Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information
Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.
The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.
LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.
According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”
The case is worth attention because it casts light on what the health system administration did or did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.
“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data.
Lawsuit Details
The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”
“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”
The plaintiff’s attorneys argued LVHN failed in its responsibility to protect patient information and was in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).
The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web.
“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.
Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:
$50 to patients whose records were hacked.
$1,000 to patients who had their information posted online.
$7,500 to patients whose non-nude photos were posted online.
$70,000 to $80,000 for patients who had their nude photos posted online.
“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”
Game Changing Data Breach
LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom, which led to the cybercriminals uploading the stolen data to the Dark Web.
“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.
“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”
“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”
Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.
LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.
LVHN has established a website for people seeking information about the cyberattack.
As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.
Dettwyler is set to retire at age 92 after a long career helping clinical laboratories with their coding and billing systems
When William Dettwyler, MT, began working in a clinical laboratory, Harry Truman was president of the United States and scientists had not yet discovered the structure of DNA. Now, as he approaches his 92nd birthday in March, he is finally ready to retire from a career that has spanned more than seven decades, from bench work as a medical laboratory technician (MLT) to assisting labs with their medical coding and medical billing challenges.
Along the way, one of his coding innovations helped the State of Oregon save substantial sums in its Medicaid program. He also helped many medical laboratories increase reimbursement by correcting their coding mistakes. This from someone who left school after eighth grade to help on his family’s farm in rural Oregon.
In an exclusive interview with Dark Daily, Dettwyler discussed his long career and offered pointers for labs on improving their coding and reimbursement procedures.
Back in the 1980s, when he began his consulting work for labs, “they were very poor at billing,” he recalled. “Hospital billing staff didn’t understand lab coding. Reference laboratories didn’t do a good job of picking the right codes or even billing all the codes. Up until around the 1970s, hospitals didn’t even have to bill individual lab procedures with CPT codes. They billed with a revenue center code for all their lab services.”
These days “people are much more sophisticated,” he notes. “There are fewer coding problems compared to what it was in the 1980s and 1990s up to the 2010s.” However, he says he still has a handful of clients who call on his expertise.
“It was not unusual to go to a large university medical center and in three days tell the CFO on my exit review that the following year their lab would bring in about a half million more in revenue, just from my coding review. But I did not reveal to them that I had only gone to the eighth grade in a little one room school and was the lone graduate in my eighth-grade class,” wrote William Dettwyler, MT, owner of Codus Medicus in Salem, Ore., in an article he penned for Medical Laboratory Observer. For 75 years Dettwyler worked in the clinical laboratory industry. For much of that time he helped labs all over America improve their coding and reimbursement systems.
How It All Began
Dettwyler got his first taste of lab work in the early 1950s as a teenager washing glassware for a medical laboratory technician at a local medical practice. A few years later he completed an MLT program at Oregon Institute of Technology in Klamath Falls and landed his first lab tech job at a clinic in Portland.
His entry to consulting came in the early 1970s while he was working for a medical group in Salem. “I was helping the accounting personnel with their billing and noticed that Medicaid was not paying for a common test for syphilis that I was performing,” he recalled. “I contacted Medicaid, and they told me they didn’t understand laboratory procedures.”
After that, “they started to call me frequently with laboratory questions,” he said. “It wasn’t long before they asked me to help them on a part-time basis.” He also assisted with questions related to radiology.
By 1976, Dettwyler was devoting 35 hours a week to assisting the state Medicaid agency while still working as a lab tech.
Simple Hack Ends Overpayments
One of his career highlights came around 1981, when he discovered that the agency was overpaying for some pathology and radiology procedures by as much as 200%.
“Pathologists and radiologists are paid based on whether they are performing the complete procedure—the technical component and the professional component—or just the professional component, where they interpret the results,” he explained.
When billing for just the professional component, the physicians would add two digits to the standard code, so it might come in as 88305-26. However, the state’s computer system could only accommodate a five-digit code, so the state was paying as if the providers had done everything.
“The computer techs said the software couldn’t handle a seven-digit number in a five-digit box, so I devised a way for the computer to read the equivalent of seven digits,” he recalled.
His solution was to modify the codes so that the last digit was an alphabetic character. Instead of billing for code 88305-26, the physicians would bill for 8830F, and the state would pay them correctly.
Around that time, Dettwyler also began assisting a Medicare office in Portland. This forced him to cut back on his work as a lab tech. But he still worked around 60 hours a week.
“For most of my life, I’ve worked three jobs,” he said. “Work is my hobby.” He also had a large family to support—by 1976, he and his wife had 10 kids.
Transition to Lab Consulting
In 1986, the state was facing a budget shortfall and cut its Medicaid consultants, so Dettwyler decided to seek consulting work with labs while continuing to work at the bench.
“I really liked the coding because I had very little competition,” he said. “But I wanted to keep working in the laboratory mainly to understand the problems.”
While working for the state, Dettwyler attended coding seminars and workshops. He noticed that labs were losing revenue due to poor billing practices. “They didn’t understand all the coding complexities, so they really hungered for this kind of assistance.”
But first, he had to find clients. So he partnered with another lab tech who was offering similar consulting services.
Business picked up after Dettwyler contributed an article to the trade publication Medical Laboratory Observer about his process, which he calls “procedure code verification and post payment analysis.”
“That went like gangbusters,” he said. “We started getting calls from all over the country.”
Dettwyler later split from his partner and went to work on his own.
“I would sit down with the person who was responsible for coding, usually the lab or radiology manager,” he explained. “We would go over the chargemaster and cover every procedure to make sure the code and units were correct. When I was done, I would give them a report of what codes we changed and why we changed them.”
Beginning in 1989, he signed on as a contractor for another consultancy, Health Systems Concepts on the East Coast, where he remained until 2019.
Advice to the Current Generation
What is Dettwyler’s advice for someone who wants to follow in his footsteps and assist labs with their coding? “I wouldn’t recommend it now,” he said. “There’s less need for that kind of assistance than in the past.”
However, he does find that labs still run into problems. The greatest need, he says, is in molecular diagnostics, due to the complexity of the procedures.
In addition, labs are sometimes confused by coding for therapeutic drug monitoring, in which a doctor is gauging a patient’s reaction to a therapy versus screening for substance abuse. “Those issues are often misunderstood,” he said.
Microbiology also poses coding challenges, he noted, because of the steps required to identify the pathogen and determine antibiotic susceptibility. “It requires quite a bit of additional coding,” he said. “Some labs don’t understand that they can’t just bill a code for culture and sensitivity. They have to bill for the individual portions.”
Labs that work with reference labs also have to be careful to verify codes for specific procedures. “I’ll review the codes used by reference labs and, surprisingly, they’re not always correct. Reference labs sometimes get it wrong.”
If someone does want to become a coding expert, Dettwyler suggests that “they should first have experience as a lab tech, especially in microbiology, because of the additional coding. And they should try to work with somebody who is already doing it. Then, they should work with the billing department to learn how it operates.”
He also advises clinical laboratory managers to follow the latest developments in the field by reading lab publications such as The Dark Report. “You have to do that to keep current,” he said.
Despite never completing high school, Dettwyler eventually received his GED and an associate degree. “But the degrees didn’t really help me,” he said. “Much of it was on-the-job training and keeping my eyes open and listening.”
Palmetto GBA’s Chief Medical Officer will cover how clinical laboratories billing for genetic testing should prepare for Z-Codes at the upcoming Executive War College in New Orleans
After multiple delays, UnitedHealthcare (UHC) commercial plans will soon require clinical laboratories to use Z-Codes when submitting claims for certain molecular diagnostic tests. Several private insurers, including UHC, already require use of Z-Codes in their Medicare Advantage plans, but beginning June 1, UHC will be the first to mandate use of the codes in its commercial plans as well. Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD, who oversees the coding system and is Chief Medical Officer at Palmetto GBA, expects that other private payers will follow.
“A Z-Code is a random string of characters that’s used, like a barcode, to identify a specific service by a specific lab,” Bien-Willner explained in an interview with Dark Daily. By themselves, he said, the codes don’t have much value. Their utility comes from the DEX Diagnostics Exchange registry, “where the code defines a specific genetic test and everything associated with it: The lab that is performing the test. The test’s intended use. The analytes that are being measured.”
The registry also contains qualitative information, such as, “Is this a good test? Is it reasonable and necessary?” he said.
Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD, Palmetto GBA’s Chief Medical Officer, will speak about Z-Codes and the MolDX program during several sessions at the upcoming Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management taking place in New Orleans on April 30-May 1. Clinical laboratories involved in genetic testing will want to attend these critical sessions.
Palmetto GBA Takes Control
Palmetto’s involvement with Z-Codes goes back to 2011, when the company established the MolDX program on behalf of the federal Centers for Medicare and Medicaid Services (CMS). The purpose was to handle processing of Medicare claims involving genetic tests. The coding system was originally developed by McKesson, and Palmetto adopted it as a more granular way to track use of the tests.
In 2017, McKesson merged its information technology business with Change Healthcare Holdings LLC to form Change Healthcare. Palmetto GBA acquired the Z-Codes and DEX registry from Change in 2020. Palmetto GBA had already been using the codes in MolDX and “we felt we needed better control of our own operations,” Bien-Willner explained.
In addition to administering MolDX, Palmetto is one of four regional Medicare contractors who require Z-Codes in claims for genetic tests. Collectively, the contractors handle Medicare claims submissions in 28 states.
Benefits of Z-Codes
Why require use of Z-Codes? Bien-Willner explained that the system addresses several fundamental issues with molecular diagnostic testing.
“Payers interact with labs through claims,” he said. “A claim will often have a CPT code [Current Procedural Terminology code] that doesn’t really explain what was done or why.”
In addition, “molecular diagnostic testing is mostly done with laboratory developed tests (LDTs), not FDA-approved tests,” he said. “We don’t see LDTs as a problem, but there’s no standardization of the services. Two services could be described similarly, or with the same CPT codes. But they could have different intended uses with different levels of sophistication and different methodologies, quality, and content. So, how does the payer know what they’re paying for and whether it’s any good?”
When the CPT code is accompanied by a Z-Code, he said, “now we know exactly what test was done, who did it, who’s authorized to do it, what analytes are measured, and whether it meets coverage criteria under policy.”
The process to obtain a code begins when the lab registers for the DEX system, he explained. “Then they submit information about the test. They describe the intended use, the analytes that are being measured, and the methodologies. When they’ve submitted all the necessary information, we give the test a Z-Code.”
The assessment could be as simple as a spreadsheet that asks the lab which cancer types were tested in validation, he said. On the other end of the scale, “we might want to see the entire validation summary documentation,” he said.
Commercial Potential
Bien-Willner joined Palmetto GBA in 2018 primarily to direct the MolDX program. But he soon saw the potential use of Z-Codes and the DEX registry for commercial plans. “It became instantly obvious that this is a problem for all payers, not just Medicare,” he said.
Over time, he said, “we’ve refined these processes to make them more reproducible, scalable, and efficient. Now commercial plans can license the DEX system, which Z-Codes are a part of, to better automate claims processing or pre-authorizations.”
In 2021, the company began offering the coding system for Medicare Advantage plans, with UHC the first to come aboard. “It was much easier to roll this out for Medicare Advantage, because those programs have to follow the same policies that Medicare does,” he explained.
As for UHC’s commercial plans, the insurer originally planned to require Z-Codes in claims beginning Aug. 1, 2023, then pushed that back to Oct. 1, according to Dark Daily’s sister publication The Dark Report.
Then it was pushed back again to April 1 of this year, and now to June 1.
“The implementation will be in a stepwise fashion,” Bien-Willner advised. “It’s difficult to take an entirely different approach to claims processing. There are something like 10 switches that have to be turned on for everything to work, and it’s going to be one switch at a time.”
For Palmetto GBA, the commercial plans represent “a whole different line of business that I think will have a huge impact in this industry,” he said. “They have the same issues that Medicare has. But for Medicare, we had to create automated solutions up front because it’s more of a pay and chase model,” where the claim is paid and CMS later goes after errors or fraudulent claims.
“Commercial plans in general just thought they could manually solve this issue on a claim-by-claim basis,” he said. “That worked well when there was just a handful of genetic tests. Now there are tens of thousands of tests and it’s impossible to keep up. They instituted programs to try to control these things, but I don’t believe they work very well.”
Bien-Willner is scheduled to speak about Palmetto GBA’s MolDX program, Z-Codes, and related topics during three sessions at the upcoming 29th annual Executive War College conference. Clinical laboratory and pathology group managers would be wise to attend his presentations. Visit https://www.executivewarcollege.com/registration to learn more and to secure your seat in New Orleans.
Financial and clinical fortunes may soon shift for many medical laboratory organizations
By every measure, the clinical laboratory industry is entering a high-stakes period during the next 24 months. Powerful trends are reducing lab budgets and payers are cutting the prices paid for medical laboratory testing. The question on everyone’s mind is “will it get better or worse in the months ahead?”
This question will be asked plenty of times to speakers at the nation’s largest gathering of clinical lab executives and pathology business leaders. On April 30-May 1, the upcoming 18th Annual Executive War College on Laboratory and Pathology Management will take place in New Orleans, Louisiana. A record crowd has already registered to attend.
Medical laboratories have yet to learn how much to expect in payment for molecular pathology test claims submitted to the Medicare program
Concern is rising among pathologists and clinical laboratory directors about what the Medicare program will pay this year for the 104 new molecular test CPT codes. These new CPT codes became effective on January 1, 2013.
Few–if any–medical laboratories have received payments for Medicare claims submitted early in January. That’s because contractors for the federal Centers for Medicare & Medicaid Services (CMS) are just beginning to process those invoices. The first payments for these molecular test claims are expected within the next several weeks.
Help for Clinical Laboratories and Pathology Groups
To help clinical labs and pathology groups address this problem, CodeMap, LLC, a billing and coding consulting company in Schaumburg, IL, is encouraging clinical labs to post the payment amounts for the molecular test claims they get from the nation’s Medicare Administrative Contractors on the CodeMap website at www.codemap.com. CodeMap then will make this information available to participating medical laboratories and the public.
To fill the knowledge vacuum that exists as different Medicare Administrative Contractors use the gap-fill method to develop reimbursement for the 104 new molecular test CPT codes, CodeMap, LLC, of Schaumburg, IL, is using a crowdsourcing solution. In this approach, also known as distributed problem solving, CodeMap is inviting clinical laboratories and pathology groups to voluntarily provide data about their payments for Medicare claims involving the new molecular test codes.