News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Patient Rights Group Says Too Many Hospitals Are Not Complying with CMS Price Transparency Rules

Only about a third of the hospitals surveyed are in full compliance with giving public access to prices, the watchdog group contends, but the AHA disputes its methodology

It’s been almost four years since the Centers for Medicare and Medicaid Services (CMS) enacted its Hospital Price Transparency rule which requires hospitals—including their medical laboratories—to make their prices available and easily accessible to the public. But according to a 2024 report from PatientRightsAdvocate.org (PRA), just 34.5% of reviewed hospitals are fully compliant with the transparency rule. That’s a slight decrease from the 36% compliance rate the PRA listed in its 2023 report, the watchdog group stated in a blog post.

Released on Feb. 29, this was the group’s sixth semi-annual hospital price transparency report since the CMS rule took effect in 2021.

The rule “requires hospitals to post all prices online, easily accessible and searchable, in the form of (i) a single machine-readable standard charges file for all items, services, and drugs by all payers and all plans, the de-identified minimum and maximum negotiated rates, and all discounted cash prices, as well as (ii) prices for the 300 most common shoppable services either as a consumer-friendly standard charges display listing actual prices or, alternatively, as a price estimator tool,” the report states.

The required viewable prices are to cover, among other services, medical imaging, clinical laboratory testing, and outpatient procedures such as colonoscopies.

“With full transparency, consumers can benefit from competition to make informed decisions, protect from overcharges, billing errors, and fraud, and lower their costs,” the report states. “Employer and union plans can use pricing and claims data to improve their plan designs and direct members to lower cost, high-quality facilities. However, continued noncompliance impedes this ability.”

At any time, the US Department of Justice (DOJ) could decide to file charges against a hospital or a clinical laboratory for not posting their prices on their websites in compliance with the federal rule. Such an action by DOJ officials would be to specifically put the entire industry on notice that there will be consequences for non-compliance.

The PRA’s report provides hospitals and clinical laboratories with a reminder that consumer watchdogs are also monitoring compliance.

“Our comprehensive study of 2,000 hospitals indicates nearly two-thirds (65.5%) of hospitals reviewed continue failing to fully comply with the rule, yet the Centers for Medicare and Medicaid Services (CMS) has only fined fourteen hospitals for noncompliance out of the thousands found to not be meeting all of the rule’s requirements. When hospitals don’t post their prices, they can charge whatever they want,” wrote PRA Founder and Chairman Cynthia Fisher (above) in a letter to President Biden. Hospital medical laboratories are also required to post their prices for tests. (Photo copyright: PatientRightsAdvocate.org.)

Increasing Penalties for Non-compliance

In a March 18 Health Affairs blog post on price transparency, two healthcare policy experts—David Muhlestein, PhD, JD, Chief Research Officer at Leavitt Partners, Washington, DC, and Adjunct Assistant Professor of The Dartmouth Institute (TDI) at the Geisel School of Medicine at Dartmouth College; and Yuvraj Pathak, PhD, Associate Director at West Health—argued that CMS should increase penalties for non-compliance, so the dollar amounts are greater than the cost of compliance.

To compile their report, PRA analysts examined the websites of 2,000 US hospitals between September 3, 2023, and January 13, 2023, and found that 1,311, or 65.5%, were not in full compliance, mostly due to “missing or significantly incomplete pricing data,” the report states.

More than 6,000 licensed hospitals operate in the US, the report notes. The group said it focused on hospitals owned by the largest US health systems.

Among the notable findings:

  • The 2023 report found that 98% of Kaiser Permanente’s 42 hospitals were in full compliance with the rule, but in the 2024 study, none were compliant because the hospitals began posting multiple files instead of a single file.
  • In total, 103 hospitals rated as noncompliant in the previous report were found to be compliant in the new analysis. Conversely, 135 hospitals previously rated as compliant were listed as noncompliant in the 2024 report.

The report lauded three hospitals for posting “exemplary files” that were “easily accessible, downloadable, machine-readable, and including all negotiated rates by payer and plan.” Those were Cape Cod Hospital in Hyannis, Mass.; Christus Santa Rosa Medical Center in San Antonio; and UW Health University Hospital in Madison, Wis.

In its discussion of the findings, PRA called on CMS to step up enforcement of the pricing transparency rule. The group also wants the government to close what it describes as the “estimator tool loophole,” which allows hospitals to list non-binding price estimates and price ranges instead of concrete prices.

“Price estimator tools do not achieve the goals of price transparency policy and fundamentally undermine the intent of the regulations,” the PRA’s report contends.

AHA Pushes Back on PRA Assessment

The American Hospital Association (AHA) took issue with PRA’s methodology, as Dark Daily reported in “CMS Proposes New Amendments to Federal Hospital Price Transparency Rule That May Affect Clinical Laboratories and Pathology Groups.”

In response to the 2023 PRA report, AHA Group Vice President for Public Policy Molly Smith issued the following statement, “Once again, Patient Rights Advocate has put out a report that blatantly misconstrues, ignores, and mischaracterizes hospitals’ compliance with federal price transparency regulations. The AHA has repeatedly debunked point-by-point Patient Rights Advocate’s intentionally misleading ‘reports’ on price transparency.”

Citing CMS data, Smith said that as of 2022, 70% of US hospitals had complied with two key federal rules:

  • One requiring hospitals to post machine-readable files with pricing information.
  • The other mandating a list of prices for at least 300 “shoppable” services.

More than 80% of hospitals had complied with at least one of the rules, she contended in an AHA press release.

Speaking to the New Orleans Times-Picayune, PRA Founder and Chairman Cynthia Fisher said her group performs a more in-depth study of pricing data compared with CMS.

“They did not do a comprehensive review,” she told the publication. “We do a deep dive for full compliance.”

The PRA study came on the heels of a January report from Turquoise Health that offered a rosier assessment of hospital compliance, albeit with different criteria. According to the Turquoise report, as of Dec. 15, 2023:

  • 90.7% of 6,357 US hospitals had posted machine-readable files,
  • 83.1% posted information about negotiated rates, and
  • 77.3% posted cash rates.

The Turquoise Health end-to-end price transparency platform uses a 5-point system to rate the quality of hospitals’ machine-readable files and said that more than 50% scored five stars. Clinical laboratory managers and pathologists may find it timely to review their lab organization’s compliance with this federal price transparency rule.

—Stephen Beale

Related Information:

Just 34.5% of Reviewed Hospitals Fully Compliant with Federally-Mandated Price Transparency Rule

Sixth Semi-Annual Hospital Price Transparency Compliance Report

Improving Hospital Compliance with Price Transparency Rules

Only Half of LA Hospitals Publish Prices as Required by Law, Hindering Patient Choice

34.5% of Hospitals Complying with Price Transparency Rule, Report Says

Little Progress Made with Hospital Price Transparency Compliance

CMS Releases Tool to Validate Price Transparency File Compliance

Hospital Price Transparency Compliance Dips: Report

Hospitals Backslide on Price Transparency Test

Moving into 2024: State of Price Transparency

Hospitals Finally Reached Widespread Price Transparency Compliance in 2023

More Hospitals, Payers Compliant with Price Transparency Laws

New Zealand Clinical Laboratories to Undergo Health and Safety Checks after Workers Contract Typhoid, Others Exposed to Chemicals

This comes on top of months of strikes by NZ medical laboratory workers seeking fair pay and safe working conditions

Te Whatu Ora (aka, Health New Zealand, the country’s publicly funded healthcare system) recently ordered health and safety checks at multiple clinical laboratories in 18 districts across the country. This action is the result of safety issues detected after procedural discrepancies were discovered in separate labs.

According to Radio New Zealand (RNZ), Health New Zealand found “significant risks” at some medical laboratories and that “staff at one in Auckland were exposed to toxic fumes, at others two [people] caught typhoid, and delays jeopardized patients’ care.”

“Two lab workers were hospitalized this year after having caught typhoid from samples, one at a private lab in Auckland, and a second at Canterbury Health Laboratories, CHL,” RNZ reported.

A Health New Zealand internal document states there will need to be a “comprehensive” fix to deal with risks present in the island nation’s medical laboratory industry. The assessment states that the organization needs “a more detailed picture of the occupational health and health and safety risks present in our laboratories,” RNZ reported.

“The overall state of the laboratories and the practices they have in place pose an inherited risk from the former DHBs [district health boards] and will likely need a comprehensive approach to addressing significant and/or ongoing risks,” Health New Zealand said in the internal document. “There is growing demand on our laboratories in terms of the volume of the work, which can put pressure on processes, and work is often undertaken in facilities that, over time, may have become not fit for purpose.”

This story is an example of how clinical laboratory staff can be exposed to disease and toxic chemicals when procedures are not diligently followed. It is a reminder to all lab managers that diligence in following protective protocols is imperative.

“Te Whatu Ora is committed to identifying, tracking and mitigating all potential risks and issues within our service until they are fully resolved and no longer identifiable as an issue/risk,” Rachel Haggerty (above), Director, Strategy, Planning and Purchasing, Hospital and Specialist Services, for Health New Zealand, told NZ Doctor. Clinical laboratory workers in New Zealand have been striking for fair pay and safe working environments for months. Now, they risk becoming infected by deadly pathogens and exposed to chemicals as well. (Photo copyright: NZ Doctor.)

Lab Worker Strikes and Staff Shortages

Community Anatomic Pathology Services in Auckland lost its histology accreditation last year because it was discovered that lab workers were exposed to toxic chemical levels at the facility. In addition, patients were forced to wait weeks for test results from that lab. 

The laboratory was also penalized back in 2017 for how substances were handled when formaldehyde levels in excess of the recommended limits were detected. 

Bryan Raill, a medical scientist at the Counties Manukau District Health Board, said the laboratory workers union in New Zealand believes staff shortages and lab conditions are contributing to the lab woes. Raill is also president of the medical laboratory workers division of APEX, a specialist union representing more than 4,000 allied, scientific, and technical health professionals throughout New Zealand.

“It’s not only your physical environment, being safe there, but you have to be safe in terms of what you do,” Raill told RNZ.

Raill said the two typhoid infections were a red flag and that Te Whatu Ora needs to do more.

“They’re stepping out of the inertia they’ve been bound, so this is a good thing, but it needs to be a wider thing,” he said.

The New Zealand Institute of Medical Laboratory Science (NZIMLS) warned the government months ago that lab technicians were under unsustainable pressure.

“They should look at the other health and safety aspect of the workload and the work environment that staff are working under,” Raill explained in an iHeart podcast. “The person who caught typhoid in Christchurch spent four days in ICU, and there had been a workplace exposure to another pathogen two years earlier and the recommendations that came out of that hadn’t been followed. For example, [the lab workers] were not vaccinated against typhoid.”

IT Implementation Delays also to Blame

Along with strikes and staff shortages, clinical laboratories in New Zealand are also dealing with information technology (IT) issues. Technical problems have delayed some needed lab upgrades by more than a year. 

In addition, “The impacts of new tests, surgeries, and medicines/treatments on pathology services have also historically not been understood well nor accounted for and we are considering a number of options, as outlined in the risk register, to manage this,” said Rachel Haggerty, Director, Strategy, Planning and Purchasing, Hospital and Specialist Services, for Te Whatu Ora.

Future efforts will deal with training of lab personnel and focus on ventilation and hazardous substance management. 

Dark Daily has reported extensively on the ongoing problems within New Zealand’s clinical laboratory industry.

In “Pathology Lab Shortages in New Zealand Are One Cause in Long Delays in Melanoma Diagnoses,” we reported how pathology shortages were causing some patients to wait for more than a month for a melanoma diagnosis, and that the situation is putting cancer patients’ lives at risk.

And in “Medical Laboratory Workers Again on Strike at Large Clinical Laboratory Company Locations around New Zealand,” we covered ongoing strikes by medical technicians, phlebotomists, and clinical laboratory scientists in New Zealand and how their complaints mirror similar complaints by healthcare and clinical laboratory workers in the US.

Clinical laboratory personnel can be exposed to dangerous diseases and toxic chemicals when procedures are not diligently followed. This latest situation in New Zealand serves as a reminder that following protective protocols is imperative in labs worldwide to protect workers and patients.

—JP Schlingman

Related Information:

Te Whatu Ora Finds ‘Significant’ Risks at Labs, Workers Catch Typhoid from Samples, Exposed to Fumes

How to Fix the NZ Laboratory Fiasco

Private Healthcare Pushing Auckland Labs to the Brink

Bryan Raill: Apex Union President Urges Te Whatu Ora to Thoroughly Assess Risk in New Zealand Laboratories

Pathology Lab Shortages in New Zealand Are One Cause in Long Delays in Melanoma Diagnoses

Medical Laboratory Workers Again on Strike at Large Clinical Laboratory Company Locations around New Zealand

Four Thousand New Zealand Medical Laboratory Scientists and Technicians Threatened to Strike over Low Pay and Poor Working Conditions

New Federal Rules on Sepsis Treatment Could Cost Hospitals Millions of Dollars in Medicare Reimbursements

Some hospital organizations are pushing back, stating that the new regulations are ‘too rigid’ and interfere with doctors’ treatment of patients

In August, the Biden administration finalized provisions for hospitals to meet specific treatment metrics for all patients with suspected sepsis. Hospitals that fail to meet these requirements risk the potential loss of millions of dollars in Medicare reimbursements annually. This new federal rule did not go over well with some in the hospital industry.

Sepsis kills about 350,000 people every year. One in three people who contract the deadly blood infection in hospitals die, according to the Centers for Disease Control and Prevention (CDC). Thus, the federal government has once again implemented a final rule that requires hospitals, clinical laboratories, and medical providers to take immediate actions to diagnose and treat sepsis patients.

The effort has elicited pushback from several healthcare organizations that say the measure is “too rigid” and “does not allow clinicians flexibility to determine how recommendations should apply to their specific patients,” according to Becker’s Hospital Review.

The quality measures are known as the Severe Sepsis/Septic Shock Early Management Bundle (SEP-1). The regulation compels doctors and clinical laboratories to:

  • Perform blood tests within a specific period of time to look for biomarkers in patients that may indicate sepsis, and to
  • Administer antibiotics within three hours after a possible case is identified.

It also mandates that certain other tests are performed, and intravenous fluids administered, to prevent blood pressure from dipping to dangerously low levels. 

“These are core things that everyone should do every time they see a septic patient,” Steven Simpson, MD, Professor of Medicine at the University of Kansas, told Fierce Healthcare. Simpson is also the chairman of the Sepsis Alliance, an advocacy group that works to battle sepsis.

Simpson believes there is enough evidence to prove that the SEP-1 guidelines result in improved patient care and outcomes and should be enforced.

“It is quite clear that this works better than what was present before, which was nothing,” he said. “If the current sepsis mortality rate could be cut by even 5%, we could save a lot of lives. Before, even if you were reporting 0% compliance, you didn’t lose your money. Now you actually have to do it,” Simpson noted.


“We are encouraged by the increased attention to sepsis and support CMS’ creation of a sepsis mortality measure that will encourage hospitals to pay more attention to the full breadth of sepsis care,” Chanu Rhee, MD (above), Infectious Disease/Critical Care Physician and Associate Hospital Epidemiologist at Brigham and Women’s Hospital, told Healthcare Finance. The new rule, however, requires doctors and medical laboratories to conduct tests and administer antibiotic treatment sooner than many healthcare providers deem wise. (Photo copyright: Brigham and Women’s Hospital.)

Healthcare Organizations Push Back against Final Rule

The recent final rule builds on previous federal efforts to combat sepsis. In 2015, the Centers for Medicare and Medicaid Services (CMS) first began attempting to reduce sepsis deaths with the implementation of SEP-1. That final rule updated the Medicare payment policies and rates under the Inpatient Prospective Payment System (IPPS) and Long-Term Care Hospitals Prospective Payment System (LTCH PPS).

Even then the rule elicited a response from the American Hospital Association (AHA), the Infectious Disease Society of America (IDSA), American College of Emergency Physicians (ACEP), the Society of Critical Care Medicine (SCCM), and the Society of Hospital Medicine (SHM). The organizations were concerned that the measure “encourages the overuse of broad-spectrum antibiotics,” according to a letter the AHA sent to then Acting Administrator of CMS Andrew Slavitt.

“By encouraging the use of broad spectrum antibiotics when more targeted ones will suffice, this measure promotes the overuse of the antibiotics that are our last line of defense against drug-resistant bacteria,” the AHA’s letter states.

In its recent coverage of the healthcare organizations’ pushback to CMS’ final rule, Healthcare Finance News explained, “The SEP-1 measure requires clinicians to provide a bundle of care to all patients with possible sepsis within three hours of recognition. … But the SEP-1 measure doesn’t take into account that many serious conditions present in a similar fashion to sepsis … Pushing clinicians to treat all these patients as if they have sepsis … leads to overuse of broad-spectrum antibiotics, which can be harmful to patients who are not infected, those who are infected with viruses rather than bacteria, and those who could safely be treated with narrower-spectrum antibiotics.”

CMS’ latest rule follows the same evolutionary path as previous federal guidelines. In August 2007, CMS announced that Medicare would no longer pay for additional costs associated with preventable errors, including situations known as Never Events. These are “adverse events that are serious, largely preventable, and of concern to both the public and healthcare providers for the purpose of public accountability,” according to the Leapfrog Group.

In 2014, the CDC suggested that all US hospitals have an antibiotic stewardship program (ASP) to measure and improve how antibiotics are prescribed by clinicians and utilized by patients.

Research Does Not Show Federal Sepsis Programs Work

In a paper published in the Journal of the American Medical Association (JAMA) titled, “The Importance of Shifting Sepsis Quality Measures from Processes to Outcomes,” Chanu Rhee, MD, Infectious Disease/Critical Care Physician and Associate Hospital Epidemiologist at Brigham and Women’s Hospital and Associate Professor of Population Medicine at Harvard Medical School, stressed his concerns about the new regulations.

He points to analysis showing that although use of broad-spectrum antibiotics increased after the original 2015 SEP-1 regulations were introduced, there has been little change in patient outcomes.

“Unfortunately, we do not have good evidence that implementation of the sepsis policy has led to an improvement in sepsis mortality rates,” Rhee told Fierce Healthcare.

Rhee believes that the latest regulations are a step in the right direction, but that more needs to be done for sepsis care. “Retiring past measures and refining future ones will help stimulate new innovations in diagnosis and treatment and ultimately improve outcomes for the many patients affected by sepsis,” he told Healthcare Finance.

Sepsis is very difficult to diagnose quickly and accurately. Delaying treatment could result in serious consequences. But clinical laboratory blood tests for blood infections can take up to three days to produce a result. During that time, a patient could be receiving the wrong antibiotic for the infection, which could lead to worse problems.

The new federal regulation is designed to ensure that patients receive the best care possible when dealing with sepsis and to lower mortality rates in those patients. It remains to be seen if it will have the desired effect.

—Jillia Schlingman

Related Information:

Feds Hope to Cut Sepsis Deaths by Hitching Medicare Payments to Treatment Stats

Healthcare Associations Push Back on CMS’ Sepsis Rule, Advocate Tweaks

Value-Based Purchasing (VBP) and SEP-1: What You Should Know

NIGMS: Sepsis Fact Sheet

CDC: What is Sepsis?

CDC: Core Elements of Antibiotic Stewardship

The Importance of Shifting Sepsis Quality Measures from Processes to Outcomes

Association Between Implementation of the Severe Sepsis and Septic Shock Early Management Bundle Performance Measure and Outcomes in Patients with Suspected Sepsis in US Hospitals

Infectious Diseases Society of America Position Paper: Recommended Revisions to the National Severe Sepsis and Septic Shock Early Management Bundle (SEP-1) Sepsis Quality Measure

CMS to Improve Quality of Care during Hospital Inpatient Stays – 2014

IT Experts Demonstrate How AI and Computer Microphones Can Be Used to Figure Out Passwords and Break into Customer Accounts

Clinical laboratories and pathology groups should be on the alert to this new digital threat; telehealth sessions and video conferencing calls particularly vulnerable to acoustic AI attacks

Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.

AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.

Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.

The new AI cyberattack employs an acoustic side channel attack (SCA). An SCA is an attack enabled by the leakage of information from a physical computer system, here the sound a keyboard makes. The acoustic SCA records keystrokes through a computer’s microphone and uses a deep learning model to guess the typed password with 95% accuracy.

That’s according to a UK study published in IEEE Xplore, a journal of the IEEE European Symposium on Security and Privacy Workshops, titled, “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards.”

“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.

Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.

This nefarious technological advance could spell trouble for healthcare security. Using acoustic SCA attacks, busy healthcare facilities, clinical laboratories, and telehealth appointments could all be potentially compromised.

“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng (above), and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are completely ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high. (Photo copyright: CNBC.)

Why Do Hackers Target Healthcare?

Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021, costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.

Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”

With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.

“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network, “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”

Vulnerabilities of Telehealth

In “Penn Medicine Study Shows Telemedicine Can Cut Employer Healthcare Costs by 25%,” Dark Daily reported a study conducted by the Perelman School of Medicine at the University of Pennsylvania (Penn Medicine) which suggested there could be significant financial advantages for hospitals that conduct telehealth visits. This, we projected, would be a boon to clinical laboratories that perform medical testing for telemedicine providers.

But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.

“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.

“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.

Higgins elaborated on why healthcare is a highly targeted industry for hackers.

“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”

Steps Healthcare Organizations Should Take to Prevent Cyberattacks

Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.

“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”

To combat these attacks, patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. The same acoustic SCA techniques demonstrated against bank account passwords could easily be turned against the credentials that protect healthcare organizations’ patient records.

Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology; healthcare leaders need to be one step ahead of them.

—Ashley Croce

Related Information:

How Hackers Are Using AI to Steal Your Bank Account Password

A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards

AI Can Steal Passwords with 95% Accuracy by ‘Listening’ to Keystrokes, Alarming Study Finds

New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy

Can A.I. Steal Your Password? Study Finds 95% Accuracy by Listening to Keyboard Typing

Ransomware in Healthcare: What You Need to Know

Hospital 2040: How Healthcare Cybercrime is Predicted to Escalate

30 Crucial Cybersecurity Statistics (2023): Data, Trends and More

Penn Medicine Study Shows Telemedicine Can Cut Employer Healthcare Costs by 25%

Johns Hopkins Researchers Determine 795,000 Americans Harmed from Diagnostic Errors Annually

Clinical laboratories can play a critical role in helping doctors to order correct tests and interpret the results

Nearly 800,000 Americans die or are permanently disabled each year due to diagnostic errors. That’s according to research conducted at Johns Hopkins School of Medicine that found most misdiagnoses are due to cognitive errors on the part of the treating physicians. Many diagnoses typically begin with, and are often achieved through, clinical laboratory testing. For that reason, the range of diagnostic errors identified in this study will interest pathologists and lab managers.

Of course, many types of diagnostic errors have nothing to do with lab tests. That said, the research team noted that some diagnostic errors take place when physicians do not pay attention to test results that indicate a patient is not doing well, or do not understand the significance of the test results. There are also examples where doctors order the wrong lab tests for patients’ symptoms.

The Johns Hopkins study findings were published in the journal BMJ Quality and Safety titled, “Burden of Serious Harms from Diagnostic Error in the USA.” The research team determined that only 15 diseases “accounted for 50.7% of total serious harms” and nearly 40% of those harms involved just five medical conditions:

These can be narrowed down even further to just three categories, the researchers noted in BMJ Quality and Safety. They are:

  • Major vascular events,
  • Infections, and
  • Cancers.

In an interview with CNN Health, lead author of the study David Newman-Toker, MD, PhD, a neurology professor at Johns Hopkins and Director of the Division of Neuro-Visual and Vestibular Disorders, said “These are relatively common diseases that are missed relatively commonly and are associated with significant amounts of harm.”

David Newman-Toker, MD, PhD

“We focused here on the serious harms, but the number of diagnostic errors that happen out there in the US each year is probably somewhere on the order of magnitude of 50 to 100 million,” neurologist David Newman-Toker, MD, PhD (above), professor and Director of the Division of Neuro-Visual and Vestibular Disorders at Johns Hopkins, who led the study, told STAT. “If you actually look, you see it’s happening all the time.” Clinical laboratories play a key role in ensuring correct understanding of the tests they perform. (Photo copyright: Johns Hopkins University.)

Changes to Healthcare Risk Management

According to Newman-Toker, the Johns Hopkins study is “the first population health estimate of the number of patients seriously harmed. It also provides more information about the distribution of the diseases that are involved,” Relias Media reported.

The sheer volume of this issue is not lost on the researchers. Newman-Toker likens it to measuring an iceberg.

“You dive below the surface, and you measure the circumference of the iceberg, and [you] will say, ‘Oh my gosh, it’s really big down here.’ And then you go five more feet, and you measure the circumference, and it keeps getting bigger. By the time you’re 20 feet below the surface, you realize this is huge,” he told Relias Media.  

Newman-Toker believes his team’s research offers an opportunity for physicians and healthcare risk managers to better understand how exactly to prioritize their resources and focus their efforts. “In terms of how it informs their day-to-day decision-making, it really is rebalancing some of the efforts a little bit in the direction of conditions that are more common and more commonly misdiagnosed than perhaps indicated by simply looking at claims data,” he noted.

Vascular events can present with symptoms typical of much less serious conditions. Strokes, for example, can present with vague symptoms such as a headache or dizziness. This is similar to heart attacks, which can present simply as chest pain. However, heart attacks are misdiagnosed far less often than strokes because of a decades-long effort to eradicate those diagnostic errors.

“Diagnostic errors are errors of omission,” Daniel Yang, MD, an internist and Program Director for the Diagnostic Excellence Initiative at the Gordon and Betty Moore Foundation, told CNN Health. “The question is: Could [the outcome] be prevented if we had done something differently earlier on? Oftentimes, that’s a judgment call that two doctors might disagree on.”

Physicians and risk managers can work together to determine the best course of action to identify vague symptoms and prevent the deaths and serious injuries that can come from diagnostic errors.

Economic Cost of Misdiagnosis

Misdiagnosis also comes with a huge economic burden. William Padula, PhD, Assistant Professor of Pharmaceutical and Health Economics at USC Mann School of Pharmacy and Pharmaceutical Sciences, laid out the cost burden for STAT News.

“A patient comes into the ED with a headache or dizziness, and they get told it’ll go away, and then they go home. And then a week later, you find out that they [had] a stroke,” he explained. “By then, the stroke has compounded so much that what could have been addressed in the moment … for $10,000 now becomes a $100,000 issue. … So, there’s a margin of $90,000 that has been added to the US health system burden because of the misdiagnosis.”

Padula estimates that the total cost of these misdiagnoses to the healthcare system could come to as much as $100 billion.

What’s the Solution?

How can physicians avoid misdiagnoses and keep their patients safe? Newman-Toker suggests that physicians consult with other doctors. “I believe that the quickest way to solve the diagnostic error problem in the real world would be to construct approaches that basically rely on the ‘phone a friend’ model,” he told STAT News.

“This doesn’t mean that the patient should have to seek a second opinion, but rather that providers should make it standard practice to consult with a colleague before providing a diagnosis or dismissing a patient,” STAT News added.

Clinical laboratory professionals should note that while these misdiagnoses do not take place in the lab, doctors may order incorrect tests for patients by misreading their symptoms. Thus, clinical pathologists and lab scientists can play a critical role in helping doctors to order the correct tests for their patients and accurately interpret the results.

—Ashley Croce

Related Information:

Burden of Serious Harms from Diagnostic Error in the USA

Burden of Harm from Diagnostic Error Still High

Diagnostic Errors Linked to Nearly 800,000 Deaths or Cases of Permanent Disability in US Each Year, Study Estimates

Misdiagnoses Cost the US 800,000 Deaths and Serious Disabilities Every Year, Study Finds

Cognitive Errors in Clinical Decision Making

What is Diagnostic Error?

Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be for sale on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.

Anne Wojcicki

Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts had opted into the DNA Relatives feature on its website, which lets users find and connect with people related to them. Because that feature shows each participant the profile information of their matches, a single hijacked account exposed data belonging to many other customers who were never themselves logged into. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
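The two patterns described above, a source replaying recycled credentials across many accounts and a hijacked account harvesting relatives’ profiles, are both visible in ordinary authentication and API logs. The following Python sketch is an added example, not 23andMe’s code or anything the company has described: the log line format, the event names, the thresholds, and every sample line are constructed for illustration and would need to be mapped onto a real service’s logging.

```python
"""Spot credential stuffing and relatives-profile scraping in auth/API logs.

Added example, not 23andMe's code. The line format, event names, thresholds
and all sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed line format: "<timestamp> <client_ip> <event> user=<account> [status=ok|fail]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<event>login|relatives_view)\s+user=(?P<user>\S+)"
    r"(?:\s+status=(?P<status>ok|fail))?\s*$"
)

# Thresholds are assumptions; tune them against the service's real traffic.
MIN_DISTINCT_ACCOUNTS = 5   # accounts tried from one IP before it looks like a list replay
MIN_FAIL_RATIO = 0.5        # a stuffing list mostly misses, so failures dominate
MAX_RELATIVE_VIEWS = 50     # relative-profile views per account beyond normal browsing


def parse(log_text):
    """Yield parsed events as dicts; lines that do not match are skipped, not raised."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text):
    """Return flagged source IPs (with the accounts they got into) and scraping accounts."""
    tried = defaultdict(set)        # ip -> distinct accounts attempted
    fails = Counter()               # ip -> failed logins
    oks = Counter()                 # ip -> successful logins
    ok_accounts = defaultdict(set)  # ip -> accounts that succeeded (takeovers to reset)
    views = Counter()               # account -> relatives_view events
    for ev in parse(log_text):
        if ev["event"] == "login":
            tried[ev["ip"]].add(ev["user"])
            if ev["status"] == "ok":
                oks[ev["ip"]] += 1
                ok_accounts[ev["ip"]].add(ev["user"])
            else:
                fails[ev["ip"]] += 1
        else:
            views[ev["user"]] += 1

    stuffing = {}
    for ip, accounts in tried.items():
        total = fails[ip] + oks[ip]  # never zero: the ip is in `tried` only after a login
        if len(accounts) >= MIN_DISTINCT_ACCOUNTS and fails[ip] / total >= MIN_FAIL_RATIO:
            stuffing[ip] = sorted(ok_accounts[ip])
    scraping = {u: n for u, n in views.items() if n >= MAX_RELATIVE_VIEWS}
    return {"credential_stuffing": stuffing, "relatives_scraping": scraping}


# Constructed sample: one IP walks a leaked credential list (two hits out of seven),
# then uses a hijacked account to pull 60 relative profiles; a normal user mistypes
# once, logs in, and looks at two relatives.
_ATTACKER = "203.0.113.7"
_SAMPLE_LINES = [
    f"2023-10-01T10:00:0{i}Z {_ATTACKER} login user={u} status={s}"
    for i, (u, s) in enumerate([("alice", "fail"), ("bob", "fail"), ("carol", "ok"),
                                ("dave", "fail"), ("erin", "fail"), ("frank", "ok"),
                                ("gina", "fail")])
]
_SAMPLE_LINES += [f"2023-10-01T10:01:{i:02d}Z {_ATTACKER} relatives_view user=carol"
                  for i in range(60)]
_SAMPLE_LINES += [
    "2023-10-01T10:05:00Z 198.51.100.4 login user=grace status=fail",
    "2023-10-01T10:05:04Z 198.51.100.4 login user=grace status=ok",
    "2023-10-01T10:06:00Z 198.51.100.4 relatives_view user=grace",
    "2023-10-01T10:06:01Z 198.51.100.4 relatives_view user=grace",
    "this line is deliberately malformed and must be ignored",
]
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)

if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    for ip, accounts in report["credential_stuffing"].items():
        print(f"credential stuffing from {ip}; force reset + session revoke for {accounts}")
    for user, n in report["relatives_scraping"].items():
        print(f"{user} viewed {n} relative profiles; throttle and review the account")
```

The successful logins inside a flagged burst are the accounts that actually need a forced password reset and session revocation; the relatives-view count is the signal that a takeover is being used to harvest other people’s data, which is what turned a handful of compromised 23andMe logins into a leak affecting many more customers.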

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit, filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information on Mark Zuckerberg, Elon Musk, and Sergey Brin was among the leaked data, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Years of warnings from experts that genetics companies like 23andMe need stricter data security have proven well founded. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy
