiser Memorial Hospital Investigating Cyberattack

Hospital Deals with IT Outage for 4 Weeks

Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

Disgraced Theranos Founder Elizabeth Holmes to Serve 11 Years, Three Months in Prison, Ending the Latest Chapter in the Story of the Failed Clinical Laboratory Company

Judge will decide the restitution Holmes must pay to defrauded Theranos investors at future court date; Ex-COO Ramesh “Sunny” Balwani to be sentenced next month

Clinical laboratory leaders and anatomic pathologists who closely followed the fraud trial of Elizabeth Holmes may have wondered how the Theranos founder and ex-CEO would be punished for her crimes. Now we know.

On Friday, a federal court judge sentenced Holmes to 135 months—11.25 years—in prison in the culmination of her conviction on three felony counts of wire fraud and one count of conspiracy, according to NBC Bay Area News.

Late into the four-hour sentencing hearing, Holmes tearfully spoke, according to a Twitter post by NBC reporter Scott Budman, who was in the courtroom. “I am devastated by my failings,” Holmes said. “I have felt deep pain for what people went through because I have failed them … To investors, patients, I am sorry.”

Davila ordered Holmes to surrender to authorities on April 27 to begin her time behind bars. She is free until that time. Her upcoming prison term caps off one of the biggest downfalls ever of an American entrepreneur.

[We first published this article in our Dark Daily E-Briefings newsletter.]


Elizabeth Holmes (above), founder and former CEO of Theranos, the now defunct clinical laboratory company, as she enters the federal courthouse in San Jose, Calif., prior to her sentencing on Friday. In January, Holmes was convicted on three counts of wire fraud and one count of conspiracy. Last summer, Theranos’ former CLIA laboratory director, pathologist Adam Rosendorff, MD, expressed remorse over his testimony which led to Holmes’ defense team requesting a new trial. The judge denied that request and allowed the sentencing of Holmes to proceed as scheduled. (Photo copyright: Jim Wilson/The New York Times.)


Defense Lawyers Plan to Appeal

Dean Johnson, JD, a California criminal defense lawyer, told NBC Bay Area News during live coverage of the hearing on Friday that Holmes’ defense team will appeal her conviction.

“I have no doubt there will be an appeal in this case,” Johnson said.

Judge Edward Davila, who oversaw Holmes’ trial and sentencing hearing in US District Court in San Jose, Calif., estimated that the total loss for Theranos investors was $121 million. Investors had committed funds to support the company’s flawed Edison blood testing technology. A separate restitution hearing for Holmes will be scheduled for a later date.

Beyond the sentencing, Holmes, 38, will be saddled by infamy for the rest of her life, with her past reputation as a charismatic innovator ruined.

In “Theranos Ex-CEO Elizabeth Holmes Convicted on Three Counts of Wire Fraud and One Count of Conspiracy to Commit Fraud after Seven Days of Jury Deliberations,” we covered how a jury convicted Holmes in January on four charges of investor and wire fraud after a four-month trial. She faced up to 20 years in prison on each of those counts.

Another Theranos executive, former Chief Operating Officer and President Ramesh “Sunny” Balwani, faces sentencing on Dec. 7. A jury found Balwani guilty of two counts of conspiracy and 10 counts of wire fraud in July.

“The judge [said] evidence shows Elizabeth Holmes was leader of the company, but not necessarily the leader of the criminal acts,” Budman tweeted. Those words clearly pointed to Balwani, who Holmes’ defense team had painted as exerting control over her and the company.

Prosecutors Sought a Stiffer Sentence for Holmes

Prosecutors had asked Davila to sentence Holmes to 15 years in prison, arguing that her conviction represented “one of the most substantial white collar offenses Silicon Valley or any other district has seen,” according to NBC Bay Area News, which cited court documents. The government also wanted her to pay $803 million in restitution.

Holmes’ defense team, however, wished for no prison time at all, instead asking that Holmes serve time under house arrest. “If a period of confinement is necessary, the defense suggests that a term of 18 months or less, with a subsequent supervised release period that requires community service, will amply meet that charge,” her lawyers wrote in a court filing.

Prior to the sentencing, Davila received 130 letters supporting Holmes and asking for leniency, NPR reported. Among them was a note from William “Billy” Evans, Holmes’ partner.

“If you are to know Liz, it is to know that she is honest, humble, selfless, and kind beyond what most people have ever experienced,” Evans wrote, NPR reported. “Please let her be free.”

Holmes and Evans have a 16-month-old son together, and she is pregnant with the couple’s second child. Her first pregnancy caused her trial to be rescheduled. Prior to last week’s sentencing, some reporters covering the trial speculated that because Holmes was the mother of an infant—and now pregnant again—the judge might be more lenient in sentencing. The 11-year, four-month sentence indicates that the judge was not much influenced by that factor.

Last Minute Pitch for New Trial Failed

Holmes’ legal wranglings continued until the very end.

On Nov. 7, Davila denied her motion for a new trial. Holmes’ lawyers had argued that key prosecution witness Adam Rosendorff, MD—a pathologist who was former laboratory director at the company—expressed remorse about his own 2021 testimony during an attempt to visit Holmes’ residence in August 2022. Dark Daily covered this event in “Clinical Pathologist Once Again at the Center of a National News Story as Theranos Founder Elizabeth Holmes Seeks New Trial.”

However, Rosendorff later told the court that he stood by his testimony about problems with Theranos’ blood testing technology.

In denying the request for a new trial, Davila wrote, “The court finds Dr. Rosendorff’s statements under oath to be credible,” according to The Washington Post.

From Teen Founder to Disgraced Entrepreneur

Holmes founded Theranos in 2003 at age 19 while she was attending Stanford University as a chemical engineering major. She dropped out of Stanford as a sophomore to focus on her new company.

Theranos claimed its technology—known as Edison—could perform diagnostics tests using a finger prick and a micro-specimen vial instead of a needle and several Vacutainers of blood. The company said it could return results to patients and clinicians in four hours for about half of the cost of typical lab test fees.

However, the promise of this technology began to unravel in 2015 following an investigative article by The Wall Street Journal that revealed the company ran only a handful of tests using its technology, instead relying on traditional testing for most of its specimen work.

Following The Journal’s exposé, the Centers for Medicare and Medicaid Services (CMS) sanctioned Theranos and Holmes in 2016. Meanwhile, the US Securities and Exchange Commission (SEC) investigated Holmes for raising hundreds of millions from investors by exaggerating or making false statements about the company’s technology and financial performance.

In 2018, the US Department of Justice (DOJ) indicted Holmes and Balwani, and Theranos closed shortly after.

Convictions Validated Pathologists’, Hospital Lab Leaders’ Concerns

Fortunately, the Theranos saga has not stunted investment in healthcare technology startups. Spending was in the tens of billions in 2021, although that number has dropped this year as the COVID-19 pandemic has waned, according to TechCrunch. Nevertheless, it is safe to assume that healthcare tech investors are scrutinizing scientific data from startups more thoroughly because of the Theranos fraud case.

Meanwhile, the saga of Theranos continues to leave a bad taste in the mouths of many clinical laboratory managers and pathologists. That’s because, during the peak period of adulation and spectacular news coverage about Elizabeth Holmes and her plans to totally disrupt the clinical laboratory industry, hospital and health system CEOs believed that they would be able to downsize their in-house medical laboratories and obtain lab tests from Theranos at savings of 50% or more. Consequently, during the years 2013 through the end of 2015, some hospital lab leaders saw requests for capital investment in their labs denied or delayed.

One example of how hospital CEOs embraced news of Theranos’ blood testing technology took place at the Cleveland Clinic. Elizabeth Holmes did such a good job selling the benefits of the Edison technology, then-CEO, Toby Cosgrove, MD, placed Theranos at number three on its list of top ten medical innovations for 2015.

In later years, Cosgrove admitted that no one at Cleveland Clinic or its pathologists were allowed to examine the analyzers and evaluate the technology.

It was for these reasons that the demise of Theranos was welcomed by many hospital lab administrators and pathologists. The fact that two of Theranos’ senior executives have been convicted of fraud validates many of the serious concerns that medical laboratory professionals had at that time, but which most major news reporters and media ignored and failed to report to the public.

Scott Wallask

Related Information:

Theranos Founder Elizabeth Holmes Sentenced to More than 11 Years in Prison

Elizabeth Holmes Is Sentenced to More than 11 Years for Fraud

Theranos Ex-CEO Elizabeth Holmes Convicted on Three Counts of Wire Fraud and One Count of Conspiracy to Commit Fraud after Seven Days of Jury Deliberations

Prosecutors Push 15-year Sentence for Theranos’ CEO Holmes

Elizabeth Holmes Sentenced to 11 Years in Prison for Theranos Fraud

Clinical Pathologist Once Again at the Center of a National News Story as Theranos Founder Elizabeth Holmes Seeks New Trial

Bid for New Trial Fails, Elizabeth Holmes Awaits Sentencing

Ramesh “Sunny” Balwani Convicted by a Jury on 12 Counts of Fraud in Theranos Trial

Hot Startup Theranos Has Struggled with Its Blood-Test Technology

Skeptical Missouri Pathologist Played a Key Role in Wall Street Journal Reporter John Carreyrou’s Exposé of Medical Lab Test Company Theranos

Fawning media coverage of Theranos’ blood-test claims ended once experts spoke out, showing the importance of strong relationships between pathologists and journalists

Wall Street Journal (WSJ) reporter John Carreyrou’s investigation into former Silicon Valley darling Theranos is credited with turning the spotlight on the blood-testing company’s claims and questionable technology. However, Carreyrou’s investigation may never have happened without the assistance of Missouri pathologist Adam Clapper, MD, who tipped off the reporter to growing skepticism about Theranos’ finger-stick blood testing device.

Clapper’s involvement in Theranos’ fall from grace provides a lesson on why anatomic pathologists, clinical pathologists, and other medical laboratory leaders should cultivate strong working relationships with healthcare journalists who seek out expert sources when covering lab-related issues.

Dark Daily has written extensively about Theranos—once valued at nine billion dollars—and its founder and former CEO Elizabeth Holmes, whose criminal trial on nine counts of wire fraud and two counts of conspiracy to commit wire fraud is scheduled to begin this summer, noted the WSJ.

In 2018, Holmes and former Theranos President Ramesh “Sunny” Balwani settled a civil case with the Securities and Exchange Commission (SEC). Holmes agreed to pay a $500,000 penalty and relinquished control of Theranos. She also was barred from serving as Director of a public company for 10 years.

Theranos Investigation Would Not Have Occurred without Clapper

Holmes founded Theranos in 2003 when she was 19 years old. By 2013, Holmes had become a media sensation based on her claims that Theranos had developed a medical technology that could run thousands of clinical laboratory tests using the blood from a tiny finger-prick. And, she claimed, it could do so quickly and cheaply.

By 2015, Carreyrou’s exposé in the Wall Street Journal revealed Theranos’ massive deceptions and questionable practices. His series of stories kickstarted the company’s downfall. However, Carreyrou acknowledges his investigation would not have occurred if it were not for pathologist Clapper.

“Without Adam Clapper, I am almost 100% sure that I wouldn’t have done anything,” Carreyrou told the Missourian. “It was the combination of him calling me and telling me what he had found out and how he felt and my feelings about the New Yorker story that really got me on the call of this scandal,” he said.

Anatomic and clinical pathologist Adam Clapper, MD (above), became skeptical about Holmes’ claims after reading a profile on her in The New Yorker. In December 2014, Clapper ended a post on his now defunct Pathology Blawg by saying, “Until proven otherwise, I’m going to be skeptical of Theranos’ claims.” That comment became a starting point for Carreyrou’s later investigation into Theranos. (Photo copyright: Missourian.)

According to the Missourian, Clapper turned to Carreyrou because the reporter had impressed him as “very fact-oriented and fact-driven” during telephone interviews for a series Carreyrou had written the year prior on Medicare fraud.

“I could hear his wheels spinning in his head as we were talking the first time, then he definitely sounded interested and intrigued,” Clapper told the Missourian. “And then I could tell he was even more so because very soon thereafter—like half an hour after that initial conversation—he’d already started to do some research into Theranos.”

Ten months later, the WSJ published Carreyrou’s first installment of his series on Theranos.

“The fact that this tip originated from a guy in Columbia, Missouri, thousands of miles from Silicon Valley—who never spoke to Elizabeth Holmes, who had no connection to the company or even to Silicon Valley other than he read about her claims in a magazine and knew a lot about this by virtue of being a pathologist—tells you that the people who put in all the money in [Theranos] didn’t spend enough time talking to experts and asking them what was feasible and what wasn’t,” said Carreyrou.

Benjamin Mazer, MD (above), an anatomic and clinical pathology resident in pathology and lab medicine at Yale New Haven Hospital, argues pathologists’ voices were noticeably—and critically—absent from media coverage during Theranos’ decade-long ascension. “For many of us in the pathology community, the writing was on the wall long before Carreyrou’s article was published,” he wrote in Health News Review. “Had journalists consulted pathologists as expert sources, the news coverage of Theranos might have been less fawning and more skeptical. Patients might have been spared erroneous tests.” (Photo copyright: Yale University.)

The lawyers defending Holmes against criminal fraud charges are contending Carreyrou “went beyond reporting the Theranos story” by prodding sources to contact federal regulators about the company’s alleged frauds and “possibly biased the agencies’ findings against [Theranos],” Bloomberg News reported.

The Wall Street Journal, however, stands behind Carreyrou’s reporting, which later was published as a book titled “Bad Blood: Secrets and Lies in a Silicon Valley Startup.”

Carreyrou told New York Magazine he doesn’t blame reporters for hyping Holmes and the technology she touted.

“You could make a case that maybe they should have done more reporting beyond interviewing her and her immediate entourage,” he said. “But how much is a writer/reporter to blame when the subject is bald-face lying to him, too?”

Nonetheless, the Theranos scandal offers a lesson to pathologists and clinical laboratory professionals in the importance of building good working relationships with healthcare journalists who not only must accurately report on healthcare breakthroughs and developments, but also need someone they can trust for an unbiased opinion.

—Andrea Downing Peck

Related Information:

Blood, Fraud and Money Led to CEO’s Fall from Grace

Theranos Founder Elizabeth Holmes to Face Trial Next Year on Fraud Charges

Theranos, CEO Holmes, and Former President Balwani Charged with Massive Fraud

Hot Startup Theranos Struggled with Its Blood Test Technology

The Pathologist and ‘The Inventor’: How a Columbia Doctor Helped Take Down Theranos

Blood Simpler

Elizabeth Holmes Blames Journalist for Theranos Troubles

Pathologists Predicted the Theranos Debacle, but their Voices Were Missing from Most News Coverage

The Reporter Who Took Down a Unicorn
