This follows class action lawsuits in multiple states against insurance companies that deny millions of healthcare claims each year
Artificial intelligence (AI) has become ubiquitous in many aspects of healthcare. But perhaps its most controversial use is in the payer denial-of-claims process. Multiple states are pursuing legislation that would limit or outright ban AI’s use without physician involvement.
Clinical laboratories experience payment denials at both the prior authorization stage when a doctor orders a lab test as well as when the claim is submitted for reimbursement. And many labs perform tests for which they know they will not be paid just to maintain the client account relationships with doctors.
Now, several states are taking measures to protect patients from what some say is a dangerous trend to use AI algorithms only to review and deny medical claims for critical healthcare and clinical laboratory testing. This will be of interest to lab managers and those in charge of their lab’s revenue.
“Physicians and patients already face daunting challenges in navigating medical insurers’ bureaucratic administrative processes,” said Arizona Medical Association (ArMA) President Nadeem Kazi, MD, in a news release. “Taking physicians’ clinical experience out of these processes entirely is a misguided step,” he added.
However, on March 13, the Arizona Senate’s Finance Committee altered the language in its version of the bill. In it, AI is not specifically mentioned.
Instead, the bill’s language now “requires a medical director or healthcare provider, before a healthcare insurer may deny a claim or issue a direct denial of a prior authorization, to individually review any denial that involves medical necessity or experimental status or that requires the use of medical judgment and prohibits the director or provider from relying solely on recommendations derived from any other source during the prior authorization denial or claim denial review.”
Presumably, “any other source” includes AI-driven software platforms used by payers for prior authorization denials and claims processing.
“While AI promises innovation for several areas of healthcare, the review and denial of medical insurance claims—some of which represent life-changing treatments and procedures—should be left to physicians who can make nuanced clinical judgments,” said Shelby Job, ArMA communications director, in a statement following that state’s passage of the House bill in February.
The bill is now being debated in the Arizona Senate. If the Senate passes its version, the two sides will need to reconcile their bills.
“Patients deserve healthcare delivered by humans with compassionate medical expertise, not pattern-based computer algorithms designed by insurance companies,” said ArMA President Nadeem Kazi, MD (above), in a news release. (Photo copyright: Arizona Medical Association.)
Multiple States Move to Limit Use of AI in Claims Denials
In an Arizona House of Representatives Committee on Commerce meeting, state Republican representative Julie Willoughby, who is also an ER nurse, said that “she hopes the bill will protect Arizonians from losing healthcare access due to AI interference,” NBC News reported following passage of the House bill.
“What we’re asking for in this is that any claims that are denied have a provider look them over for completeness to ensure that there isn’t anything that the AI algorithm may not have accounted for,” she said.
If signed into law, the bill will require a medical director at the insurance carrier in question to “individually review each claim or prior authorization before a healthcare insurer is able to deny a claim for that patient,” NBC News noted.
California passed similar legislation in September that would “ensure that a licensed physician supervises the use of AI decision-making tools when they are used to inform decisions to approve, modify, or deny requests by providers,” NBC News reported.
The author of the California bill, Democratic senator Josh Becker, JD, argued upon the bill’s passing that AI “should never replace the expertise and judgment of physicians,” adding, “An algorithm cannot fully understand a patient’s unique medical history or needs, and its misuse can lead to devastating consequences.”
And in Texas, a bill introduced by Republican senator Charles Schwertner, MD, states that AI “should not be used as the ‘sole basis of a decision to wholly or partly deny, delay, or modify healthcare services,’” NBC News reported.
In a statement, the Texas Coalition of Patients said the bill is “crucial in ensuring that life-altering healthcare decisions remain in the hands of medical professionals rather than Big Insurance’s automated systems.”
In all, 11 states have introduced legislation to “to push back on artificial intelligence use in reviewing medical claims,” according to NBC News.
In May 2023, The Dark Report explored payer claims denials, and it was acknowledged back then that automated systems were already reviewing claims.
And then there are the lawsuits. According to The Guardian, Cigna, Humana, and UnitedHealth all face class-action lawsuits concerning the use of AI to “deny lifesaving care.”
Can AI Coexist with Human-based Care?
Although at this time AI may not understand the nuanced complexities of healthcare claims, there seem to be plenty of uses for it in healthcare decision-making. It can analyze large sets of data for diagnosis, transcribe medical documents using automatic speech recognition, and streamline administrative tasks––all of which can help a workforce plagued by staff burnout and shortages, Los Angeles Pacific University noted.
And though its use in payer claims reviews and denials is being resisted, AI will likely continue to help doctors diagnose disease and make better treatment decisions. Nevertheless, clinical laboratory and pathology workers should be aware of how the tool is being used and keep an eye out for suspicious claims denials.
Clinical laboratories should closely watch the Trump administration as it contemplates a court appeal, a revised LDT rulemaking, or abandoning the rule altogether
With a US District Court judge’s decision to vacate the Food and Drug Administration’s (FDA) rule on laboratory-developed tests (LDTs), perhaps the most intriguing aspect for clinical laboratories is what the next move will be by the federal government.
It’s hard to predict whether the administration of President Donald Trump will either appeal the judge’s decision, direct the FDA to come up with a new version of the rule that passes legal muster, or simply back off further scrutiny of LDTs.
Let’s look more closely at the options for clinical laboratory professionals to monitor.
US District Court Judge Sean Jordan, JD (above), vacated the federal Food and Drug Administration’s final rule to regulate laboratory-developed tests (LDTs) on March 31, 2025. In a lawsuit, the Association for Molecular Pathologists and the American Clinical Laboratory Association accused the FDA of overstepping its legal authority in issuing the LDT rule in 2024. The outcome of this ruling will affect clinical laboratories’ future development their own tests. (Photo copyright: Jackson Walker LLP.)
Will the Trump Administration Appeal the LDT Decision?
The FDA’s final rule—which came out in 2024 and was about to hit its first compliance milestone on May 6, 2025—had been discussed for at least 10 years prior, covering multiple presidential administrations. Because the final rule was published by the FDA under former President Joe Biden, it surprised some observers to see Trump’s Department of Justice defend the FDA’s right to implement the rule during oral arguments in February before Judge Sean Jordan in US District Court for the Eastern District of Texas.
That hearing was the culmination of a combined lawsuit from American Clinical Laboratory Association (ACLA) and the Association for Molecular Pathology (AMP) challenging the LDT rule. The suit sought summary judgment on the matter, which Jordan granted on March 31 in his decision to vacate the FDA’s rule.
“The Court vacates and sets aside, in its entirety, the FDA’s final rule titled Medical Devices; Laboratory Developed Tests,” Jordan wrote. “The Court remands this matter to the secretary of Health and Human Services for further consideration.”
Trump’s legal team set a precedent early in the president’s second term to aggressively challenge any court decisions that buck his authority. From that perspective, an appeal of the LDT judgment seems probable, although there is no official word yet about that.
Trump ran on an anti-regulatory, smaller government platform. In that sense, the DOJ’s defense of the FDA’s standing to carry out the LDT rule was a surprise.
Will the FDA Create a Revised Version of the LDT Rule?
The court sent the rule back to the FDA, which leaves the door open for the agency to construct and issue a new rule.
The clinical laboratory industry argued that LDTs should not be classified as medical devices, which the rule instead emphasized. That could be an area where a new version of the rule bends.
Congress could also step in here. For many years, a proposed bill known as the VALID Act (formally the Verifying Accurate Leading-Edge IVCT Development Act) was filed in the House of Representatives to increase LDT oversight.
But then—after the FDA’s LDT rule came out—the VALID Act looked to be the lesser of two evils to lab professionals. It’s possible labs and lawmakers could work out a new version of the VALID Act to avoid another potentially onerous FDA-issued rulemaking.
Will Trump and the FDA Do Nothing?
Even though it would go against the current pattern of challenging court decisions, the Trump administration could simply step back and choose to do nothing with the FDA’s vacated rule.
In that case, presumably LDTs would continue to be overseen by the Clinical Laboratory Improvement Amendments of 1988 (CLIA). The medical lab industry has long preferred to see CLIA reform as the pathway to regulating LDTs in the future rather than formal FDA involvement. The FDA referred to this arrangement as “enforcement discretion,” as LDT oversight has always been on the books at the FDA, but the agency deferred to CLIA for many years.
Of related interest was a news release last week from the federal Department of Health and Human Services (HHS) announcing a sweeping number of layoffs under its individual agencies. The FDA is slated to lose 3,500 employees, although the “reduction will not affect drug, medical device, or food reviewers, nor will it impact inspectors,” HHS noted in a fact sheet.
Revisiting an LDT rule that will require more reviewers and inspectors seems at odds with a shrinking FDA.
Clinical Labs Must Monitor the Near-term Future of LDTs
After coming out ahead in one of the biggest court showdowns in clinical lab history, medical laboratory scientists and industry leaders now must keep their eyes on the various avenues that LDT regulation could head down in the near future.
Watch for further analysis of the business implications of this court decision in The Dark Report.
Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information
Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.
The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.
LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.
According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”
The case is worth attention because it casts light on what the health system administration did/did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.
“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD (above), partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data. (Photo copyright: Saltz Mongeluzzi Bendesky P.C.)
Lawsuit Details
The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”
“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”
The plaintiff’s attorney’s argued LVHN failed in its responsibility to protect patient information and were in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).
The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web.
“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.
Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:
$50 to patients whose records were hacked.
$1,000 to patients who had their information posted online.
$7,500 to patients whose non-nude photos were posted online.
$70,000 to $80,000 for patients who had their nude photos posted online.
“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”
Game Changing Data Breach
LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom which led to the cybercriminals uploading the stolen data to the Dark Web.
“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.
“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”
“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”
Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.
LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.
LVHN has established a website for people seeking information about the cyberattack.
As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.
Holmes says life in prison is ‘Hell’ and that Theranos was a failure but ‘not fraud’
For some reason disgraced Theranos founder and ex-CEO Elizabeth Holmes, in a lengthy interview with People magazine, described life in prison while raising her two children even as a three-judge panel of the US 9th Circuit Court of Appeals affirmed her conviction and 11.25-year sentence for fraud.
In June of 2024, Holmes’ defense team appealed to have her conviction overturned due to alleged errors in her trial. According to court documents containing the federal judges’ decisions, her attorneys argued that:
Former Theranos employees who testified as lay witnesses should not have been allowed to offer improper expert testimony.
The court abused its discretion by allowing testimony that Theranos voided all patient sample tests run on a device used in Theranos’s clinical laboratory.
Her rights were violated under the Confrontation Clause of the Sixth Amendment when she was prohibited from cross-examining a former Theranos laboratory director on aspects of his post-Theranos employment.
In February 2025, the judges rejected all points and denied her appeal. Holmes is serving her sentence in a minimum security federal prison camp in Texas and is currently scheduled to be released in 2032.
Elizabeth Holmes (above) taken backstage at TechCrunch Disrupt San Francisco 2014 when Holmes was at the height of her fame and popularity. At this point, Theranos’ Edison blood testing device had not yet been shown to be a fake. But as clinical laboratory scientists and anatomic pathologists studied the technology it was shown to be incapable of producing the results claimed by Holmes and her company president Ramesh Balwani. Today, both are serving lengthy prison sentences for defrauding investors. (Photo copyright: Max Morse/Wikimedia Commons.)
‘Nothing More than a Mirage’
Holmes was convicted in 2022 and sentenced to 135 months for her role in the Theranos fraud case. She was also ordered to pay approximately $452 million in restitution due to her offense, which resulted in significant financial losses to various entities and individuals.
Holmes’ one-time romantic partner and former president of Theranos Ramesh “Sunny” Balwani also was convicted of several fraud charges and sentenced to 155 months in prison.
Theranos claimed to have invented a device called Edison that could run a variety of fast, accurate, and affordable clinical laboratory diagnostic tests from a single finger prick of blood. That’s in contrast to traditional testing methods that require veinous blood drawn with a hypodermic needle. The reality, however, was that the Edison device did not work as described to investors.
“The vision sold by Holmes and Balwani was nothing more than mirage,” wrote 9th Circuit Judge Jacqueline Nguyen, JD, in the panel’s decision, adding that the “grandiose achievements touted by Holmes and Balwani were half-truths and outright lies.”
The judges continued: “Theranos’s blood-testing device failed to deliver faster and more accurate testing results than conventional technology. Pharmaceutical companies never validated the technology, as Holmes and Balwani had told investors. Contrary to the rosy revenue projections shared with investors and business partners, Theranos was running out of money.”
Life Behind Bars
Holmes told People she has adjusted to prison life, waking up every morning just after 5 AM. Her routine includes daily exercise and working as a reentry clerk. Holmes, who was once touted as having an estimated worth of $4.5 billion, now earns just 31 cents an hour teaching fellow inmates how to prepare resumes and apply for jobs and government benefits.
“So many of these women don’t have anyone, and once they’re in there, they’re forgotten,” she told People.
Holmes also teaches French and participates in cognitive and behavioral therapy for post-traumatic stress disorder (PTSD) to address past traumas, including the downfall of Theranos, which was once valued at $9 billion.
“It’s surreal,” she said. “People who have never met me believe so strongly about me. They don’t understand who I am. It forces you to spend a lot of time questioning belief and hoping the truth will prevail. I am walking by faith and, ultimately, the truth. But it’s been hell and torture to be here.”
Raising Children from Prison
Holmes’ trial was delayed three times due to the COVID-19 pandemic and then a fourth time due to a pregnancy. She gave birth to son William a few weeks before her trial began. She later gave birth to daughter Invicta. Both children are being raised by their father Billy Evans, Holmes’ current partner.
Critics allege Holmes only had children to gain sympathy and attempt to avoid prison time. In the People interview, she tried to dispel those claims.
“I know how the optics look, but I always wanted to be a mother,” she said. “I wanted to have children, be a mom. I truly did not think I would ever be convicted or found guilty. I kept talking to my lawyers and they also assured me we would never get this far.
“It wasn’t planned, and I can’t worry about what others think,” she added. “It’s just when the timing happened.”
Holmes’ children will be nine and 10 years-old when she’s slated for release in 2032. She continues to maintain her innocence and considers her trial and conviction a miscarriage of justice. She asserts that while Theranos was a flop, “failure is not fraud.”
“First it was about accepting it happened. Then it was about forgiving myself for my own part. [And] I refused to plead guilty to crimes I did not commit,” Holmes said.
Interestingly, Holmes intends to return to the healthcare industry upon her release. “There is not a day I have not continued to work on my research and inventions,” she told People. “I remain completely committed to my dream of making affordable healthcare solutions available to everyone.”
How she plans to do that given the federal government has banned her for life from operating a clinical laboratory and participating in federal health programs is anyone’s guess.
And thus the life and times saga of Elizabeth Holmes continues.
Dettwyler is set to retire at age 92 after a long career helping clinical laboratories with their coding and billing systems
When William Dettwyler, MT, began working in a clinical laboratory, Harry Truman was president of the United States and scientists had not yet discovered the structure of DNA. Now, as he approaches his 92nd birthday in March, he is finally ready to retire from a career that has spanned more than seven decades, from bench work as a medical laboratory technician (MLT) to assisting labs with their medical coding and medical billing challenges.
Along the way, one of his coding innovations helped the State of Oregon save substantial sums in its Medicaid program. He also helped many medical laboratories increase reimbursement by correcting their coding mistakes. This from someone who left school after eighth grade to help on his family’s farm in rural Oregon.
In an exclusive interview with Dark Daily, Dettwyler discusses his long career and offered pointers for labs on improving their coding and reimbursement procedures.
Back in the 1980s, when he began his consulting work for labs, “they were very poor at billing,” he recalled. “Hospital billing staff didn’t understand lab coding. Reference laboratories didn’t do a good job of picking the right codes or even billing all the codes. Up until around the 1970s, hospitals didn’t even have to bill individual lab procedures with CPT codes. They billed with a revenue center code for all their lab services.”
These days “people are much more sophisticated,” he notes. “There are fewer coding problems compared to what it was in the 1980s and 1990s up to the 2010s.” However, he says he still has a handful of clients who call on his expertise.
“It was not unusual to go to a large university medical center and in three days tell the CFO on my exit review that the following year their lab would bring in about a half million more in revenue, just from my coding review. But I did not reveal to them that I had only gone to the eighth grade in a little one room school and was the lone graduate in my eighth-grade class,” wrote William Dettwyler, MT (above), owner of Codus Medicus in Salem, Ore., in an article he penned for Medical Laboratory Observer. For 75 years Dettwyler worked in the clinical laboratory industry. For much of that time he helped labs all over America improve their coding and reimbursement systems. (Photo copyright: LinkedIn.)
How It All Began
Dettwyler got his first taste of lab work in the early 1950s as a teenager washing glassware for a medical laboratory technician at a local medical practice. A few years later he completed an MLT program at Oregon Institute of Technology in Klamath Falls and landed his first lab tech job at a clinic in Portland.
His entry to consulting came in the early 1970s while he was working for a medical group in Salem. “I was helping the accounting personnel with their billing and noticed that Medicaid was not paying for a common test for syphilis that I was performing,” he recalled. “I contacted Medicaid, and they told me they didn’t understand laboratory procedures.”
After that, “they started to call me frequently with laboratory questions,” he said. “It wasn’t long before they asked me to help them on a part-time basis.” He also assisted with questions related to radiology.
By 1976, Dettwyler was devoting 35 hours a week to assisting the state Medicaid agency while still working as a lab tech.
Simple Hack Ends Overpayments
One of his career highlights came around 1981, when he discovered that the agency was overpaying for some pathology and radiology procedures by as much as 200%.
“Pathologists and radiologists are paid based on whether they are performing the complete procedure—the technical component and the professional component—or just the professional component, where they interpret the results,” he explained.
When billing for just the professional component, the physicians would add two digits to the standard code, so it might come in as 88305-26. However, the state’s computer system could only accommodate a five-digit code, so the state was paying as if the providers had done everything.
“The computer techs said the software couldn’t handle a seven-digit number in a five-digit box, so I devised a way for the computer to read the equivalent of seven digits,” he recalled.
His solution was to modify the codes so that the last digit was an alphabetic character. Instead of billing for code 88305-26, the physicians would bill for 8830F, and the state would pay them correctly.
Around that time, Dettwyler also began assisting a Medicare office in Portland. This forced him to cut back on his work as a lab tech. But he still worked around 60 hours a week.
“For most of my life, I’ve worked three jobs,” he said. “Work is my hobby.” He also had a large family to support—by 1976, he and his wife had 10 kids.
Transition to Lab Consulting
In 1986, the state was facing a budget shortfall and cut its Medicaid consultants, so Dettwyler decided to seek consulting work with labs while continuing to work at the bench.
“I really liked the coding because I had very little competition,” he said. “But I wanted to keep working in the laboratory mainly to understand the problems.”
While working for the state, Dettwyler attended coding seminars and workshops. He noticed that labs were losing revenue due to poor billing practices. “They didn’t understand all the coding complexities, so they really hungered for this kind of assistance.”
But first, he had to find clients. So he partnered with another lab tech who was offering similar consulting services.
Business picked up after Dettwyler contributed an article to the trade publication Medical Laboratory Observer about his process, which he calls “procedure code verification and post payment analysis.”
“That went like gangbusters,” he said. “We started getting calls from all over the country.”
Dettwyler later split from his partner and went to work on his own.
“I would sit down with the person who was responsible for coding, usually the lab or radiology manager,” he explained. “We would go over the chargemaster and cover every procedure to make sure the code and units were correct. When I was done, I would give them a report of what codes we changed and why we changed them.”
Beginning in 1989, he signed on as a contractor for another consultancy, Health Systems Concepts on the East Coast, where he remained until 2019.
Advice to the Current Generation
What is Dettwyler’s advice for someone who wants to follow in his footsteps and assist labs with their coding? “I wouldn’t recommend it now,” he said. “There’s less need for that kind of assistance than in the past.”
However, he does find that labs still run into problems. The greatest need, he says, is in molecular diagnostics, due to the complexity of the procedures.
In addition, labs are sometimes confused by coding for therapeutic drug monitoring, in which a doctor is gauging a patient’s reaction to a therapy versus screening for substance abuse. “Those issues are often misunderstood,” he said.
Microbiology also poses coding challenges, he noted, because of the steps required to identify the pathogen and determine antibiotic susceptibility. “It requires quite a bit of additional coding,” he said. “Some labs don’t understand that they can’t just bill a code for culture and sensitivity. They have to bill for the individual portions.”
Labs that work with reference labs also have to be careful to verify codes for specific procedures. “I’ll review the codes used by reference labs and, surprisingly, they’re not always correct. Reference labs sometimes get it wrong.”
If someone does want to become a coding expert, Dettwyler suggests that “they should first have experience as a lab tech, especially in microbiology, because of the additional coding. And they should try to work with somebody who is already doing it. Then, they should work with the billing department to learn how it operates.”
He also advises clinical laboratory managers to follow the latest developments in the field by reading lab publications such as The Dark Report. “You have to do that to keep current,” he said.
Despite never completing high school, Dettwyler eventually received his GED and an associate degree. “But the degrees didn’t really help me,” he said. “Much of it was on-the-job training and keeping my eyes open and listening.”
Clinical laboratories are particularly tasty targets for cybercriminals seeking the abundance of protect health information contained in patient electronic health records
Recent data from cybersecurity company Netwrix of Frisco, Texas, shows that 84% of healthcare organizations—including clinical laboratories and pathology groups—caught at least one cyberattack in the past year and “69% of them faced financial damage as a result.” That’s according to the company’s latest Hybrid Security Trends Report which notes that 24% of healthcare organizations are “fully cloud-based,” as opposed to just 11% of non-healthcare industries.
“Phishing was the most common type of incident experienced on premises, similar to other industries. Account compromise topped the list for cloud attacks: 74% of healthcare organizations that spotted a cyberattack reported user or admin account compromise,” the Netwrix report notes.
Phishing, where cybercriminals send fake emails and texts to unsuspecting employees that trick them into providing private information, continues to be one of the most prevalent cyberthreats experienced by healthcare organizations and often serves as the catalyst for much larger and more dangerous cyberattacks.
This is particularly dangerous in clinical laboratories where as much as 80% of protected health information (PHI) in patients’ electronic health records (EHRs) is laboratory test results and other personal medical data.
“Protected health information (PHI) is one of the most expensive types of data sold on darknet forums, which makes healthcare organizations a top target for cybercriminals, said Ilia Sotnikov (above), security strategist and VP of user experience at Netwrix, in the report. Clinical laboratory patient electronic health records are particularly weighted toward PHI. (Photo copyright: Netwrix.)
Don’t Open That Email!
Typical phishing scams begin with innocent-looking emails from companies that appear to be legitimate and often contain language that implies urgent action is needed on the part of the user. These emails can be very convincing, appear to originate from reputable companies, and usually instruct users to open an attachment contained in the email or click on a link that goes to a known company website. However, the site is a fake.
Once the harmful file attachment is opened, users will be directed to download fake software or ransomware that attempts to capture the user’s personal information. When visiting a malicious website, consumers will often receive pop-ups with instructions for updating information, but the true purpose is to harvest personal data.
Never provide any personal information to an unsolicited request.
If you believe the contact is legitimate, initiate a contact with the organization using verified data, usually via telephone.
Never provide any passwords over the phone or in response to an unsolicited Internet request.
Review any accounts, such as bank statements, often to search for any suspicious activity.
“Healthcare workers regularly communicate with many people they do not know—patients, laboratory assistants, external auditors and more—so properly vetting every message is a huge burden,” said IT security expert Dirk Schrader, VP of security research at Netwrix, in the report. “Plus, they do not realize how critical it is to be cautious, since security awareness training often takes a back seat to the urgent work of taking care of patients. Combined, these factors can lead to a higher rate of security incidents.”
Top 10 Brands Faked in Phishing Scams
Phishing emails often appear to be from legitimate companies to lull the recipient into a false sense of security. In a January 22 report, Check Point Research (CPR) announced its latest Brand Phishing Ranking for the fourth quarter of 2024. The report reveals the brands that were most frequently impersonated in phishing attacks by cybercriminals for the purpose of stealing personal information from consumers.
According to the CPR report, 80% of disclosed brand phishing incidents occurred within just 10 brands (listed below with each brand’s percentage of phishing attacks). They are:
According to the report, fraudulent domains “replicated official websites to mislead shoppers with fake discounts, ultimately stealing login credentials and personal information. These fraudulent sites replicate the brand’s logo and offer unrealistically low prices to lure victims. Their goal is to trick users into sharing sensitive information, such as login credentials and personal details, enabling hackers to steal their data effectively.”
Steps Clinical Labs Can Take to Protect Patients’ PHI
Clinical laboratories and pathology groups can take precautions that minimize the risk of allowing cybercriminals access to their patients’ PHI.
“A core defense strategy is to minimize standing privileges by using a privileged access management (PAM) solution. Another is to implement identity threat detection and response (IDTR) tools to quickly block malicious actors using compromised credentials,” said Ilia Sotnikov, security strategist and VP of user experience at Netwrix, in the report.
The threat of phishing scams is a lingering issue that everyone in healthcare should be aware of and take necessary precautions to recognize and prevent having one’s PHI stolen. Clinical laboratory management should constantly remind lab personnel and contractors to be vigilant regarding fake emails and texts from well-known brands that ask for private information.
