News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Johns Hopkins Researchers Determine 795,000 Americans Harmed from Diagnostic Errors Annually

Clinical laboratories can play a critical role in helping doctors to order correct tests and interpret the results

Nearly 800,000 Americans die or are permanently disabled each year due to diagnostic errors. That’s according to research conducted at Johns Hopkins School of Medicine that found most misdiagnoses are due to cognitive errors on the part of the treating physicians. Many diagnoses typically begin with, and are often achieved through, clinical laboratory testing. For that reason, the range of diagnostic errors identified in this study will interest pathologists and lab managers.

Of course, many types of diagnostic errors have nothing to do with lab tests. That said, the research team noted that some diagnostic errors take place when physicians do not pay attention to test results that indicate a patient is not doing well, or do not understand the significance of the test results. There are also examples where doctors order the wrong lab tests for patients’ symptoms.

The Johns Hopkins study findings were published in the journal BMJ Quality and Safety titled, “Burden of Serious Harms from Diagnostic Error in the USA.” The research team determined that only 15 diseases “accounted for 50.7% of total serious harms” and nearly 40% of those harms involved just five medical conditions:

These can be narrowed down even further to just three categories, the researchers noted in BMJ Quality and Safety. They are:

  • Major vascular events,
  • Infections, and
  • Cancers.

In an interview with CNN Health, lead author of the study David Newman-Toker, MD, PhD, a neurology professor at Johns Hopkins and Director of the Division of Neuro-Visual and Vestibular Disorders, said “These are relatively common diseases that are missed relatively commonly and are associated with significant amounts of harm.”


“We focused here on the serious harms, but the number of diagnostic errors that happen out there in the US each year is probably somewhere on the order of magnitude of 50 to 100 million,” neurologist David Newman-Toker, MD, PhD (above), professor and Director of the Division of Neuro-Visual and Vestibular Disorders at Johns Hopkins, who led the study, told STAT. “If you actually look, you see it’s happening all the time.” Clinical laboratories play a key role in ensuring correct understanding of the tests they perform. (Photo copyright: Johns Hopkins University.)

Changes to Healthcare Risk Management

According to Newman-Toker, the Johns Hopkins study is “the first population health estimate of the number of patients seriously harmed. It also provides more information about the distribution of the diseases that are involved,” Relias Media reported.

The sheer volume of this issue is not lost on the researchers. Newman-Toker likens it to measuring an iceberg.

“You dive below the surface, and you measure the circumference of the iceberg, and [you] will say, ‘Oh my gosh, it’s really big down here.’ And then you go five more feet, and you measure the circumference, and it keeps getting bigger. By the time you’re 20 feet below the surface, you realize this is huge,” he told Relias Media.  

Newman-Toker believes his team’s research offers an opportunity for physicians and healthcare risk managers to better understand how exactly to prioritize their resources and focus their efforts. “In terms of how it informs their day-to-day decision-making, it really is rebalancing some of the efforts a little bit in the direction of conditions that are more common and more commonly misdiagnosed than perhaps indicated by simply looking at claims data,” he noted.

Vascular events can present in symptoms typical of much less serious conditions. Strokes, for example, can present with vague symptoms such as a headache or dizziness. This is similar to heart attacks, which can just present as chest pains. However, heart attacks are far less misdiagnosed than strokes because of a decades-long effort to eradicate those diagnostic errors.

“Diagnostic errors are errors of omission,” Daniel Yang, MD, an internist and Program Director for the Diagnostic Excellence Initiative at the Gordon and Betty Moore Foundation, told CNN Health. “The question is: Could [the outcome] be prevented if we had done something differently earlier on? Oftentimes, that’s a judgment call that two doctors might disagree on.”

Physicians and risk managers can work together to determine the best course of action to identify vague symptoms and prevent the deaths and serious injuries that can come from diagnostic errors.

Economic Cost of Misdiagnosis

Misdiagnosis also comes with a huge economic burden. William Padula, PhD, Assistant Professor of Pharmaceutical and Health Economics at USC Mann School of Pharmacy and Pharmaceutical Sciences, laid out the cost burden for STAT News.

“A patient comes into the ED with a headache or dizziness, and they get told it’ll go away, and then they go home. And then a week later, you find out that they [had] a stroke,” he explained. “By then, the stroke has compounded so much that what could have been addressed in the moment … for $10,000 now becomes a $100,000 issue. … So, there’s a margin of $90,000 that has been added to the US health system burden because of the misdiagnosis.”

Padula estimates that the total cost for these misdiagnoses could come to as much as $100 billion on the healthcare system.

What’s the Solution?

How can physicians avoid misdiagnoses and keep their patients safe? Newman-Toker suggests that physicians consult with other doctors. “I believe that the quickest way to solve the diagnostic error problem in the real world would be to construct approaches that basically rely on the ‘phone a friend’ model,” he told STAT News.

“This doesn’t mean that the patient should have to seek a second opinion, but rather that providers should make it standard practice to consult with a colleague before providing a diagnosis or dismissing a patient,” STAT News added.

Clinical laboratory professionals should note that while these misdiagnoses do not take place in the lab, doctors may order incorrect tests for patients by misreading their symptoms. Thus, clinical pathologists and lab scientists can play a critical role in helping doctors to order the correct tests for their patients and accurately interpret the results.

—Ashley Croce

Related Information:

Burden of Serious Harms from Diagnostic Error in the USA

Burden of Harm from Diagnostic Error Still High

Diagnostic Errors Linked to Nearly 800,000 Deaths or Cases of Permanent Disability in US Each Year, Study Estimates

Misdiagnoses Cost the US 800,000 Deaths and Serious Disabilities Every Year, Study Finds

Cognitive Errors in Clinical Decision Making

What is Diagnostic Error?

Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.


Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

The leaked data has been confirmed by 23andMe to be legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts belonged to users who had chosen the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin was part of the leak, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Years of warnings from experts that genetics companies like 23andMe need stricter data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

CMS Proposes New Amendments to Federal Hospital Price Transparency Rule That May Affect Clinical Laboratories and Pathology Groups

Proposal comes as patient advocacy group reports poor compliance by hospitals with the federal price transparency regulation; AHA pushes back

Recent data compiled by Patient Rights Advocate, a non-profit group dedicated to nationwide healthcare transparency, appears to indicate that as many as two thirds of US hospitals continue to ignore hospital transparency rules established by Congress in 2021, according to an op-ed published in the Washington Examiner.

This may be why the Biden Administration has now proposed new amendments aimed at strengthening those requirements. According to KFF Health News (formerly Kaiser Health News), this new proposal “aims to further standardize the required data, increase its usefulness for consumers, and boost enforcement.”

However, “the goal of exact price tags in every situation is likely to remain elusive,” KFF Health News noted.

“Noncompliant hospitals are preventing patients and payers from shopping around for high-value care—and inflating healthcare costs in the process,” wrote Sally C. Pipes, President and CEO of Pacific Research Institute, in her Washington Examiner column.

Pathologists who were near the top of a Health Care Cost Institute (HCCI) list of medical specialties that most often billed out of network may be affected by CMS’ proposed new amendments to the transparency rule.

“The nonprofit group Patient Rights Advocate just published its fifth report exploring how hospitals are complying with federal price transparency requirements. About two-thirds are still flouting the rules. That’s unacceptable,” wrote Sally Pipes (above), President and CEO of Pacific Research Institute, in an op-ed she penned for the Washington Examiner. Federal law also requires clinical laboratories to post their prices for testing. (Photo copyright: The Heartland Institute.)

Hospitals, Clinical Laboratories Required to Post Chargemaster Prices

The proposed amendments were part of a larger proposed rule published in the July 31, 2023, Federal Register by the Centers for Medicare and Medicaid Services (CMS).

Dark Daily has long been reporting on the federal government’s efforts to mandate Hospital Price Transparency (HPT). Beginning Jan. 1, 2019, hospitals have been required to post pricing information on their websites, as Dark Daily reported in “New CMS Final Rule Makes Clinical Laboratory Test/Procedure Pricing Listed on Hospital Chargemasters Available to Public.”

That rule required hospitals to disclose chargemaster prices, essentially the “list prices” for hospital procedures.

But a year later, as we reported in “Hospital Associations and Healthcare Groups Battle HHS Efforts to Expand Pricing Transparency Rules to Include Negotiated Rates with Payers,” the CMS passed a final rule that required disclosure of prices negotiated with payers.

That rule also required hospitals to provide a list of charges for at least 300 “shoppable services,” including at least 14 laboratory and pathology tests.

“We’re closer to that, but we’re not there,” Gerard Anderson, PhD, a professor at the Johns Hopkins Bloomberg School of Public Health, told KFF. The goal may be the kind of pricing transparency that consumers are accustomed to when purchasing goods and services, but healthcare, he said, poses unique challenges.

“Each patient is unique and uses a slightly different bundle of services,” Anderson added. “You might be in the operating room for 30 minutes, or it might be 45. You might need this lab test and not that one.”

The KFF Health News story noted that health insurers have been subject to even stricter regulations, “with more prescriptive details and tougher penalties for noncompliance,” since 2022. CMS’ latest proposed amendments would bring requirements for hospitals that are more in line with those that apply to payers, KFF reported.

As described in the Federal Register, the proposed rule aims to:

  • Improve standardization of machine-readable file (MRF) formats and data elements.
  • Require hospitals to include a new data element known as the “consumer-friendly expected allowed charges,” KFF Health News noted.
  • Require hospitals to “affirm the accuracy and completeness of their standard charge information displayed in the MRF.”
  • Require hospitals to place a link to pricing information in the footers of their web pages.

The rule also includes provisions for enhanced enforcement of pricing transparency requirements. Under one proposal, CMS would publicly identify hospitals that are not in compliance.

Jeffrey Leibach, MBA, a healthcare finance strategist and Partner with the consulting firm Guidehouse, told KFF Health News that the new rules will make it easier for third-party data firms to create online price comparison tools. “And, ultimately, consumers who want to shop will then find this data more easily,” he said.

The proposal comes on the heels of a July report from Patient Rights Advocate (PRA) indicating that only 36% of US hospitals were in full compliance with the current transparency requirements. The report was based on an analysis of 2,000 hospital websites. However, that was an improvement over earlier reports. In February, the group reported that 24.5% were fully compliant, compared with 16% in August 2022.

Most hospitals in the report posted negotiated prices, but in many cases, “their pricing data was missing or significantly incomplete,” PRA contended. A total of 69 hospitals “did not post a usable standard charges file,” the report stated.

PRA Uses Humor to Highlight Discrepancies, AHA Pushes Back

According to KFF Health News, PRA is running a satirical ad campaign in which retailers adopt the “hospital pricing method,” listing estimates on store shelves instead of actual prices.

“When they ask for a price, we give them an estimate,” says one retail manager in the video ad. “Then we bill them whatever we want.”

This new video pokes fun at the lack of price transparency in healthcare. The American Hospital Association took issue with the clip’s tone.

“People need price certainty,” PRA founder and Chairman Cynthia Fisher, MBA, told KFF Health News. “Estimates are a way of gaming the people who pay for healthcare.”

However, executives from the American Hospital Association (AHA) pushed back on the video ad and PRA’s claims about HPT compliance. AHA contends that hospitals were flagged as being noncompliant if they left spaces blank or used formulas, both of which are permitted under the current rules.

“Very few health services are so straightforward where you can expect no variation in the course of care, which could then result in a different cost than the original assessment,” AHA Group Vice President for public policy Molly Smith, MS, told KFF. “Organizations are doing the best they can to provide the closest estimate. If something changes in the course of your care, that estimate might adjust.”

As for the July PRA report, in a July 25 AHA press release, Smith stated, “Patient Rights Advocate has put out a report that blatantly misconstrues, ignores, and mischaracterizes hospitals’ compliance with federal price transparency regulations.”

CMS, she said, “has found that as of last year 70% of hospitals had complied with both federal requirements and over 80% had complied with at least one. Due to the ongoing efforts of the hospital field, these numbers are surely higher today. Third party analyses have agreed that hospitals have made tremendous progress.”

But then what is motivating the government’s new amendments to the price transparency rule? Regardless, clinical laboratories and pathology groups should continue to monitor progress of these new amendments to the federal hospital transparency rule.

—Stephen Beale

Related Information:

Hospitals Are Still Neglecting Transparency Rules

Proposed Rule Would Make Hospital Prices Even More Transparent

CMS Proposes Updates to the Hospital Price Transparency Rule

A Progress Check on Hospital Price Transparency

Price Transparency: A Boon For Patients, a Bust for Hospitals?

Just More than a Third of Hospitals Are Complying with Price Transparency Rules

Scientists and Medical Professionals Face Huge Fees, Court Costs after Speaking at Certain COVID-19 Webinars

Little-known Polish company relied on suspect arbitration court to demand thousands of euros from conference speakers

Clinical laboratory and pathology professionals may want to heed the phrase “caveat emptor” (“let the buyer beware”) if invited to speak at events organized by little-known entities. That appears to be the lesson from a rather bizarre story coming out of Poland involving scholars from multiple countries who agreed to speak during a series of online COVID-19 webinars and who were later billed thousands of euros for their participation.

In “Costly Invite? Scientists Hit with Massive Bills after Speaking at COVID-19 ‘Webinars,’” Science magazine reported that in 2020 and 2021, dozens of researchers were invited by a Polish company called Villa Europa to speak in a series of online conferences about modeling of COVID-19.

But months after the event, the organizer demanded payment for the researchers’ participation, and in some cases, turned to a Polish arbitration court to enforce the demand. But in a curious twist, the legitimacy of that court has itself been called into question.

“I was interested in the topic, and I agreed to participate,” Björn Johansson, MD, told Science. “I thought it was going to be an ordinary academic seminar. It was an easy decision for me.” Johansson, a physician and researcher at the Karolinska Institute in Sweden, has since “come to regret that decision,” the publication reported.

Villa Europa is now seeking €80,000 ($86,912 in current US dollars) from Johansson, including legal costs and interest, after turning to a Swedish court. Others have received demands for €13,000 to €25,000 ($14,123 to $27,156) in fees, late payment penalties, and court costs, Science reported.

Researchers Axel Brandenburg, PhD (left), and Björn Johansson, MD (right), are two of the 32 scholars from six countries who are now being billed thousands of euros for their participation in the Villa Europa COVID-19 modeling webinars. Pathology and clinical laboratory leaders who receive similar invitations may want to thoroughly read the contracts before agreeing to participate. (Photo copyright: Axel Brandenburg, Björn Johansson.)

How Did It All Happen?

According to Science, the ordeal began when an individual named Matteo Ferensby invited the scientists to speak at the webinars. His email signature indicated an affiliation with the University of Warsaw, but the university “has no employee by that name, according to the institution’s press office,” Science reported, adding that “there is no track record of scientific publications from a Matteo Ferensby.”

By one speaker’s count, the company produced at least 11 webinars between April 2020 and June 2021. “The speakers themselves—about 10 people in each session—were the only audience, but participants were told the recordings would be published open access afterward,” Science reported.

Ferensby did not disclose that speakers would be charged conference fees. In fact, one speaker was told explicitly that no fees would be requested, Science noted.

However, the speakers were later asked to sign a license agreement that would allow the organizer to publish the recordings. It included a clause on the last page stating that they would have to pay fees of €790 and €2785 (US$859 and $3,029) related to publication.

The financial amounts were written in words rather than numbers with no highlighting, according to Science, which reviewed some of the contracts.

“Many of the speakers, already busy studying COVID-19 and under pressure from the transition to remote teaching, did not notice these clauses,” Science reported. Said one speaker: “The contract was unreadable [but] I eventually sent it.”

Questionable Arbitration

Some of the webinar participants told Science that they later received altered versions of the contracts with “an additional page where the fees are made explicit, and [with] modified clauses, one of them stating that disputes can be settled by a Polish arbitration court.”

That court, identified as Pan-Europejski-Sąd-Arbitrażowy (Pan European Arbitration Court or PESA), apparently does not exist. Agnieszka Durlik, JD, Director General of The Arbitration Court at the Polish Chamber of Commerce, told Science that she had never heard of PESA, and that it appears Villa Europa set up the PESA website.

“In my opinion this is fraud,” Durlik said. Nevertheless, Villa Europa used alleged rulings by PESA to go after some of the speakers in their own local courts.

“For the researchers now under pressure from the courts, ignoring the demands is not an option,” Science reported. “They have all submitted court filings supporting their case.”

The speakers claim that “the demands are illegitimate and that they were deceived about what they were signing in the contracts,” Science noted. One speaker, Axel Brandenburg, PhD, of the Nordic Institute for Theoretical Physics (NORDITA), is awaiting a ruling in September, Science reported.

Warnings against Predatory Conferences

The story comes amid increasing concerns about so-called “predatory conferences,” in which scientists are invited under false pretenses to participate in what appear to be legitimate meetings.

“Would-be attendees should expect missing plenary speakers, multiple fields of research smashed together in a Frankenstein program, and an absence of the important academic rigor that fuels the conferences that scientists know and love,” wrote senior science writer Ruairi J. Mackenzie in Technology Networks. “The companies organizing these events are motivated by profit above all else.”

Mackenzie offered several tips to help both speakers and attendees spot fake conferences:

  • Examine the promotional materials. “Whether you are studying an unprompted email or a conference webpage, look for shoddy writing quality or outlandish layouts.”
  • Check with your colleagues. “The dominant conferences in your field are probably in that position because they have proved time and time again that they can deliver a valuable experience for attendees.”
  • Look at other conferences from the same producer. If a company produces a high volume of conferences on a wide range of topics, that can be a sign that the quality will be shoddy, he suggested.
  • Look at the contact information. A legitimate conference should have ties to an established society or conference organizer. Get the address, and then look at that location in Google Street View to see if it’s the kind of building where you’d expect a legitimate company to be located.

The experience of these 32 scientific and medical scholars demonstrates that there is always a new twist in how honest citizens can be defrauded. For that reason, clinical laboratory managers and pathologists should be wary when approached by unknown organizations with speaking invitations, particularly in Europe.

—Stephen Beale

Related Information:

Costly Invite? Scientists Hit with Massive Bills after Speaking at COVID-19 ‘Webinars.’

The Ultimate Guide to Avoiding Predatory Conferences

The Alarming Rise of Predatory Conferences

The Ethics Blog: Predatory Conferences

Arbitrarily Applied: Another COVID-19 Scam, This Time On Scientists

California’s Statute Restricting Use of Moniker ‘Doctor’ to Only Physicians and Surgeons Challenged by Nurse Practitioners in Court Case

Plaintiffs claim state is criminalizing speaking the truth about their earned advanced degrees

Doctorate of Nursing Practice (DNP) is the highest degree that can be acquired by a nurse practitioner (NP). But can NPs who achieve this degree call themselves doctors? What about others who hold doctorates, such as PhDs in clinical laboratories?

According to the State of California—which has enacted a law restricting the use of the word “doctor” or the prefix “Dr.” in titles, online, or in business communications solely to physicians and surgeons—the answer is no.

Predictably, implementation of the law brought a lawsuit. In June, three California nurse practitioners with DNP degrees sued the California attorney general and leaders of the Medical Board of California and California Board of Registered Nursing.

They are seeking to block enforcement of the law, according to The Washington Post.

“The word ‘doctor’ doesn’t belong to physicians,” Jacqueline Palmer, DNP, one of the three NPs suing over California’s law restricting non-physician medical providers from using that word, told The Washington Post. Palmer argues that NPs should be able to use the word “doctor” or the prefix “Dr.” when describing themselves much like PhDs and other non-physicians do who hold doctorates. (Photo copyright: Jacqueline Palmer, DNP.)

Plaintiffs Claim Criminalization of the Truth

The statute in question is the California Business and Professions Code Section 2054, which is part of California’s Medical Practice Act, originally written in 1931.

Section 2054 of the statute states, “Any person who uses in any sign, business card, or letterhead, or, in an advertisement, the words doctor or physician, the letters or prefix Dr., the initials M.D., or any other terms or letters indicating or implying that he or she is a physician and surgeon, physician, surgeon, or practitioner under the terms of this or any other law, or that he or she is entitled to practice hereunder, or who represents or holds himself or herself out as a physician and surgeon, physician, surgeon, or practitioner under the terms of this or any other law, without having at the time of so doing a valid, unrevoked, and unsuspended certificate as a physician and surgeon under this chapter, is guilty of a misdemeanor.”

In their complaint, the three lawsuit plaintiffs state, “Defendants are California state officials charged with enforcing a law that criminalizes the truthful use of the title ‘Dr.’ by any healthcare professional who is not a licensed physician or surgeon. That means veterinarians, dentists, pharmacists, physical therapists, and nurse practitioners are subject to severe penalties if they truthfully refer to themselves as ‘doctor.’ This is true even where the doctor specifies the specific profession in which he or she has obtained his or her doctorate degree. The statute that mandates this regime goes far beyond patient protection and violates the First Amendment rights of doctors to truthfully describe themselves and their credentials.”

The three plaintiffs in the case are:

California is not the only state that restricts the use of the word “doctor” or “Dr.” but it is the strictest, according to Donna Matias, JD, Pacific Legal Foundation, the attorney representing the three plaintiffs.

“If you read the law literally, it appears to prohibit even PhDs and university professors from using the title,” she told the Post.

Previous Case Led to Stiff Penalties for Nurse Practitioner

In November of 2022, California Nurse Practitioner Sarah Erny, DNP, was fined a total of $22,500 by both the State of California and the State Medical Association for describing herself as a doctor on several professional online platforms without also including that she was a nurse, not a physician.

“While in most instances Ms. Erny indicated that she was a nurse practitioner, she failed to advise the public that she was not a medical doctor and failed to identify her supervising physician. Adding to the lack of clarity caused by referring to herself as ‘Dr. Sarah,’ online search results would list ‘Dr. Sarah Erny,’ without any mention of Ms. Erny’s nurse status,” wrote County of San Luis Obispo District Attorney Dan Dow, JD, in a statement.

Dow went on to say, “All forms of professional medical services advertising, including websites and social media accounts, must be free of deceptive or misleading information and must clearly identify the professional license held by the advertiser. Providing patients upfront with the proper title of our healthcare professionals aids consumers in making a more informed decision about their healthcare.”

Along with the financial penalties, Erny was ordered to “refrain from referring to herself as ‘doctor’ in her role of providing medical treatment to the public. [The judgement] also requires Ms. Erny to identify and make reasonable efforts to correct information on internet sites referring to her as ‘doctor’ or ‘Dr.’” the statement noted.

Speaking Truthfully about Advanced Degrees

Palmer spent 14 years in school pursuing her degrees. She feels her patients are smart enough to know the difference between her and a physician. “It’s not an ego trip; it’s not a power trip,” Palmer told the Post, “It’s just validation that I worked hard to get where I am today.”

The Pacific Legal Foundation argues in favor of the nurses by virtue of their advanced and in-depth training: “[After] years earning their advanced degrees and qualifications … they should be able to speak truthfully about them in their workplaces, on their business cards, the internet, and social media, so long as they clarify that they are nurse practitioners.”

Until the dust settles, NPs in California are taking precautions. Palmer said she has asked her patients to stop calling her “doctor” out of fear of being fined like Erny, a move she also claimed her patients protested against. “They all have said that they know that I worked hard for it,” she told the Post.

Clinical laboratory PhDs and others with advanced degrees may want to investigate their state’s requirements as to how they can legally refer to themselves.

—Ashley Croce

Related Information:

Should Nurses with Doctorates Be Called Doctor? Lawsuit Targets California Rule

Nurse Practitioners Sue State Over Right to Use ‘Doctor’ Title

Nurse Practitioners Sue California over Restricted Use of ‘Doctor’

Complaint for Declaratory and Injunctive Relief: United States District Court Central District of California

California Medical Practice Act

DNPs Can Face Heavy Fines If They Call Themselves Doctors. Some Are Fighting Back Against the Laws

Nurses with a Doctorate in Nursing Practice (DNP) Should Not Call Themselves “Doctor” in a Clinical Setting

California Business and Professions Code Section 2054

Nurse Practitioner (DNP) Fined $19K for Calling Self “Doctor Sarah”

District Attorney Dan Dow Announces Settlement with Arroyo Grande Nurse for Unlawfully Advertising Herself as “Doctor”

Major Data Breaches at Hospitals, Clinical Laboratories, and Health Plans Continue to Put Patient Data at Risk

Lapses in security measure testing can give healthcare employees a false sense of protection against data breaches, says cybersecurity expert

Cyberattacks on our nation’s hospitals, clinical laboratories, other healthcare organizations, and health plans continue to plague the healthcare industry. As of July 7, 2023, 324 data breaches have occurred and are currently under investigation, according to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal.

This has affected more than 39 million people, HealthITSecurity reported.

When cybercriminals attack hospitals, clinical laboratories, and other medical organizations, healthcare consumers’ protected health information (PHI) may be stolen.

Dark Daily has covered such cyberattacks extensively.

In “Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation,” we reported how in response to cyberattacks on two hospitals, medical laboratories in Florida and Maryland were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.

And in “Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company,” we covered how a single ransomware attack on a medical records company netted nearly a million PHI records from 28 healthcare providers in New York. This includes names, home addresses, treatment dates, health plan numbers, and internal account numbers of 934,138 patients.

Below is a list of the data breaches this year that affected the most people.

“The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker,” Ben Denkers (above), former Chief Innovation Officer at CynergisTek, told Dark Daily’s sister publication The Dark Report. He added that data breaches at clinical laboratories can start with “missteps” by lab employees who have a false sense of protection caused by lapses in testing a lab’s security measures. CynergisTek merged with Clearwater in 2022. (Photo copyright: CynergisTek.)

Top Data Breaches in First Six Months of 2023

Here are healthcare’s top 10 data breaches for the first half of 2023, listed by organizations with the most people affected, according to HHS:

  • Managed Care of North America, dental benefits organization, Atlanta, Georgia, 8.8 million individuals affected.
  • PharMerica Corporation, pharmacy services for skilled nursing, Louisville, Kentucky, 5.8 million individuals affected.
  • Regal Medical Group, Reseda, California, 3.3 million individuals affected.
  • Cerebral, mental health services, Claymont, Delaware, 3.1 million individuals affected.
  • NationsBenefits Holdings, supplemental benefits company, Plantation, Florida, three million individuals affected.
  • Harvard Pilgrim Health Care, health plan, Canton, Massachusetts, 2.5 million individuals affected.
  • Enzo Clinical Labs, clinical reference laboratory, Farmingdale, New York, 2.4 million individuals affected.
  • ZOLL Services, medical equipment, Pittsburgh, Pennsylvania, 997,097 individuals affected.
  • Community Health Systems, healthcare provider with 15,000 licensed beds at 89 acute care hospitals in 16 states, Brentwood, Tennessee, 962,884 individuals affected.
  • CentraState Healthcare System, healthcare provider with a 284-bed acute care medical center, an ambulatory campus, and an urgent care clinic, Freehold, New Jersey, 617,901 individuals affected.

Clinical Laboratory Brings in Cybersecurity Experts

Following a ransomware incident in April on its computer network, Enzo Clinical Labs in Farmingdale, New York, “immediately took steps to secure our systems and began an investigation with the assistance of a cybersecurity firm,” the lab’s Notice of Data Security Incident explains.

“The investigation determined an unauthorized party accessed files on our systems,” the notice continues. “The files contained patient names, dates of service, clinical test information, and, in some instances, Social Security numbers.”

Enzo “has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the lab’s Securities and Exchange Commission (SEC) filing.

Multiple Large Health Systems Suffer Data Breaches

At Community Health Systems (CHS) it was a security incident at Fortra, a cybersecurity firm engaged by CHS, that resulted in “unauthorized disclosure of patient information,” according to CHS’s Notice of Third Party Security Incident.

The extent of data theft from the breach of Fortra’s GoAnywhere MFT secure managed file transfer software was not immediately clear, HIPAA Journal reported.

“The personal information may have included full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and Social Security number,” the CHS notice explained.

At CentraState Healthcare System, “an unauthorized person obtained a copy of an archived database that stored certain patient information,” the healthcare provider’s Notice of Security Incident states. 

“There was no financial account and/or payment card information involved in this incident,” CentraState noted.

Financial Impact of Data Breaches

One effect on healthcare providers is the costly settlement of lawsuits that follow data breaches and allege failure to secure patients’ PHI. For example, according to Becker’s Health IT:

  • UMass Memorial Medical Center in Worcester, Massachusetts, paid $1.2 million “to settle a March 2022 lawsuit regarding a data breach of its payroll management system Kronos.”
  • Advent Health in Altamonte Springs, Florida, paid $500,000 “to settle a data breach lawsuit alleging that the health system failed to protect patients’ confidential information after a September 2021 data breach.”
  • CommonSpirit Health in Chicago spent $150 million recovering from a ransomware attack in October 2022 that also sparked lawsuits over stolen PHI.

Tips for Clinical Laboratories on Securing Patient Data

In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, former Chief Innovation Officer at CynergisTek, an Austin-based cybersecurity company which has since merged with healthcare cybersecurity and compliance company Clearwater, told Dark Daily’s sister publication The Dark Report, “The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker.”

Denkers advises that while training employees is important for cybersecurity because it aims at changing human behavior, laboratories and other healthcare organizations also need to audit the technological measures they have in place to protect data.

“What we find is that organizations have security technology or processes in place that are either not effective or not working as designed,” he said, adding that when data breaches do occur “it’s a complete blindside for a lot of organizations that think they have protections in place because they bought a product, or they developed a policy.

“Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations. I would recommend taking those steps,” he added.

Clinical laboratories hold vast amounts of patient data and cannot afford disruptions to testing and results reporting. Vigilance can help labs avoid catastrophic cyberattacks, keep their patients’ protected health information from being stolen, and prevent the lawsuits that follow a data breach.

—Donna Marie Pocius

Related Information:

US Department of Health and Human Services Office for Civil Rights Breach Portal

2023 Largest Health Data Breach So Far Brings Legal Flurry

Biggest Healthcare Data Breaches Reported This Year, So Far

Notice of Data Security Incident: Enzo Clinical Laboratories

Securities and Exchange Commission (SEC) Filing: Enzo

Third Party Security Incident Impacting Community Health Systems

Up to One Million Community Health Systems Patients Affected by GoAnywhere MFT Hack

CentraState Healthcare System Notice of Security Incident

How Much Three Health Systems are Paying to Resolve Cyberattacks

Sophisticated Cyberattacks Target Healthcare

Labs Must Audit Their Cybersecurity Measures

Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation

Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company
