News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be for sale on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.

Anne Wojcicki

Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

The leaked data has been confirmed by 23andMe to be legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts belonged to users who had opted into the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Because each compromised account could view the profiles of its matched relatives, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
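An added illustration (not from the article or from 23andMe) of the two points above: a defender can spot credential stuffing because a reused-credential list touches many distinct accounts from one source with mostly failed logins, and a few compromised accounts expose many more profiles through an opt-in relative-sharing feature. The login events, the relative graph, and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detection and relative-sharing exposure count.

Constructed example: the login events, the relative graph and the
thresholds are assumptions, not real 23andMe data or logic.
"""
from collections import defaultdict

# Constructed login events: (source_ip, account, login_succeeded)
LOGIN_EVENTS = [
    ("203.0.113.5", "alice", False),
    ("203.0.113.5", "bob", False),
    ("203.0.113.5", "carol", True),
    ("203.0.113.5", "dave", False),
    ("203.0.113.5", "erin", True),
    ("203.0.113.5", "frank", False),
    ("198.51.100.7", "alice", False),   # one user mistyping, then succeeding
    ("198.51.100.7", "alice", True),
]

# Constructed opt-in graph: account -> relatives whose profiles it can view
RELATIVES = {
    "carol": {"gina", "hank", "ivy"},
    "erin": {"ivy", "jack"},
    "alice": {"bob"},
}


def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Return source IPs that tried many distinct accounts with a low
    success ratio. Recycled-credential lists mostly fail because most
    users changed or never reused that password; a legitimate user
    retrying their own password touches a single account."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for ip, account, succeeded in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        stats["ok"] += int(succeeded)
    flagged = []
    for ip, stats in per_ip.items():
        ratio = stats["ok"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(events, flagged_ips):
    """Accounts that a flagged source actually logged into."""
    return sorted({acct for ip, acct, ok in events if ip in flagged_ips and ok})


def exposed_profiles(compromised, relatives):
    """Profiles readable through the compromised accounts: the accounts
    themselves plus every relative each one had opted in to view."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= relatives.get(account, set())
    return sorted(exposed)


if __name__ == "__main__":
    ips = stuffing_sources(LOGIN_EVENTS)
    taken = compromised_accounts(LOGIN_EVENTS, ips)
    print("stuffing sources:", ips)
    print("accounts breached:", taken)
    print("profiles exposed:", exposed_profiles(taken, RELATIVES))
```

Two breached accounts expose six profiles here, which is the mismatch between accounts breached and records offered for sale that the article describes.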

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin was among the leaked data, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Years of experts warning genetics companies like 23andMe that they need more strict data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

American Clinical Laboratory Lawsuit Charges HHS Ignored Congress’ Intent When Collecting Market-Rate Data for 2018 Clinical Laboratory Fee Schedule

In filing Monday, lawsuit seeks to force HHS to comply with PAMA’s statutory requirements and to withhold applying the new Clinical Laboratory Fee Schedule until HHS has revised the final rule appropriately

Many clinical laboratory executives will welcome the news that a lab industry trade association has filed a lawsuit in federal court in an effort to delay and fix the final rule for private payer lab test market price reporting under the Protecting Access to Medicare Act of 2014 (PAMA). Medicare officials used that reporting to lower prices on the Medicare Part B Clinical Laboratory Fee Schedule (CLFS), which is scheduled to take effect on Jan. 1, 2018.

In a lawsuit filed Monday, the American Clinical Laboratory Association (ACLA) charged that the federal Department of Health and Human Services (HHS) ignored congressional intent and instituted a highly-flawed data reporting process when setting the 2018 CLFS rates under the Protecting Access to Medicare Act of 2014.

The ACLA asked the US District Court for the District of Columbia to force HHS to comply with PAMA’s statutory requirements and to withhold applying the new CLFS until HHS has revised the final rule appropriately. The CLFS is due to take effect on Jan. 1.

The lawsuit also seeks to vacate any actions that HHS made that were not in accordance with the PAMA law and to withdraw or suspend the final rule under PAMA. The case is American Clinical Laboratory Association v. Hargan, US District Court, District of Columbia, No. 1:17-cv-2645.

Final Prices for the 2018 Part B Clinical Laboratory Fee Schedule

Last month, the federal Centers for Medicare and Medicaid Services (CMS) issued the final CLFS rates and said at the time that it did so in compliance with the 2016 final rule implementing changes to the Medicare clinical laboratory fee schedule under PAMA section 216.

“We have repeatedly advised CMS that there are significant, substantive deficiencies in the final rule, which fail to follow the specific commands of the PAMA statute,” said ACLA President Julie Khani in an ACLA press release. “Contrary to Congress’ intent, instead of reforming Medicare reimbursement rates to reflect the broad scope of the laboratory market, the Secretary’s final rule will disrupt the market and prevent beneficiaries from having access to the essential laboratory services they need.”

Shown above is Julie Khani, President of the American Clinical Laboratory Association (ACLA), speaking at the Executive War College on Laboratory and Pathology Management last May in New Orleans. In a press release announcing ACLA’s lawsuit against the Department of Health and Human Services, Khani emphasized that many clinical laboratories had advised officials at the federal Centers for Medicare and Medicaid Services (CMS) about the “significant, substantive deficiencies in the final rule” for the private payer market price reporting that CMS designed. (Photo copyright: The Dark Report.)

22 Healthcare Organizations Opposed Cuts to Clinical Laboratory Test Prices

The ACLA, the American Hospital Association (AHA), and more than 20 other organizations had urged CMS to suspend implementation of the new CLFS rates, which are scheduled to take effect Jan. 1. The organizations cited concerns over the data-collection process used to establish the rates, and the fact that the rates would cause clinical laboratories to struggle financially and possibly close. If the rates set under PAMA affect Medicare beneficiaries’ access to clinical lab testing, the law would have the opposite effect of its intent.

To bring the lawsuit, ACLA retained Mark D. Polston, JD, of the Washington, DC, law firm of King and Spaulding. A specialist in representing healthcare systems seeking to navigate Medicare regulations, Polston is the former Chief Litigation counsel for CMS and specializes in complicated Medicare reimbursement litigation. Recently, he successfully challenged Medicare’s so-called “two-midnight” rule that imposed a 0.2% rate cut on hospitals billing for some patients.

Medicare Program Prohibited Most Medical Laboratories from Reporting

Contrary to Congress’ directives, most laboratories were prohibited from reporting private payer data under CMS’ market-rate data-collection process, ACLA said in a prepared statement. “As a result, CMS failed to protect access to laboratory services for Medicare beneficiaries. This flawed process could cause serious financial harm to potentially thousands of hospitals, independent and physician office laboratories, and make it harder for Medicare beneficiaries to get access to medical testing, particularly in remote rural areas and in nursing homes that depend on laboratory testing services,” ACLA said.

In the lawsuit, ACLA alleged that more than 99.3% of hospitals were prohibited from reporting their market-rate data. It is believed that this is the first time this figure has been reported. In 2015, the lawsuit charged, more than 261,500 entities received Medicare payment for laboratory services but only 1,942 laboratories reported market-rate information in 2016 under the PAMA final rule. The 1,942 labs that reported market-rate data is about 0.7% of the total number of laboratories that serve Medicare beneficiaries, the lawsuit said.

Only 21 of 7,000 Hospital Laboratories Reported Data

“Moreover, contrary to Congress’ intent, the laboratories that did report information are not representative of the market as a whole,” the lawsuit added. “For example, although approximately 7,000 hospital laboratories billed Medicare for laboratory services in 2015—accounting for 24% of the Medicare payments made under the Clinical Laboratory Fee Schedule—no more than 21 hospital laboratories (and probably even fewer) reported information to the secretary, leaving hospital laboratories effectively unrepresented in the data collected by the secretary.

“Hospital laboratories are often the only laboratories available to patients in certain areas of the country, and the private payer rates they receive are often much higher than other laboratories, due to differences in competitive markets, volumes of services, and other factors,” the lawsuit charged.

The Dark Report, Dark Daily’s sister publication, provided a compelling example of the serious flaws in the market price study conducted by CMS. Writing about the state of Michigan, The Dark Report noted: “At Joint Venture Hospital Laboratory Network (JVHL), CEO John Kolozsvary said Michigan’s hospitals serve 70% of the office-based physicians in the state with outreach lab testing services. Included among these hospitals are the 120 JVHL member laboratory facilities.”

“Since our network, plus the outreach programs of another 25 or 30 hospitals, hold a significant share of outreach lab testing in Michigan, how can CMS conduct an accurate, representative market study of what private insurers pay for lab tests in Michigan if it doesn’t collect data on what private payers reimburse hospital lab outreach programs in Michigan?” stated Kolozsvary in his interview with The Dark Report.

Did CMS ‘Disregard and Violate’ PAMA Statute?

In the ACLA’s announcement of the lawsuit, Polston said, “CMS clearly disregarded and violated the statute’s specific, unambiguous directives requiring commercial rate information to be reported and collected from a broad, diverse group of market participants. Instead, information was collected from less than 1% of US laboratories.”

In the press announcement, ACLA Board Chair Curt Hanson, MD, Chief Medical Officer of Mayo Medical Laboratories said, “This lawsuit reflects our obligation to those who are providing critical testing services, and to those millions of Americans who rely on the services our industry provides.” Others supporting the lawsuit include Laboratory Corporation of America and Quest Diagnostics.

Compliance with PAMA Law’s Statutory Requirements

In the lawsuit, ACLA seeks to require HHS to comply with the statutory requirements and to set aside the provisions in the final rule, “that unlawfully exempts thousands of laboratories from the reporting obligations that Congress imposed” under PAMA. A central feature of PAMA Section 216 is that laboratories must report market rate data so that HHS can ensure that Medicare reimbursement rates closely reflect the rates laboratories receive from private payers, the lawsuit said.

“ACLA was a strong supporter of Congress’ market-based reforms, which resulted in the most extensive changes to the system for reimbursing clinical laboratories since 1984,” the lawsuit said.

In challenging the final regulations, the lawsuit said HHS disregarded and violated, “the statute’s specific, unambiguous directives requiring that all applicable laboratories report relevant data.”

Congress Specified Which Medical Laboratories Are Obligated to Report

“In imposing these requirements, Congress took care to specify which laboratories would be obligated to report market data to ensure that information would be collected from a broad, diverse group of market participants,” the lawsuit said. “Congress made clear that any ‘laboratory’ would be required to report data if, ‘with respect to its revenues under [the Medicare program], a majority of such revenues are from’ the Physician Fee Schedule or the Clinical Laboratory Fee Schedule,” the lawsuit charged.

In promulgating the regulations, however, HHS, disregarded Congress’ instructions and “unreasonably and arbitrarily exempted significant categories and large numbers of laboratories that meet the statutory definition from the reporting requirements that Congress imposed,” the lawsuit said.

“The secretary’s final rule fatally undermines one of PAMA’s purposes, which is to require a broad spectrum of Medicare-participating laboratories to report market information to the secretary. Instead, in ultra vires (Latin for “beyond the powers”) fashion, the secretary has carved out large categories of laboratories—ultimately resulting in the exclusion of some 99.3% of the laboratory market—from the statutory reporting requirements,” the lawsuit charged. Ultra vires acts fall outside the authority of the organization in question.

In the lawsuit, the ACLA claims under:

count 1: ultra vires agency action not in accordance with law, in excess of statutory authority;

count 2: unreasonable construction of statute;

count 3: violation of the Administrative Procedure Act, arbitrary and capricious action; and,

count 4: violation of the Administrative Procedure Act, injunctive and declaratory relief.

Seeking an Injunction to Have HHS Secretary to Withhold or Suspend Final Rule

In its final section, “Prayer for Relief,” the lawsuit asks the court to vacate, “any agency action found to be arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law;” to require the Secretary of HHS to comply with the statutory requirements, “including faithfully implementing the statutory definition of ‘applicable laboratory;’” and enter an “injunction that (1) directs the Secretary to withdraw or suspend his final rule until such time as it can be brought into compliance with the statute, and (2) directs the Secretary to withhold applying the new Clinical Laboratory Fee Schedule until such time as the Secretary has made appropriate revisions to his final rule.” The lawsuit also asked the court to award to the ACLA “costs and disbursements of this action and reasonable attorneys’ fees.”

—Joseph Burns

Related Information:

ACLA Files Lawsuit Challenging PAMA Rates

CMS Ignored Congressional Intent in Implementing New Clinical Lab Payment System Under PAMA, ACLA Charges in Suit

Quest Diagnostics Supports Suit Against HHS Charging That CMS Ignored Congressional Intent in Implementing New Clinical Lab Payment System

LabCorp Supports American Clinical Laboratory Association Lawsuit on PAMA Final Rule

For Top 20 Tests, CMS to Cut Payment by 28% in 2018-2020; Medicare officials move one step closer to destroying beneficiary access to lab tests: The Dark Report, October 9, 2017

More Doctors to See Jail Time in Biodiagnostic Laboratory Services Case, but Question Remains: Will Federal Prosecutors Send Lab Executives and Doctors to Jail in the Health Diagnostics and Singulex Case?

Recent federal Justice Department memorandum issues guidance designed to seek accountability from individuals and combat corporate misconduct

Pathologists and clinical laboratory managers who want a tougher crackdown on labs and physicians that violate anti-kickback laws welcome the news that in the past year federal courts have sentenced 13 physicians to jail terms of 12 to 63 months for accepting bribes from a discredited medical laboratory company as part of a scheme to defraud the federal Medicare program.

These criminal convictions were part of the federal case prosecuted against Biodiagnostic Laboratory Services (BLS), in Parsippany, N.J.

In addition to those 13 jail sentences, one doctor got 10 months of home confinement, two doctors got 12 months probation, and sentencing for six other physicians is pending. Prosecutors expect more defendants will be sentenced in the coming months.

Health Diagnostic Laboratory Puts Itself Up for Sale as Virginia Medical Lab Company Solicits Bids for Auction

HDL also got approval to question executives from UnitedHealthcare in court over unpaid claims, its third dispute with a health insurance company

Following a string of major setbacks, Health Diagnostic Laboratory (HDL) of Richmond, Virginia, put itself up for sale last week. This action comes after HDL’s announcement in April that it would pay more than $100 million to settle charges with federal investigators that it violated the False Claims Act. Then, early last month, the clinical laboratory company filed for bankruptcy protection.

On Tuesday, July 14, U.S. Bankruptcy Court Judge Kevin R. Huennekens approved HDL’s request to put itself up for sale through a court-monitored auction, the Richmond Times-Dispatch reported. No potential buyer has been named, but the clinical laboratory company has businesses that are interested in acquiring HDL, the Times-Dispatch added.

California Patient Gets Outrageous Clinical Pathology Laboratory Test Bill from Napa Hospital, Almost 10 Times Higher Than Similar Testing from Quest Diagnostics

A newspaper in San Francisco featured a story about the patient’s complaint about being overcharged thousands of dollars by the hospital for medical laboratory tests

Here’s how a community hospital that charges inpatient prices for clinical laboratory testing to a walk-up customer finds itself at the center of a media news storm. In California, a newspaper trumpeted the story of an unhappy consumer stuck with a $4,316.55 bill for a panel of medical lab tests that a national lab would have performed for just $464, about 90% cheaper!

Cautionary Tale for Medical Laboratories and Pathology Groups

Price transparency is a major trend in healthcare and consumers are catching on quickly. This raises the stakes for any hospital, medical laboratory, and anatomic pathology group that is slow to respond to the growing number of consumers who now price-shop whenever they need clinical laboratory tests.
