Thursday, August 18, 2016

The Haunting of CVS - by the Ghosts of Its, Caremark's, MedPartners' and HealthSouth's Past

In our brave new neoliberal world of commercialized health care, many US health care organizations are products of numerous mergers, acquisitions, and other exercises in financial engineering. This makes it easier to obscure these organizations' history, especially their past sins. Yet these past sins may continue to haunt them.

The MedPartners Settlement

For example, a recent story only recounted in detail in one Alabama newspaper, the Birmingham News, focused on the settlement of a lawsuit originally filed against a company called MedPartners.

A Jefferson County judge on Monday gave final approval to a $310 million settlement of a lawsuit that claims MedPartners, a health care company once led by former HealthSouth CEO Richard Scrushy, lied to more than 20,000 stockholders about how much the company could pay them under the settlement of a 1990s lawsuit.

The new settlement is one of the largest fraud recoveries in Alabama legal history, according to a statement from Hare, Wynn, Newell & Newton, LLP, one of the law firms that represented investors.

The opening of the story harkened back to one of the more notorious cases of health care corruption, that of HealthSouth and Richard Scrushy:

The original fraud allegations from the 1990s stemmed from a proposed deal by former MedPartners CEO Larry House for competitor PhyCor Inc. to pay $7 billion to buy out MedPartners. The deal, billed at the time as the biggest deal in Alabama history, fell through after PhyCor found questions about MedPartners' practices and bookkeeping.

House had been chief operating officer of HealthSouth at one point before taking over as CEO of MedPartners.

Scrushy, who had also been involved in MedPartners' founding while leading HealthSouth, for a time served on the MedPartners board and later as its interim CEO.

HealthSouth is a chain of rehabilitation hospitals. Its former CEO, Mr Scrushy, was acquitted of federal fraud charges, but was eventually convicted in a state court of bribery, conspiracy, and mail fraud in 2006 (look here). HealthSouth settled allegations of fraud and violating securities laws in 2006, and is still in operation, claiming to be the largest chain of US rehabilitation hospitals (look here).

Yet while HealthSouth has been haunted by its prior settlement and Mr Scrushy's conviction, this new story should primarily haunt another huge health care corporation, CVS Caremark.

MedPartners Became Caremark, Merged Into CVS Caremark

Back to the Birmingham News 2016 article,

The lawsuit against CVS Caremark Corp., the company that ended up owning the former MedPartners, is a class-action litigation in which investors claim they lost $3.2 billion in a 1990s securities fraud.

Twenty one lawsuits were filed by investors in 1998 against MedPartners. Those lawsuits claimed MedPartners made false and misleading statements to the public about its financial condition and prospects at the time.

The lawsuits were combined and settled for $56 million after MedPartners claimed it was teetering on the edge of bankruptcy and that $50 million was all its insurance would cover.

However, five years later investor John Lauriello, one of the original plaintiffs, filed a new lawsuit claiming MedPartners lied about having limited insurance coverage during the settlement negotiations. The lawsuit claims that in October 1998, prior to the original settlement being finalized, MedPartners paid for unlimited insurance coverage.

If the unlimited insurance coverage had been known at the time, Lauriello's suit claims, investors could have negotiated a higher settlement amount. Sam Johnson and the City of Birmingham Retirement and Relief System later became the named plaintiffs.

MedPartners changed its name in 2000 to Caremark and in 2007 merged with CVS.

CVS will be on the hook for a good part of the current settlement's financial liability.

Under the terms of the settlement insurance company AIG will pay $230 million and CVS will pay $80 million.

CVS Health Denies the Meaning of its History

As is typical of most legal actions against big health care organizations, no individual who presided over, authorized, directed or implemented the bad behavior will apparently suffer any negative consequences.  And current CVS management said in effect, "it's not me."

In the settlement CVS denies it has any liability for the claims asserted against them and believes it has good defenses to those claims. But the company agreed to enter into the agreement 'to eliminate the burdens, distractions, expense, and uncertainty of further litigation and thereby to put this controversy to rest fully and finally by obtaining complete dismissal with prejudice of the Class Action,' according to the settlement.

In particular,

CVS issued a statement when the preliminary settlement was approved by Ballard.

'This relates to a 1999 settlement of a securities class action by MedPartners, the former parent company of Caremark and is not related in any way to the business practices of CVS Health, which was formed from the merger between CVS and Caremark in 2007,' according to the statement from Mike DeAngelis, Senior Director, Corporate Communications CVS Health.

'The company denies that its predecessor entity engaged in any wrongdoing and denies any liability in the action,' DeAngelis wrote. 'A settlement was reached in order to eliminate the burdens, expenses and uncertainty of continued litigation. We are pleased that the settlement agreement has been preliminarily approved by the court and we look forward to putting this matter behind us.' 

Let us briefly regard the logic, or lack thereof, in this public relations pronouncement.

In fact, in 1996, MedPartners, which was a small for-profit corporation that owned physician practices, and was hence on the cutting edge of the movement to bring the corporate physicians to main street, bought Caremark (per the Wall Street Journal).  In 1999, after divesting itself of the physician practices, MedPartners changed its name to CareMark Rx (see this news release.)  The merger of CVS and Caremark was announced in 2006 (per the NY Times).

Yet Mr DeAngelis asserted first that MedPartners was merely "the former parent company of Caremark" [italics added].  The use of the word "former" in that sentence seems to be pure obfuscation.  MedPartners became Caremark.  Then, Caremark and CVS merged to become CVS Caremark.

So Mr DeAngelis' assertion that the modern CVS Health business practices are "not related in any way" to MedPartners cannot even be dignified as a logical fallacy. It seems just flat out untrue, which is somewhat ironic given that the original charge against MedPartners, now a renamed piece of CVS Health, is that it "lied" about its insurance coverage.

Furthermore, I see no suggestion that the current CVS Caremark has specifically changed so as to provide assurance that the events that led to the current settlement could not occur again.  No manager at MedPartners (became Caremark, merged into CVS Caremark) who enabled, authorized, or directed the alleged deception of the shareholders was identified, or suffered any negative consequences.  There has been no obvious change in management processes that would prevent something similar from happening again.  So how did the company put "this matter behind" it?

Despite current management's attempts to deny that the settlement they just made has anything to do with their current company, I suspect the case may continue to haunt them, just like many other cases are haunting them. 

The Haunting of CVS Caremark

Just this week, according to the Charleston (WV) Gazette-Mail, CVS Caremark was one of three companies that settled allegations by the state that it shortchanged the state's Medicaid program.

And Caremark, CVS Caremark, and CVS Health have had a truly extensive record of other settlements since 2005.  Those that we have discussed on this blog, or that were in my files, are below.


- Caremark settled allegations that its AdvancePCS subsidiary took kickbacks from drug companies to give the companies favorable treatment in federal employee health programs (per the Philadelphia Inquirer, here.)  

CVS, CVS Caremark, CVS Health

- Rhode Island state legislator John A Celona pleaded guilty to fraud and sale of his honest services for taking money from CVS to advocate for legislation on the company's behalf (see post here). (Note that two CVS executives were indicted for the bribery of Celona, but acquitted by a jury, per USAToday.)

- Rhode Island state legislator and former House Majority leader Gerard M Martineau pleaded guilty to sale of his honest services for taking money from CVS again to advocate for legislation on the company's behalf (see post here).

- CVS Caremark settled charges by the state of Illinois of deceptive business practices (per the Chicago Tribune, here.)

- CVS Caremark settled charges by the US Federal Trade Commission (FTC) for false advertising (per the FTC, here.)  

- CVS settled allegations made by the state of Massachusetts that it overcharged public entities for drugs (see post here).

- CVS settled allegations of violating the US Controlled Substances Act in its stores in California and Nevada (see post here).

- CVS Caremark settled allegations made in three whistleblower lawsuits that it defrauded three state pension plans, including that of California (see post here).

- CVS Caremark settled allegations made by the US Federal Trade Commission (FTC) that it deceived elderly patients about drug prices (see post here).

- CVS Caremark settled allegations made by the US Department of Justice that it violated the US Controlled Substances Act in Oklahoma (per the Wall Street Journal, here).
- CVS Caremark division settled allegations in multiple states that it failed to properly reimburse Medicaid programs (per the WSJ, here.)

- CVS Health settled charges by Massachusetts public pension funds that it concealed its revenue loss (per Reuters, here.)


So CVS Health is another example of a huge modern health care company, formed out of mergers, acquisitions, and other examples of financial engineering, that should truly be regarded as haunted by the ghosts of its past sins.  Yet this history remains ghostly, and its clammy touch on present events is barely perceived.  None of the earlier settlements seemed to influence how the later settlements were made.  No judge refused a given settlement because of the company's history of past alleged misbehavior.  No company manager ever suffered any negative consequences of these settlements.  Thus they enjoyed impunity.

Hardly anyone remembers that what was once called MedPartners is now an integral part of CVS Caremark, much less that MedPartners was once a partial creature of HealthSouth and Richard Scrushy. 

So once more, with feeling....

Nearly every big US health care corporation now seems to have a long history of bad behavior, sometimes criminal behavior, that has not stopped the revenues from flowing, and the top managers from becoming millionaires, or billionaires. Is it any wonder that a few years ago, nearly a majority of US respondents to a Transparency International poll declared our health care system to be corrupt (look here)?

Their dark musings may be partially due to their awareness that health care corruption is a taboo topic.  As we wrote about it in 2016 (look here)...

 Essentially, there is so much money to be made through pharmaceutical (and by implication, other health care corruption) that the corrupt have the money, power, and resources to protect their wealth accumulation by keeping it obscure.  In the Transparency International 2016 Report on health care corruption in the pharmaceutical industry,
However, strong control over key processes combined with huge resources and big profits to be made make the pharmaceutical industry particularly vulnerable to corruption. Pharmaceutical companies have the opportunity to use their influence and resources to exploit weak governance structures and divert policy and institutions away from public health objectives and towards their own profit maximising interests.

Keep in mind that the money made from corruption does not just go to innocent peoples' retirement funds that are invested in pharmaceutical stocks.  It predominantly goes to top corporate executives and managers, and their cronies who preside over the corrupt practices.

I might as well repeat myself once again.  As I wrote in 2015,

If we are not willing to even talk about health care corruption, how will we ever challenge it? 

So to repeat an ending to one of my previous posts on health care corruption....  if we really want to reform health care, in the little time we may have before our health care bubble bursts, we will need to take strong action against health care corruption.  Such action will really disturb the insiders within large health care organizations who have gotten rich from their organizations' misbehavior, and thus taking such action will require some courage.  Yet such action cannot begin until we acknowledge and freely discuss the problem.  The first step against health care corruption is to be able to say or write the words, health care corruption.

If only we knew who you gonna call...

Tuesday, August 16, 2016

Yes, the OS and filesystems on our EHR servers were hacked and our data encrypted for ransom, but "no medical information was looked at or compromised"

On this blog I have an entire series of posts regarding EHR crashes that point out an absurd-on-its-face and, in fact, insulting boilerplate executive response to the EHR unavailability:

"BUT patient care has not been compromised." 

The posts can be accessed via the query link

It seems I may need another, related indexing term when EHRs get hacked and ransomware is inserted:

"BUT no information was looked at or compromised."

I've seen this in various incarnations several times now. 

For instance, see my Feb. 18, 2016 post "Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised" and my March 29, 2016 post "Bad health IT at Medstar Health: FBI probing virus behind outage".

This type of statement suggests that thieves who are able to gain access at highly granular levels of a server's filesystem and OS in order to encrypt the contents and insert the ransomware are "honest thieves" who would not look at the PHI for purposes of identity theft, or even sadistically alter data for purposes of causing harm.  In other words, it's the executives reassuring the populace that the thieves have honor.

The latest example:

Novato firm remains silent about ransomware attack on patient records
Richard Halstead, Marin Independent Journal
Officials at a Novato [California - ed.] company that provides medical billing and electronic medical records services to many Marin physicians aren’t talking about a ransomware attack on their system this month that left doctors unable to access patient records for more than 10 days.

Ten days without charts is unprecedented in the paper world, except perhaps after a major physical catastrophe.

Clearly, the refrain "BUT patient care has not been compromised" would be absurd under such conditions.

Lynn Mitchell, CEO of Marin Medical Practice Concepts, issued a terse email on Aug. 4 confirming that her company had paid a ransom to regain access to its data. She wrote, “To date, there is no evidence that any patient information was accessed, transferred or otherwise compromised.”

Honest thieves were involved.

Since then, Mitchell has declined to comment on how many patient medical records were involved, how Marin Medical determined that the records weren’t compromised and whether the company reported the security breach to law enforcement or — as required by law — the state Attorney General’s Office and U.S. Department of Health and Human Services.

“We have nothing further to add at this time,” Mitchell said in an email Thursday.

Not specifying how such a determination was made significantly decreases the credibility of an already non-credible assertion, in my view.

Joe Cohen, an information technology consultant based in Greenbrae, said, “They claim no information was looked at or compromised. I don’t believe it.”

Cohen, whose personal data is in Marin Medical’s system, said he is worried that whoever encrypted the company’s files may have copied the data before demanding the ransom.

That's a best-case scenario, considering the possibility of deliberate or accidental alteration or corruption.

Typically in such ransomware attacks, a sophisticated computer virus finds its way into a victim’s system when an unsuspecting employee opens an email attachment. The virus encrypts the system’s data and attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin.

"Finds its way into a victim's system" is a rather mild way of saying "invades a victim's system due to inadequate security precautions."

Carl Chapman, operations manager of the Northern California Computer Crimes Task Force and an inspector in the Marin County District Attorney’s Office, said Marin Medical did not report the extortion to his task force.

“Typically, people don’t report them because I think it is well known throughout information technology departments that we are unable to unlock the information,” Chapman said.

... In 2012, the state began requiring businesses and government agencies to notify the attorney general on breaches affecting more than 500 Californians. The law applies to any business or agency whose unencrypted personal information was acquired, or reasonably believed to have been acquired.

I'd say it's more likely that organizations that don't report such crimes want to keep their victimhood due to negligence out of the public spotlight.

According to a report issued by the Attorney General’s Office in February, in the past four years the attorney general has received reports on 657 data breaches affecting a total of more than 49 million records of Californians. ... health care, which accounted for 16 percent of breaches, is starting to see an increase in hacking breaches as the sector transitions to electronic medical records. ... the “most vulnerable information in health care was medical information, such as patient records, and Social Security numbers.”

That level of incidents leads me to state the following:

  • Lack of EHR interoperability, so often complained about, is actually a good thing in 2016, as it may limit the scope of individual breaches of EHR security; and
  • The utopian dream of a national health information network connecting the entire country's EHR systems is a very, very bad idea in 2016 and should be postponed.  Reality is a harsh master, and the risks are clearly great in 2016 due to the immaturity of computer security.

More on ransomware:

Gordon [Amy Gordon, a partner in the Chicago law firm of McDermott Will & Emery LLP] said in addition to encrypting data, ransomware may also transfer information to a remote location.

“In this day and age, people’s personal information is valuable,” Gordon said, “so unfortunately some of these hackers may be selling this information in addition to getting the ransom from the hacked entity.”

The thieves are already taking a significant risk, and smart thieves would certainly be expected to maximize their haul.

In February, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in the hard-to-trace digital currency Bitcoin in order to regain access to its data.

Then in March four more organizations fell victim: MedStar Health, which operates 10 hospitals throughout the District of Columbia and Maryland; Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, California; and Methodist Hospital in Louisville, Kentucky.

The first two incidents are covered in the aforementioned posts.

John Hall, who operates Sausalito Networking, a small system integration firm, said, “If someone hits a hospital they can usually get a lot of money because the hospital needs to get the darn patient data.”

Indeed, making them among the most pliable of victims.

Hall said several of his clients — a small construction company, a tax advisory firm and a medical facility — have been hit by ransomware attacks recently. He said he is advising all of his clients to install special anti-ransomware software.

Bret Lowry is the founder of Florida-based WinPatrol, which produces the anti-ransomware software that Hall recommends.

“This year ransomware attacks have just exploded,” Lowry said, “because organized crime has gotten involved and is using it to make money.”

That is not surprising to me. This is further evidence that the "ready, aim, fire" push to national health IT by our government and IT industry, with little consideration of risk and now in a stage of coercive penalties for non-users, has once again been proven to have been reckless. As examples of the government and industry leaders downplaying risk:

March 6, 2013
On EHR's: See No Evil, Hear No Evil, Speak No Evil: Part 1

March 8, 2013
On EHR's: See No Evil, Hear No Evil, Speak No Evil: Part 2

In the first post I noted this:
... The head of CCHIT, Mark Leavitt, has penned the following at iHealthBeat: 

June 19, 2009 - Perspectives 

Health IT Under ARRA: It's Not the Money, It's the Message

by Mark Leavitt 

... Before ARRA, most surveys concluded that cost was the No. 1 barrier to EHR adoption. But as soon as it appeared that the cost barrier might finally be overcome, individuals with a deeper-seated "anti-EHR" bent emerged. Their numbers are small, but their shocking claims -- that EHRs kill people, that massive privacy violations are taking place, that shady conspiracies are operating -- make stimulating copy for the media. Those experienced with EHRs might laugh these stories off, but risk-averse newcomers to health IT, both health care providers and policymakers are easily affected by fear mongering.

Fear mongering.  Right.

In the second I noted this:

... Blumenthal, at the time Director of ONC at HHS had reportedly stated that:

... [Blumenthal's] department is confident that its mission remains unchanged in trying to push all healthcare establishments to adopt EMRs as a standard practice. "The [ONC] committee [investigating FDA reports of HIT endangerment] said that nothing it had found would give them any pause that a policy of introducing EMR's [rapidly and on a national scale - ed.] could impede patient safety," he said.

The "nothing" includes 44 injuries voluntarily reported to FDA and 6 reported deaths in an environment where few know where to report such things and where no reporting requirements exist, and a statement from the head of CDRH at FDA that due to systematic impediments to accurate knowledge the known figures likely are a small fraction ("tip of the iceberg") of the actual occurrence.


Chapman said, “In the cases we’ve investigated, all of the leads go to Eastern European countries for which we don’t have the ability to do any further investigation. I’m not aware of any federal agencies that are specifically working on ransomware.”

In other words, the hackers cannot be identified nor brought to justice.

Under these conditions, continued pushes for interoperability and mass networking of multiple EHR's are simply reckless. The proper caution calls for a slowdown in those efforts until security issues are under reasonable control. However, the past decade has shown that "caution" seems an abstract concept to our government and industry with respect to the health IT sector.


"BUT no information was looked at or compromised" is a phrase that also needs to be backed up by robust proof, because it rings as hollow as, or perhaps more hollow than, "BUT patient care has not been compromised."

-- SS

Monday, August 15, 2016

Stanford authors: Evolutionary Pressures on the Electronic Health Record - "Deimplementing the EHR could actively enhance care in many clinical scenarios"

A brief post.  In this new JAMA article by Stanford authors:

Evolutionary Pressures on the Electronic Health Record 
Donna M. Zulman, MD, MS; Nigam H. Shah, MBBS, PhD; Abraham Verghese, MD

I note the passage:

... Deimplementing the EHR could actively enhance care in many clinical scenarios. Simply listening to the history and carefully examining the patient who presents with a focused concern is an important means of avoiding diagnostic error.7 Many phenotypic observations (the outline of a cigarette packet in a shirt pocket, or spotting neurofibroma, fasciculation, or rash) change the diagnostic algorithm and are easy to miss when work revolves around the computer and not the patient.

I predict pushback against such a bold and contrarian "de-implementation" assertion (contrarian to the hyper-enthusiast and industry narratives, that is).

The authors continue:

There is building resentment against the shackles of the present EHR; every additional click inflicts a nick on physicians’ morale. Current records miss opportunities to harness available data and predictive analytics to individualize treatment. Meanwhile, sophisticated advances in technology are going untapped. Better medical record systems are needed that are dissociated from billing, intuitive and helpful, and allow physicians to be fully present with their patients.

I also wrote the primary author with a link to an alternate solution to de-implementation that can "allow physicians to be fully present with their patients", namely, my Aug. 9, 2016 post "More on uncoupling clinicians from EHR clerical oppression".

-- SS

Politicians get a very bitter taste of the very same medicine they've forced onto clinicians and the public

This is a case of education - I hope - by fire on electronic information security, and why "going electronic" can be a risky business.  This is a lesson deeply needed by our government leadership who have been pushing an unfettered national rollout of electronic medical records systems, despite known and exploited security concerns of EHRs, among other concerns discussed at this blog.

I've written dozens of posts, just based on casual searches of news, illustrating breaches of healthcare information technology security and privacy of information, as have others focusing primarily on these issues such as Patient Privacy Rights DOT org.

Examples of my own occasional posts in this domain are at query links such as:

Our wise political leaders, however, have been pushing this technology, despite its numerous drawbacks  - full steam ahead - on clinicians and patients, now under the gun of Medicare payment cuts for "refuseniks."

Now, the political leadership has just gotten a bitter taste of the dish they've been serving up:

Hacker releases cell phone numbers, personal emails of House Democrats
By Daniella Diaz, CNN
Updated 4:04 PM ET, Sat August 13, 2016

The hacker who goes by "Guccifer 2.0" is claiming credit for the release of personal cell phone numbers and private email addresses of Democratic House members.

The data -- posted to their WordPress blog on Friday night -- also contains the contact information for staff members and campaign aides.

In the trove of information released on Friday "Guccifer 2.0" also uploaded files to the blog post that contains login information to subscription services used by the Democratic Congressional Campaign Committee, including Lexis-Nexis and Washington newspapers ... In addition to lawmakers' personal information, the hacker uploaded documents analyzing candidates for Florida's 18th congressional district, and a fundraiser memo to House Minority Leader Nancy Pelosi about Morgan Carroll's congressional campaign in Colorado.

In a statement, DCCC Press Secretary Meredith Kelly said: "As previously noted, the DCCC has been the target of a cybersecurity incident, and we are cooperating with federal law enforcement in their ongoing investigation. We are aware of reports that documents claimed to be from our network have been released and are investigating their authenticity."

Rep. Adam Schiff of California, the ranking Democrat on the House Intelligence committee, suggested a law enforcement probe is necessary.

Perhaps a probe of the competence of those responsible for electronic security hired by our wise government officials should come first.

"The unauthorized disclosure of people's personally identifiable information is never acceptable, and we can fully expect the authorities will be investigating the posting of this information," Schiff said.

But it's just fine to keep rolling out insecure electronic records systems.

... The hacker wrote in the blog post, "It's time for new revelations now. All of you may have heard about the DCCC hack. As you see I wasn't wasting my time! It was even easier than in the case of the DNC breach."

Remarkable incompetence on the part of the politicians.

... The hack of the DNC was originally discovered as being two separate breaches, both by hacking groups identified by cybersecurity experts as working for the Russian military and intelligence complex. One hack was said to have lasted a year and targeted internal communications, the other was for a few months and targeted opposition research on Donald Trump.
Federal investigators had tried to warn the DNC months before, sources told CNN, but by the time the suspected Russian hackers were kicked out of the systems damage had been done: Nearly 20,000 emails between a handful of DNC officials were dumped on the web by WikiLeaks as the Democratic National Convention was kicking off. The emails showing opposition to Vermont Sen. Bernie Sanders during the primary led to the resignation of DNC Chairwoman Debbie Wasserman Schultz on the eve of the convention and departure of more party officials later.

The politicians of both parties behind the EHR mandate, in effect at least since the HITECH Act of 2009, should have heeded those questioning EHR security before mandating a national rollout.  My only comment is that I hope the politicians unabashedly pushing EHR's on the public may have learned a valuable, needed, and well-deserved lesson about electronic information security from these events.  

However I am not optimistic about that.

-- SS

Ioannidis et al.: What Happens When Underperforming Big Ideas in Research [such as Healthcare IT Exceptionalism] Become Entrenched?

Some years ago, John P. A. Ioannidis, MD wrote this piece:

"Why Most Published Research Findings Are False", John P. A. Ioannidis, PLoS medicine, 2005 August; 2(8): e124

He wrote:

There is increasing concern that most current published research findings are false. The probability that a research claim is true may depend on study power and bias, the number of other studies on the same question, and, importantly, the ratio of true to no relationships among the relationships probed in each scientific field. In this framework, a research finding is less likely to be true when the studies conducted in a field are smaller; when effect sizes are smaller; when there is a greater number and lesser preselection of tested relationships; where there is greater flexibility in designs, definitions, outcomes, and analytical modes; when there is greater financial and other interest and prejudice; and when more teams are involved in a scientific field in chase of statistical significance. Simulations show that for most study designs and settings, it is more likely for a research claim to be false than true. Moreover, for many current scientific fields, claimed research findings may often be simply accurate measures of the prevailing bias.

In other words, in the all-too-common insufficiently powered studies, and even seemingly robust studies in domains with small effect sizes, financial interests, prejudices and other factors more often than not produce false results.

Ioannidis and co-authors recently took their sword to "underperforming Big Ideas in research" (including the "miracles" touted by hyper-enthusiasts such as in genomics and in cybernetics), via a new JAMA viewpoint piece:

What Happens When Underperforming Big Ideas in Research Become Entrenched?
Michael J. Joyner, MD1; Nigel Paneth, MD, MPH2; John P. A. Ioannidis, MD, DSc3
JAMA. Published online July 28, 2016. doi:10.1001/jama.2016.11076

For several decades now the biomedical research community has pursued a narrative positing that a combination of ever-deeper knowledge of subcellular biology, especially genetics, coupled with information technology will lead to transformative improvements in health care and human health. In this Viewpoint, we provide evidence for the extraordinary dominance of this narrative in biomedical funding and journal publications; discuss several prominent themes embedded in the narrative to show that this approach has largely failed; and propose a wholesale reevaluation of the way forward in biomedical research.

The key word is "narrative."   As per Hayek, those with little real-world operational experience, i.e., intellectuals and academics, often the uncritical cheerleaders for electronic records despite considerable downsides, have only the "narrative" upon which they base their beliefs in healthcare IT exceptionalism:

It is perhaps the most characteristic feature of the intellectual that he judges new ideas not by their specific merits but by the readiness with which they fit into his general conceptions, into the picture of the world which he regards as modern or advanced. . . . As he knows little about particular issues, his criterion must be consistency with his other views and suitability for combining into a coherent picture of the world. . . . It is the intellectuals in this sense who decide what views and opinions are to reach us, which facts are important enough to be told to us, and in what form and from what angle they are to be presented. Whether we shall ever learn of the results of the work of the expert and the original thinker depends mainly on their decision.

(I can add that blogs have to some small degree ameliorated "whether we shall ever learn of the results of the work of the expert and the original thinker", but only to a small degree.)

The "general conception" in cybernetics is that computers are a silver bullet in any domain, and can only result in massive improvements. 

My experience for the past twenty+ years in the Electronic Medical Records/clinical information technology domain, where quality, safety, usability, confidentiality, and other critical real-world issues have been ignored in favor of EHR hyper-enthusiasm, supports Hayek's observations regarding prevalent unfettered beliefs in healthcare IT exceptionalism.

Ioannidis et al. state the factual situation with EHR technology unapologetically, clearly and succinctly:

... The financial and clinical benefits predicted from shifting to EHRs have also largely failed to materialize because of difficulties in interoperability, poor quality, and accuracy of the collected information; cost overruns associated with installation and operation of EHRs at many institutions; and ongoing privacy and security concerns that further increase operational costs.

I would change "interoperability" to "operability."  Otherwise, they're quite correct.  For example, the "Big Data" hyper-enthusiasts quite irrationally believe data from these systems - as they are today -  will somehow "revolutionize" medicine, while at the very same time the IT industry itself and its pundits ignore fundamental precepts of computer science, information science, biomedical informatics, biomedicine and biomedical research itself. 

Some of the hyper-enthusiasts have made predictions that are astonishingly naive, delusionally grandiose and just plain perverse, e.g., see for instance my Jan. 2014 post "Computers + a few docs can manage 'an entire city', and other cybernetic miracles" at

The new JAMA paper continues:

... These features make the use of EHRs for research into the origins of disease, as proposed in the Precision Medicine Initiative, highly problematic. No clearly specified targets for either improved outcomes or reduced costs have been developed to assess the performance efficiency of EHRs.

Those targets were never specified, but The Market seems to have corrected for that, e.g., via this Jan. 2015 letter from ~40 different medical societies:

 Full letter to HHS available at

The authors continue:

... Although it is difficult to argue for a return to paper records, any claim of future transformation of the medical record should include well-defined accountability and review mechanisms. Otherwise, the health care system may become hostage, wasting increasing resources to continuously upgrade electronic technology without really helping patients.

It is clear to me that the health care system and its clinicians are already hostage to the cybernetic hyper-enthusiasts, as evidenced by letters such as the above and many other sources about the mayhem being caused, e.g., a small sampling on this blog at query links, and

Finally, I disagree with the authors that "it is difficult to argue for a return to paper records."

Paper has its proper place, and "paperless" is a utopian dream of the hyper-enthusiasts that causes significant damage to the primary role of clinicians - to take care of patients.  I make this argument (with a real-world, highly successful example of my own creation) at my Aug. 9, 2016 post "More on uncoupling clinicians from EHR clerical oppression" at

In summary, the authors of this JAMA piece clearly and succinctly break through the "narrative" about hyper-enthusiast dominated fields, including clinical information technology and the belief in healthcare IT exceptionalism.

Sadly, theirs is almost a single voice in a wilderness dominated by the hyper-enthusiasts - and the profiteers.

-- SS

Friday, August 12, 2016

Transparency International Asks Health Care Professionals About Health Care Corruption

Transparency International, the global NGO that studies and fights corruption, seeks information from health care professionals about health care corruption.  The details are in the official announcement below.  If you are a health care professional, please consider responding to this survey. 

Invitation to participate in a corruption in healthcare survey
Transparency International’s health programme has commenced a new research project to identify the major types of corruption in the health sector. We feel that this research piece will contribute to understanding the corruption vulnerabilities in the health sector and ultimately improve the availability and use of health information to hold governments accountable.

This will feed into the World Health Summit in October, where Transparency International has been invited to run the opening session. We'll also be displaying results from the research on our website and will feature interviews with people about their experiences.

As part of our research, we're keen to hear from as many healthcare professionals as possible. This is to enable us to hear about your experiences of corruption and what you consider corruption to be.

At this stage, we do not want to influence your thoughts - more capture them. A survey has gone online and we would be grateful if you could fill it in and distribute to your peers. 

The survey contains ten questions and can be completed in ten minutes. The survey will run until the end of September.

Given the sensitivity of the subject, the survey is anonymous unless you would like to talk to someone about your experience. At the end of the survey there is an option to leave your contact details.

We're looking forward to hearing your thoughts.

Best wishes,


Michael Petkov
Programme Officer
Pharmaceuticals & Healthcare Programme
Transparency International UK
michael dot petkov at transparency dot org dot uk

The link to the survey is here.

Wednesday, August 10, 2016

How the System is Rigged - Johnson and Johnson Board Member Pretends to be Independent Brookings Institution Scholar

Fears that "the system is rigged" may cause the lack of trust marring this year's political season. These fears are not baseless.

Dr McClellan of the Brookings Institution on Drug Prices

A recent series in the New York Times focused on the biases of the think tank "independent scholars" whose work is used to justify much policy making.  An article entitled "Think Tank Scholar or Corporate Consultant? - It Depends on the Day" actually provided a health care example that was much worse than what the title implied.

It noted that

Dr. McClellan, a former commissioner at the Food and Drug Administration who until January was a senior fellow at Brookings, has been a go-to expert for the federal government as it debates how to cope with surging costs of prescription drugs.

In particular, Dr McClellan has opined on the increasingly recognized problem of ever-rising drug prices, and on one class of drugs that we have discussed on Health Care Renewal.

At public events, Dr. McClellan emphasized the extraordinary progress by the pharmaceutical industry in coming up with treatments for diseases like diabetes, H.I.V. and hepatitis C.

'Lots of diseases have been transformed,' Dr. McClellan said at a hearing in November sponsored by the Department of Health and Human Services. He ran through a series of slides prominently stamped with Brookings’s name. He also argued that even though these drugs were very expensive, they were worth it given the improvement in a patient’s quality of life.

'They are, over all, a pretty good deal,' Dr. McClellan said, referring to treatments for hepatitis C. One such drug, manufactured by Johnson & Johnson, generated $2.3 billion in sales in its first full year, representing about 7 percent of the company’s overall drug sales in 2014. The pills cost $66,000 for a standard 12-week regimen.

Little Evidence that New Drugs for Hepatitis C Represent "Extraordinary Progress?"

Note that despite Dr McClellan's enthusiasm, there are no good data from clinical trials showing that the new drugs for hepatitis C have long-term clinical benefits.  As we wrote here last month....

In fact, starting in March, 2014, we have posted about the lack of good evidence from clinical research suggesting these drugs are in fact so wondrous.  The drugs are now touted as "cures," at least by the drug companies, (look here), and physicians are urged to do widespread screening to find patients with asymptomatic hepatitis C so they can benefit from early, albeit expensive treatment.

However, as we pointed out (e.g., here and here)
-  The best evidence available suggests that most patients with hepatitis C will not go on to have severe complications of the disease (cirrhosis, liver failure, liver cancer), and hence could not benefit much from treatment.
-  There is no evidence from randomized controlled trials that treatment prevents most of these severe complications
-  There is no clear evidence that "sustained virologic response," (SVR), the surrogate outcome measure promoted by the pharmaceutical industry, means cure. 
-  While the new drugs are advertised as having fewer adverse effects than older drugs, it is not clear that their benefits, whatever they may be, outweigh their harms.

Furthermore, health care professionals and researchers with heftier credentials in clinical epidemiology and evidence based medicine than mine have since published similar concerns.  These included
- a report from the German Institute for Quality and Efficiency in Health Care (the English summary is here)
- an article in JAMA Internal Medicine from the Institute for Clinical and Economic Review (1)
- a report from the Center for Evidence-Based Policy (link here)
- an article in Prescrire International (2)

These publications and your humble scribe noted that the clinical trials or other types of clinical research about new hepatitis C treatment published in the most prominent journals had numerous methodologic problems that all seemed likely to make the new drugs look better, perhaps intentionally.  (See posts here, here, and here.)

In July, 2016 we had written about the enthusiasm for these drugs expressed by Mr Bill Gates, chairman of the Gates Foundation.  Maybe one can somewhat excuse Mr Gates, who is hardly a clinical research expert, for this unjustified enthusiasm.  (Although maybe someone at his foundation, given its emphasis on global health, should have briefed him to the contrary.)

Why Was Dr McClellan So Unjustifiably Enthused?

Given Dr McClellan's background, why was he not more skeptical about the supposed miraculous properties of hepatitis C drugs?  His biography, provided for the US Department of Health and Human Services Pharmaceutical Forum, suggested he ought to know something about clinical research.  It stated,

Mark McClellan, MD, PhD, is a senior fellow and director of the Health Care Innovation and Value Initiative at the Brookings Institution. Within Brookings, his work focuses on promoting quality and value in patient centered health care, and he leads the Richard Merkin Initiative for Payment Reform and Clinical Leadership.

A doctor and economist by training, he also has a highly distinguished record in public service and in academic research. Dr. McClellan is a former administrator of the Centers for Medicare & Medicaid Services (CMS) and former commissioner of the U.S. Food and Drug Administration (FDA), where he developed and implemented major reforms in health policy. These include the Medicare prescription drug benefit, the FDA’s Critical Path Initiative, and public-private initiatives to develop better information on the quality and cost of care. Dr. McClellan chairs the FDA’s Reagan-Udall Foundation, is co-chair of the Quality Alliance Steering Committee, sits on the National Quality Forum’s Board of Directors, is a member of the Institute of Medicine, and is a research associate at the National Bureau of Economic Research. He previously served as a member of the President’s Council of Economic Advisers and senior director for health care policy at the White House, and was an associate professor of economics and medicine at Stanford University.

From time to time, McClellan advises U.S. government officials on health care policy issues. In his capacity as a health policy expert, he is the co-director of the Bipartisan Policy Center’s Leaders’ Project on the State of American Health Care; co-chair of the Robert Wood Johnson Foundation Commission to Build a Healthier America; and chair of the FDA’s Reagan-Udall Foundation. McClellan is also co-chair of the Quality Alliance Steering Committee, sits on the National Quality Forum’s Board of Directors, is a member of the Institute of Medicine of the National Academy of Sciences, and is a research associate at the National Bureau of Economic Research.

McClellan holds an MD from the Harvard University–Massachusetts Institute of Technology (MIT) Division of Health Sciences and Technology, a PhD in economics from MIT, an MPA from Harvard University, and a BA from the University of Texas at Austin. He completed his residency training in internal medicine at Boston’s Brigham and Women's Hospital, is board-certified in Internal Medicine, and has been a practicing internist during his career.

However, that biography left out one important item.  Per the NY Times article,

There was no mention in a video of the event that Dr. McClellan joined Johnson & Johnson’s board of directors in October 2013, or that he earned nearly $530,000 over the past two years in overall compensation from the company. That is in addition to his salary at Brookings, where he is one of the top-paid scholars, with $353,145 in wages and other compensation from the think tank in 2014, tax records show.

I suspect that most attendees at the conference had not read our 2013 post on Health Care Renewal that noted Dr McClellan's transit through the revolving door that ended up with his position on the Johnson & Johnson board.

Dr McClellan's Chronic Failure to Disclose His Johnson and Johnson Board Membership

Despite the fact that Dr McClellan's position on the Johnson & Johnson board of directors is public, as are the identities of all the members of US publicly held corporations, Dr McClellan has seemingly made a point of avoiding its mention when he assumes the persona of health care policy expert.

For example, he did not disclose it in some recent publications on aspects of health policy that likely would relate to Johnson & Johnson's interests.  These included:
- a 2014 Brookings report entitled "Improving Health Care While Reducing Cost Growth: What is Possible?"(3) in which he is only described as "Director, Health Care Innovation and Value Initiative, Senior Fellow, Economic Studies; The Brookings Institution."
- a 2014 article on "Health Reform and Physician-Led Accountable Care" in JAMA(4) which simply noted Dr McClellan came from the Brookings Institution, and which contained the assurance that all authors completed "the ICMJE Form for Disclosure of Potential Conflicts of Interest and none were reported."
- a 2015 article on increasing "pharmaceutical innovation" in Health Affairs(5) which similarly only described Dr McClellan as "senior fellow and director of the Health Care Innovation and Value Initiative at the Engelberg Center for Health Care Reform at Brookings."

Furthermore, Dr McClellan's new employer, Duke University, currently provides a biography which also omits any mention of his position on the Johnson & Johnson board.

Dr McClellan Denies any Conflict of Interest

The NY Times article suggested that Dr McClellan may think his position at Johnson & Johnson is irrelevant to his day job as health policy expert.

Dr. McClellan, in a statement, disputed any suggestion that he might have had a conflict.

'My entire career in academics, government and public policy has focused on evidence-based ways to improve health and restrain costs for consumers, and my extensive track record speaks for itself,' he said.

I suppose that Dr McClellan might have justified his failure to disclose his membership on the Johnson & Johnson board of directors by his perception that this membership caused no conflict of interest.

How Board Membership May Cause Severe Conflicts of Interest

I will omit detailed discussion of all the evidence that even receiving small gifts may affect thinking and actions through the social obligation to reciprocate.  Yet Dr McClellan did not just receive small gifts.  He is a member of a corporate board of directors.

In 2006, we first noticed that leaders of academic medicine also were serving as board members of large for-profit health care corporations.  The first example we discussed was that of Marye Anne Fox, Chancellor (equivalent to president) of the University of California - San Diego, and hence the person to whom the University of California, San Diego School of Medicine and its academic medical center report. The conflict was between this position, and her service as a member of the board of directors of Boston Scientific, a medical device manufacturer, and the board of directors of Pharmaceutical Product Development Inc., a contract research organization.

Later that year, we discussed a "new species of conflict of interest."  At that time we wrote:

Medical schools and their academic medical centers and teaching hospitals must deal with all sorts of health care companies, drug and device manufacturers, information technology vendors, managed care organizations and health insurers, etc, in the course of fulfilling their patient care, teaching, and research missions. Thus, it seems that service on the board of directors of such a public for-profit health care company would generate a severe conflict for an academic health care leader, because such service entails a fiduciary duty to uphold the interests of the company and its stockholders. Such a duty ought on its face to have a much more important effect on thinking and decision making than receiving a gift, or even being paid for research or consulting services. Furthermore, the financial rewards for service on a company board, which usually include directors' fees and stock options, are comparable to the most highly paid consulting positions. What supports the interests of the company, however, may not always be good for the medical school, academic medical center or teaching hospital.

As Robert AG Monks put it, board members must "demonstrate unyielding loyalty to the company's shareholders" [Monks RAG, Minow N. Corporate Governance, 3rd edition. Malden, MA: Blackwell Publishing, 2004. P.200.]  (Of course, after the global financial collapse of 2008 made us sadder and a little wiser, we realized that many board members actually seem to have unyielding loyalty to their cronies among top management.)  However, in any case, the stated or actual interests of a member of the board of a health care corporation, like a pharmaceutical company or medical device company, could be very different and at odds with the mission of not only academic medical institutions, but of think-tanks professing to provide unbiased policy relevant research.

Presumably, were Dr McClellan in a situation in which he had an opportunity to promote Johnson & Johnson's interests, such as speaking at an influential conference about drug prices, and failed to uphold the company's interests, stockholders could consider legal action against him for failing in his fiduciary responsibilities.  Thus the mind boggles at how Dr McClellan could believe that his role as a corporate director does not pose a conflict of interest for him in his better publicized role as think tank and now academic health care policy expert.


It is hardly news that US health care is broadly dysfunctional, that it suffers from ever rising costs, and questionable quality, while access has only somewhat improved after the 2009 Affordable Care Act.  The big question is why these problems seem so intractable.

Our latest case illustrates that the problem may be that health policy making is dominated by people with conflicts of interest.  In the current case, one of the more influential voices on health care policy turns out not to have just a garden variety conflict of interest.  He actually has a duty to uphold the corporate interests of one of the biggest US drug, biotechnology and device companies.  Could one really expect such a man would have a serious interest in controlling health care costs, especially those driven by the prices charged by drug, biotechnology, and device makers?

A system in which the top "independent" health policy experts may have conflicts of interest, may even be members of boards of directors of health care corporations, certainly suggests a system that has been rigged. 

As we have said again and again, the web of conflicts of interest that is pervasive in medicine and health care is now threatening to strangle medicine and health care.  Furthermore, this web is now strong enough to have effectively transformed US health care into an oligarchy or plutocracy.  Health care is effectively run by a relatively small group of people, mainly professional managers plus a few (lapsed?) health care professionals, who simultaneously run or influence multiple corporations and organizations.

For patients and the public to trust health care professionals and health care organizations, they need to know that these individuals and organizations are putting patients' and the public's health ahead of private gain. Health care professionals who care for patients, those who teach about medicine and health care, clinical researchers, and those who make medical and health care policy should do so free from conflicts of interest that might inhibit their abilities to put patients and the public's health first.

Health care professionals ought to make it their highest priority to ensure that the organizations for which they work, or with which they interact also put patients' and the public's health ahead of private gain, especially the private gain of the organizations' leaders and their cronies.


1. Ollendorf DA, Tice JA et al. The comparative clinical effectiveness and value of simeprevir and sofosbuvir in chronic hepatitis C viral infection. JAMA Intern Med 2014;174(7):1170-1171. Link here.
2. Sofosbuvir (Sovaldi), active against hepatitis C virus, but evaluation is incomplete. Prescrire Int 2015; 24: 5- 10. Link here.
3. McClellan M, Rivlin AM. Improving Health Care While Reducing Cost Growth: What is Possible? Engelberg Center for Health Care Reform at Brookings; 2015. Link here.
4. Mostashari F, Sanghavi D, McClellan M. Health reform and physician-led accountable care: the paradox of primary care physician leadership. JAMA 2015; 311: 1855-56. Link here.
5. Daniel GW, Caze A, Romine MH, Audibert C, Leff JS, McClellan M. Improving pharmaceutical innovation by building a more comprehensive database on drug development and use. Health Aff 2015; 34: 319-327. Link here.

Tuesday, August 09, 2016

More on uncoupling clinicians from EHR clerical oppression

At my August 6, 2016 post (link) I wrote of my belief that "best practices" for EHR evolution call for:

... a return to paper (specialized forms depending on the setting) for clinical data capture by busy doctors and nurses, and data entry into a computer via clerical personnel.

I presented a late 1990's real-world experiment in creating such a system for invasive cardiology in the Delaware hospital system, Christiana Care Health System, where I was CMIO at that time.

As at the links and (the latter a May 2002 article in the journal "Advance for Health Information Executives" written by myself and the project executive sponsor at the time), the "experiment" was a deliberate move away from the "doctors as clerical employees" article-of-faith of the health IT hyper-enthusiasts.

Hyper-enthusiasts ignore the downsides of what is a belief system based on articles of faith, one of whose 'sacraments' is that paper must be abolished in medicine.

In fact, an attempt to implement such a paperless system, "Apollo" as the commercial system was known, in a cath lab performing 6,000 procedures/year proved impossible.  The busy clinicians, doctors, nurses and technicians simply did not have enough time to enter data directly into a computer.  Maneuvering around a computer application, dealing with its designer-centric menus, drop-downs, icons, widgets, annoying messages, input limitations, outright crashes with data loss, etc. was both inappropriate, and in fact impossible, in such a setting.

In 2016, one of the largest complaints of hundreds of thousands of U.S. physicians and nurses is that they spend more time interacting with the computer than with patients.  Patients complain they cannot get eye contact from clinicians - who are tethered to a computer screen entering data - during "live" encounters.

It is my belief there is no solution to this problem, other than decoupling clinicians from data input and returning to paper for data entry, that is, specialized forms as in the aforementioned post.  Data input needs to be returned to clerical personnel as in the aforementioned invasive cardiology system.

The output side (with, of course, significant user-centered redesign) can remain computerized; as long as the paper forms are also made available via document imaging.

The forms for invasive cardiology looked like this, and were subject to revisions as needed.

Physician's data collection form, side 1
Physician's data collection form, side 2
Cath technician/nurse's data collection form, side 1
Cath technician/nurse's data collection form, side 2

The EHR itself was freed from "legacy" limitations regarding rapid customization, essential in medicine.  It was designed with the ability to rapidly incorporate changes and modifications to the dataset as needed, matching the changes to the forms.

Below I am showing some of the reports that this system produced regularly, as designed by the team of programmers, executives and cardiologists, under my medical informatics leadership. I used to do "real" informatics, e.g., leading the data modeling of entire clinical subspecialty domains and developing advanced IT based on those models, until seeing that the commercial sector was damaging the field of HIT, and medicine itself, with horribly bad health IT leading to letters such as the January 21, 2015 letter to HHS at  It was then, in the early 2000s, that I turned my attention to writing about the industry's deficits.

The major advantage of the cardiology reports shown below concerned accuracy, including the case report itself whose language and organization were also developed for optimal clinical organization and readability -- unlike the reams of "legible gibberish" that emanate from commercial EHRs then and today.  See my post "Two weeks, two reams" at l for more on that issue.

Quality data input into the system, being freed from the accuracy-impairing aspects of busy clinicians as clerical employees, and the resultant reports saved the organization close to $1 million in the first year and led to a better understanding of what worked and what didn't in treating blocked coronary arteries.

Some statistical reports, and sample computer-generated case report front page

An evaluation of the project by the national organization, the Society for Cardiac Angiography and Interventions, was that the accomplishments were "exceptional."

All this was achieved without direct clinician data entry - and deliberately so due to the distractions of that process having failed in the same setting in prior organizational attempts, without medical informatics expertise.  Perhaps, more accurately, I should say "medical informatics expertise in someone who also thinks critically about all issues involved, including adverse effects, of IT."  Clinicians could supplement each section of the forms data if needed via dictation, which was directly transcribed by humans into the cardiology server.

"Clerical work for clerical employees, clinical work for clinicians" was the theme of the project.

Breaking from the almost religious belief that paper is to be abolished at all costs was the key to creating really useful and well-accepted health IT, even in this exceptionally busy critical care setting.  It was still being used over a decade later, ca. 2008 and may still be now.  I have not been back for a visit since then.

One argument might be made that hospitals cannot afford enough clerical employees to do all the data input.  I maintain that, with hospitals spending upwards of $100 million for EHRs, and with the data being used and sold profitably by a wide variety of stakeholders who contribute nothing for the medical data they obtain (EHR makers, insurers, regulators to name just a few), transcriptionists could be afforded.

Of course:

Physicians with simply too much free time on their hands - the majority, it might seem, based on the behavior of the EHR hyper-enthusiasts and government pundits - and who enjoy giving away the fruits of their labor for others' profits could still enter data directly into the computer.  If they want to.

I note that if physicians really were empowered, the current status quo of clinicians as unpaid data-input personnel for those who profit from the data likely would never have come to pass.

Entering orders would still be done by clinicians, although that process and the process of alerts and reminders also needs a major reworking, such as use of advanced NLP to allow a more natural input of orders.

In summary, in the late 1990s the gospel of eliminating paper from medicine, and of clinicians needing to perform clerical work, were challenged and shown to be false narratives and injurious to health IT progress in a critical care setting, invasive cardiology.

The lessons learned are more valuable today than they were then, considering that the health IT experiment is failing on a wide scale today, with significant clinician rancor.  The CEO of the American Medical Association perhaps summed it up best when he referred to HIT as "the digital snake oil of the early 21st century" as at

Correction calls for abandoning cybernetic fetish words like "paperless" and a more appropriate allocation of computer-related tasks.  "Clerical work for clerical employees; clinical work for clinicians."

-- SS

Monday, August 08, 2016

Weird emails from Independence Blue Cross via its IT outsourcing partners: showing yet more health IT industry trust-destroying incompetence

In the past week I've received two emails that made me highly suspicious of medical/insurance identity theft.

The emails came from Independence Blue Cross, into the email account I receive normal mailings from them, and seemed to indicate someone had created an unauthorized user account (I redacted my email address below):

Aug. 5, 2016:

Date: Fri, Aug 5, 2016 at 7:19 PM
Subject: User Created
[my email address redacted]

User Created With UserId - userId20392, Password - password20392

July 27, 2016: 

Date: Wed, Jul 27, 2016 at 1:59 PM
Subject: User Created
To: [my email address redacted]

User Created With UserId - userId1546, Password - S04bd9u3tR

These user IDs and passwords did not work at's website, but my concern was that, if these were false accounts, the creator could have logged in and changed the password.

After the first email I left a message with the IBX fraud line, but heard nothing in response.

The metadata (IP headers) of the messages looked like this (I redacted my email address):

Delivered-To: [my email address redacted]
Received: by with SMTP id f62csp1992388qtd;
        Fri, 5 Aug 2016 16:20:27 -0700 (PDT)
X-Received: by with SMTP id l139mr7340323itb.19.1470439227798;
        Fri, 05 Aug 2016 16:20:27 -0700 (PDT)
Received: from ([])
        by with ESMTP id q123si19839234iof.67.2016.
        for ;
        Fri, 05 Aug 2016 16:20:27 -0700 (PDT)
Received-SPF: softfail ( domain of transitioning does not designate as permitted sender) client-ip=;
       spf=softfail ( domain of transitioning does not designate as permitted sender)
Received: from ([]) by with Microsoft SMTPSVC(8.5.9600.16384);
  Fri, 5 Aug 2016 19:19:39 -0400
Received: from ([]) by with Microsoft SMTPSVC(8.5.9600.16384);
  Fri, 5 Aug 2016 19:19:58 -0400
To: [my email address redacted]
Message-ID: <1180377472.11989.1470439198021.JavaMail.ibcsgusgaa01@ibcsgusgaa01>
Subject: User Created
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 05 Aug 2016 23:19:58.0024 (UTC) FILETIME=[E1DD4C80:01D1EF6F]
Date: 5 Aug 2016 19:19:58 -0400

User Created With UserId - userId20392, Password - password20392

After the second, I called IBX.  I was told it is a "malfunction", that these emails were not anything nefarious, other subscribers were affected, and that it "would be corrected soon."

I had already looked up the "Received from" header []:

Connecture, Inc. INFLOW-7524-7780 (NET-216-183-110-192-1) -
Inflow Inc. INFL-AR-1 (NET-216-183-96-0-1) -

Other IPs in the header appear to be of local (internal) workstations at the companies involved.
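
One way to triage a message like the one above, as an added example rather than anything from the original post: the script reads the Received-SPF verdict, classifies each bracketed relay address in the Received chain as internal (RFC 1918) or public, and flags credentials sent in the body. The sample message, its hosts, addresses and credentials are constructed placeholders, and the function name is hypothetical.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: hosts, addresses and credentials are placeholders,
# not values from the e-mail quoted in the post.
RAW = """\
Received: from mail.hosting.example ([203.0.113.25])
        by mx.example.org with ESMTP id abc123;
        Fri, 05 Aug 2016 16:20:27 -0700 (PDT)
Received-SPF: softfail (example.org: domain of transitioning
        noreply@insurer.example does not designate 203.0.113.25 as
        permitted sender) client-ip=203.0.113.25;
Received: from app01 ([10.20.30.40]) by relay01 with Microsoft SMTPSVC;
        Fri, 5 Aug 2016 19:19:39 -0400
To: subscriber@example.org
Subject: User Created

User Created With UserId - userId0001, Password - ExamplePass1
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CRED_RE = re.compile(r"UserId\s*-\s*\S+,\s*Password\s*-\s*\S+", re.I)


def triage(raw):
    """Summarise SPF verdict, relay hops and credential exposure."""
    msg = email.message_from_string(raw, policy=policy.default)
    # First token of Received-SPF is the receiving server's verdict.
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    hops = []
    for received in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(received)):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            internal = any(addr in net for net in RFC1918)
            hops.append((ip, "internal" if internal else "public"))
    findings = []
    if spf in ("softfail", "fail"):
        findings.append("sending host not authorised by the domain's SPF record")
    if CRED_RE.search(msg.get_content()):
        findings.append("credentials sent in cleartext in the message body")
    return {"spf": spf, "hops": hops, "findings": findings}


if __name__ == "__main__":
    print(triage(RAW))
```

The report deliberately omits the matched user ID and password, so the triage output can be shared without repeating the exposure.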

Who are these mysterious companies from which these emails seem to have originated?

Connecture, Inc:

Health insurance has entered the consumer age. Be ready. (We are.)

While there is almost universal agreement that health insurance will predominantly be distributed online in the near future, few American consumers have yet to experience it. In fact, most Americans have very little experience shopping for health insurance at all – let alone while making sense of numerous and often deceptively similar plans.

All of that is changing. Reform, the health insurance industry’s efforts to become more efficient, and Americans’ affinity for doing business online are all converging in the form of health insurance exchanges that present users with unprecedented freedom of choice.

Choice, of course, leads to questions. Which plans does my doctor participate in? Do they address my health needs? What about my family and my children? What happens if I need to go to the emergency room? How much will it cost – not just this month but year round? Am I eligible for a subsidy, and if so how much? In short, what’s the best plan for me and my family?

In health insurance, there are no cookie-cutter answers. That’s why health insurance exchanges and online distribution systems must do far more than enable consumers to enroll for coverage.

That’s where we come in. For more than 15 years we’ve focused on a singular goal: To create online systems and exchanges that empower Americans to choose the right health insurance plan online with confidence the first time, and every time.

Inflow Inc.

As of January 4, 2005, Inflow, Inc. was acquired by SunGard Availability Services, Inc. Inflow, Inc. provides facilities-based information technology outsourcing solutions to companies with critical business and network applications. The company offers its services in three primary lines: application hosting and management, business continuance and disaster recovery, and enterprise data-center management. Its application hosting and management services include application hosting and colocation, multi homed internet access, security services, application and infrastructure management, and network and system development. The company’s business continuance and disaster recovery services consist of business continuance planning/consulting, managed storage services, and content distribution services. Inflow’s enterprise data-center management services comprise onsite data-center management, operational support system management, data-center development, data-center audit services, data-center migration assistance, and business process documentation. Inflow, Inc. was founded in 1997 and was based in Thornton, Colorado.

Emphases mine.

So, perhaps millions of Independence Blue Cross customers are receiving emails that would reasonably cause suspicion in this day and age for identity theft, from companies that gloriously promise:

To create online systems and exchanges that empower Americans to choose the right health insurance plan online with confidence the first time, and every time.

To provide facilities-based information technology outsourcing solutions to companies with critical business and network applications

Confidence is the last thing the emails I received on behalf of inspire in me.

If this information is being spilled (to the subscriber's own email account, but who knows where else?), I can only fear that other information is not quite secure, and wonder if these "ghost accounts" are just a glitch, or insiders spying on PHI, or other effects of either massive bugs or hacker attacks.

IT companies and companies that outsource their critical IT to others (including health IT makers and health IT buyers such as hospitals) - and the IT service providers themselves - need to really, really get their houses in order.

They need to stop beta-testing buggy software upon their customers (or live patients in the case of clinical IT).

Problems like this reflect significant and trust-busting incompetence, at best.

-- SS