Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure

Case 1. Tumult

October 5, 2011
New York Times
Patient Data Landed Online After a Series of Missteps

By KEVIN SACK

Private medical data for nearly 20,000 emergency room patients at California’s prestigious Stanford Hospital were exposed to public view for nearly a year because a billing contractor’s marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test, the hospital and contractors confirmed this week. The applicant then sought help by unwittingly posting the confidential data on a tutoring Web site. [Got all that? - ed.]

In an e-mail sent to a victim of the breach, the billing contractor, Joe Anthony Reyna, president of Multi-Specialty Collection Services in Los Angeles, explained that his marketing vendor, Frank Corcino, had received the data directly from Stanford Hospital, converted it to a new spreadsheet and then forwarded it to a woman he was considering for a short-term job.

The position was with Mr. Corcino’s one-man shop, Corcino & Associates, Mr. Reyna wrote in the e-mail, which was authenticated by his lawyer, Ellyn L. Sternfield. The job applicant apparently was challenged to convert the spreadsheet — which included names, admission dates, diagnosis codes and billing charges — into a bar graph and charts, Stanford Hospital officials said.

Not knowing that she had been given real patient data, the applicant posted it as an attachment to a request for help on studentoffortune.com [I wrote about that earlier here - ed.], which allows students to solicit paid assistance with their work. First posted on Sept. 9, 2010, the spreadsheet remained on the site until a patient discovered it on Aug. 22 and notified Stanford.

My, how electronic data can travel when mishandled. Try that trick with 20,000 paper charts ...

The hospital, located on the campus of Stanford University in Palo Alto, demanded that the spreadsheet be removed, and the Web site quickly complied. Pressed for time, the job prospect wound up completing the assignment herself and, in the end, did not get hired, Ms. Sternfield said.

Ironically, this was all for naught.

Mr. Corcino, in his first public statement, attributed the breach to “a chain of mistakes which are far too easy to make when handling electronic data.”

Far too easy to make - especially by the dyscompetent.

... Breaches of private medical data have become distressingly commonplace, with two substantial ones disclosed in the last week alone. [We don't know the details of those yet; that's for next week - ed.]

Case 2: Pandemonium (from same NYT article)

In Orlando, officials with Florida Hospital reported that three employees had improperly combed through emergency department records of 2,252 patients, apparently to forward information about accident victims to lawyers. The employees were fired, and law enforcement officials are investigating.

Trolling for Torts - is this a new EMR TV game contestant show? Perhaps it could be followed by "Trolling for Tarts?"


Case 3: Bedlam (from the same NYT article)

Meanwhile, Science Applications International Corporation disclosed that computer backup tapes containing medical data for 4.9 million military patients [that number also amounts to almost 2% of the total U.S. population - ed.] had been stolen from an employee’s car in San Antonio. The data included Social Security numbers, clinical notes, laboratory test results and prescriptions. The company said the risk of harm was low because retrieving data from the tapes would require specialized knowledge, software and hardware. [Who's to say the theft was not by someone with that specialization, or someone paid by same to steal the tapes? - ed.]

The Texas breach is by far the largest since September 2009, when a new federal law began requiring disclosures of medical privacy violations involving at least 500 people. Some 330 such episodes have been tallied, including four others that affected more than one million people each.

We'd all be buried in stray clinical paper by now if it weren't for computers. Thank god for them!

Officials at the Department of Health and Human Services said the new reporting requirements had exposed deep vulnerabilities and encouraged renewed vigilance.

Exposed to whom? The blind, deaf and dumb?

“We’re moving in the right direction in terms of a culture of compliance,” said Leon Rodriguez, director of the department’s Office for Civil Rights, which investigates medical privacy cases. “Are there still a lot of problems out there? Yeah, my sense is there are still a lot of problems.”

The Titanic was moving in the right direction - towards New York Harbor, in fact, when it met a little unexpected obstacle. Perhaps a culture of brains would be better than a culture of compliance...

The Stanford breach was notable for the duration of public exposure, and for spotlighting the vulnerability created by a medical provider’s business relationships with outside parties.

Last week, lawyers filed suit in state court in Los Angeles, seeking certification as a class action and $20 million in damages from Stanford Hospital & Clinics and Multi-Specialty Collection Services, which is known as MSCS.

$20 million might hurt a bit, and might help motivate the organization to hire better and/or more appropriate clinical information management expertise - in house where it belongs (see below).

The threat of liability set off a predictable round of finger-pointing.

In written responses to questions, Lisa Lapin, Stanford University’s assistant vice president for university communications, said, “MSCS bears the complete and sole responsibility for the breach.”

It's their fault, not ours.

Ms. Lapin said the hospital had sent the data in encrypted form to Mr. Corcino, who requested it on behalf of MSCS to analyze a strategy for improving billing collections. She said Mr. Corcino had regularly represented himself as MSCS’s executive vice president and had been Stanford’s “primary contact” during a seven-year relationship. MSCS, a five-person firm that audits hospital accounts to maximize reimbursement, possessed the passwords to unencrypt the data, she said.

It was all about money and outsourcing.

“This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract and is shockingly irresponsible,” the hospital said in a statement.

It is foolish to believe that someone else can run critical aspects of your business, and it is even more foolish to believe that it is OK for someone else to run critical aspects of your business.

Ms. Sternfield, Mr. Reyna’s lawyer, said Mr. Corcino had never been an MSCS employee, but rather was paid a monthly fee to drum up business, typically in face-to-face meetings with health care executives. Mr. Reyna, she said, had no knowledge that the Stanford data had been sent to Mr. Corcino, or that he had passed it on.

Mr. Corcino was not authorized to use an MSCS title, Ms. Sternfield said, but she declined to say whether Mr. Reyna was aware of the practice. She acknowledged that Mr. Corcino sometimes used an MSCS e-mail account.

In his e-mail to the breach victim, who shared it with The Times, Mr. Reyna wrote that Stanford had sent the file to Mr. Corcino “for a potential MSCS project that would audit paid accounts to verify that the reimbursement was correct.”

For his part, Mr. Corcino said in a statement that he was an independent contractor but was “the marketing face of the company,” and that MSCS “allowed me to use the title of executive vice president.” He wrote: “Stanford sent the file to me at MSCS, and I imported the data into a spreadsheet that was forwarded to the job applicant as part of a skills test. I did not intend to provide any personal health information in the file. This was a marketing project.”

Without explaining how or why he sent the data to the applicant, Mr. Corcino said MSCS had not trained him properly and faulted Stanford for sending him private information that he did not need. That, he said, was the “first link in a chain of mistakes.”

“I regret that Stanford released a file containing unnecessary information,” Mr. Corcino said, “that MSCS did not have an appropriate training and audit system for the handling of electronic data and that I was not more careful with the file. While Stanford and MSCS left the information in the file I received, it was my mistake to not catch its inclusion and remove the data.” ... The hospital has terminated its relationship with MSCS, and Mr. Reyna has done the same with Mr. Corcino.

Even I can't follow all that. This will be one convoluted court case...

Stanford Hospital has reassured affected patients that the posted spreadsheet did not contain Social Security numbers, birthdates or credit card numbers, and has offered free identity theft protection services. The hospital said it had not uncovered any misuse of the exposed data.

Yet, that is. (Is it no wonder that sedatives are among the most highly-prescribed medications?)

Moving from the NYT article:

Case 4: Tumult (I'm running out of descriptors)

A large class action lawsuit again Health Net and IBM:

California Legal
Westlaw Journal Insurance Coverage

Health Net’s, IBM’s negligence compromised medical data, suit says

June 7 (Westlaw Journals) - Health Net Inc. and IBM face a class-action lawsuit seeking $5 million in damages over the loss of computer storage devices that held the medical histories, financial data and Social Security numbers of 2 million people.

Health Net Policyholder Alana Bournas’ class-action complaint in the U.S. District Court for the Eastern District of California alleges that the insurer and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information of millions of Health Net employees and policyholders.

The complaint alleges violation of California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, the state’s unfair-competition law; and public disclosure of private facts.

Companies will either pay the going price for competent employees, or pay for the mistakes of incompetent ones. It would probably be better for society, however, to do the former habitually.

The suit says IBM agreed to manage Health Net’s information technology database for five years beginning in 2008.

IBM informed Health Net Jan. 21 that it had lost nine disk drives containing the confidential information of 2 million people, including Health Net policyholders and employees.

Health Net failed to alert the victims of the breach until March 14, the complaint says.

IBM allegedly also failed to encrypt the data, thereby enabling anyone who possesses the hard drives to easily access the confidential information. This puts the victims at an increased risk of identity theft and “other unauthorized uses of plaintiff and class members’ personal information” the suit says.

Encryption, a feature now built into mainstream OS's by Microsoft and Apple? (Oh wait...IBM...)

Health Net’s attempt to compensate the victims by providing two years of free credit monitoring services through TransUnion is an inadequate remedy for the defendant’s conduct, Bournas says. This “remedy” fails to address unauthorized disclosures of medical information, and the monitoring services only protect against new account fraud but do not address fraudulent activity with existing accounts, the suit says.

These executives apparently can't even get the fix straight.

Moreover, the complaint says, Health Net has previously been accused of a similar breach of confidential information. In 2009 it lost the same types of records of nearly 1.5 million people and waited six months before notifying the victims. In settling the state of Connecticut’s lawsuit stemming from that security breach, the company promised “to enhance security procedures and training,” the suit says.

What can I say?

The current breach could have been avoided had Health Net and IBM taken proper precautions and implemented security policies to maintain consumers’ confidential data, according to Bournas. Therefore, the protections granted under California law require that Health Net be penalized for its negligence, she says.

The plaintiff notes that millions of people entrusted Health Net with their private data.

“At best, defendants’ actions allowed this private information to go astray. At worst, the private information is being viewed, sold, resold, and used for illegitimate and illegal purposes,” the complaint says.

The suit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs.

Bournas v. Health Net Inc., No. 2_11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).

I would revise that to say "The current breach could have been avoided had Health Net and IBM hired personnel in adequate numbers with the qualifications and true gravitas (and not laid them off, of course) to maintain consumers’ confidential data."

Case 5: Maelstrom (I am reaching to the bottom of the barrel for such descriptors).

Wellpoint recently settled class-action suit in CA.

AMA news
By Pamela Lewis Dolan, amednews staff.
Posted Aug. 1, 2011.

WellPoint reaches tentative accord in data breach suit

It is the second settlement to come from lawsuits claiming that the company failed to protect the privacy of individual insurance applicants online.

WellPoint has reached a preliminary settlement that will, if approved, bring an end to a class-action lawsuit filed more than a year ago.

The lawsuit, filed in the Superior Court of the State of California, involves the potential exposure of data belonging to more than 600,000 individual health insurance applicants on a company-run website that allowed insurance applicants to track their applications.

The situation came to light when an applicant to WellPoint-owned Anthem Blue Cross of California sued the company in March 2010. The applicant was able to manipulate the web address within the site to gain access to other applicants' information, including names, addresses, dates of birth, Social Security numbers and health and financial information.

In other words, probably changing a simple number in the URL brought up someone else's records. Good going there, Wellpoint. What were the programmers thinking? (Were they thinking?)

When the suit was filed, the company said an upgrade to the system caused the information to become exposed. The company said a third-party vendor validated that all security measures were in place when, in fact, they were not. Changes were made to the system soon after the situation was discovered.

Blame someone else, yet again.

In addition to the class-action suit, the company was sued by Indiana Attorney General Greg Zoeller in July 2010. The suit, filed in Marion County Civil Superior Court, alleged that the company violated the Indiana Disclosure of Security Breach Act by failing to notify Zoeller, and the 32,051 Indiana residents affected by the incident, in a timely manner. That suit was settled in early July, when WellPoint agreed to pay a $100,000 fine. As part of the settlement, WellPoint admitted it had a security breach and failed to properly notify the attorney general's office as required by law.

Gevalt.

Under the preliminary settlement in the California class-action matter, WellPoint agreed to offer credit monitoring for two years to all affected individuals. Class members are eligible to receive reimbursement for identity theft losses of up to $50,000 per incident, as well as additional time to file identity theft claims until May 31, 2016. Those making identity theft claims are eligible for an additional five years of credit monitoring. The company also will donate a total of $250,000 to two nonprofit organizations whose efforts are directed at protecting consumers' privacy on the Internet.

It might have been cheaper and better for goodwill not to outsource a vital function...those third-party vendors can really hurt you. (I'd really like to know - was this "third party vendor" domestic, or overseas?)

WellPoint did not admit wrongdoing in the case, nor was it found guilty. A fairness hearing is scheduled for November, and the courts then will decide whether to approve the settlement.

Large corporations are immune from such formalities as admitting wrongdoing or being found guilty.

-----------------------

But don't worry. Your medical data's safe.

Sort of. See also:

• "Networked EMR's and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?",

• "Networked, Interoperable, Secure National Medical Records a Castle in the Sky?",

• "Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?",

• "Medical data breach of the week - but your EMR data is secure, trust us, we're IT experts",

• "Insurers Test Data Profiles to Identify Risky Clients",

• and others

-- SS

Medical Data Breach of the Month Department: Health Net Once Again a Star in the Healthcare Renewal Theatre

I have written frequently about the breaches of electronic information security, such as at my posts:

"Networked EMR's and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?"

"Networked, Interoperable, Secure National Medical Records a Castle in the Sky?"

"Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?"

Medical data breach of the week - but your EMR data is secure, trust us, we're IT experts

and others.

This latest medical information breach only affected a mere 2 million people this time.

Perhaps we should go for 20 million next time?

And then - there were substantial delays in notification (to give identity thieves time to get rich?)

Health Net Delays Notification of Data Breach Involving 2 Million People

By: Brian T. Horowitz
2011-03-16

Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drives and the data of 2 million customers, employees and health care providers.

Health Net, a provider of health insurance to about 6 million people across the United States, has come under fire for reporting the loss of nine server drives at its data center in Rancho Cordova, Calif., nearly two months after it occurred.

More than 2 million Health Net members, employees and health care providers may have been affected by the data breach, including about 845,000 California policyholders, according to The San Francisco Chronicle. California regulators are investigating the breach, the newspaper reports.

How did this happen?

The insurer found out about the security lapse on Jan. 21, when IBM, which manages the company's IT infrastructure, informed Health Net that it was unable to locate server drives, according to a recording on Health Net's data breach hotline (855-434-8081).

These drives perhaps are of a new technology, with motorized robotic legs that allow them to walk away.

Or perhaps the drives were like this, where the round drive platter stacks perform double duty as wheels:

A "mobile" hard drive. Click to enlarge.

The drives just rolled away - to the tune of Steppenwolf's "Born to be Wild" ...

These drives were just Born to be Wild! Click to play.

Get your motor runnin' ... head out on the highway ...

The health benefits provider began its investigation at that time and learned that the nine drives included personal information for former and current Health Net members, employees and health care providers. The company didn't report the breach to the public until March 14.

Gee, thanks.

Health Net spokesman Brad Kieffer declined eWEEK's request for additional information on the breach but said, "We continue investigating unaccounted for server drives, and out of an abundance of caution we are notifying our members."

"Abundance of caution" and an almost 2-month delay do not belong in the same news story.

... "Given the size and type of data lost, this is a serious breach, and those affected should have been notified and protected immediately when IBM notified Health Net of the loss," Rob Enderle, principal analyst for the Enderle Group, wrote in an e-mail to eWEEK.

Indeed.

"While the delay was likely due to the belief that these drives were either misplaced or reused and not logged and the hope they would turn up on a maintenance rotation, the exposure to those that may have been compromised is excessive, and for an insurance company not to immediately mitigate this exposure—unforgivable," Enderle said.

"Hope/keeping your fingers crossed" and "due diligence/corporate responsibility" also do not belong in the same paragraph.

Information included names, addresses, health information, Social Security numbers and/or financial information, Health Net reports. .

All the news that's fit to print.

The Health Net breach could be the most serious health care data breach since 2008, when incidents affected 2.2 million people at the University of Utah and 2.1 million people at the University of Miami, according to the San Francisco Chronicle report.

Since 2008, eh, way back when, ancient history, when dinosaurs ruled the earth?

In May 2009, Health Net suffered another security breach in which a portable disk drive holding the medical and financial data on 1.5 million members disappeared from its Connecticut headquarters.

The portable disk drives must have robotic legs, too.

Data breach penalties for Health Net could be severe, according to Enderle.

Perhaps that's why they were crossing their fingers hoping the drives would turn up somehow?

Finally, I note that this company has also been busy in recent years making a name for themselves in the Healthcare Renewal Theatre in other ways. They're stars! See http://hcrenewal.blogspot.com/search/label/Health%20Net

-- SS

Health Insurers Sanctioned, Fined

It has not been a good few weeks for big US health insurance companies.  First was a report (e.g., per the Wall Street Journal) that three companies had been suspended from selling Medicare Advantage plans:

The U.S. government's Medicare program has ordered three health insurers--Universal American Corp. (UAM), Health Net Inc. (HNT) and Arcadian Health--to stop marketing to and enrolling new members in their Medicare Advantage health and prescription-drug plans, saying the companies violated regulations.

In particular,

Universal American was told to stop marketing to and enrolling people in its Medicare Advantage plans effective Dec. 5. The action doesn't affect current members or the enrolling of beneficiaries in the company's stand-alone Medicare prescription-drug plans.

Health Net had to suspend the marketing of and enrollment in its Medicare Advantage plans and stand-alone Medicare prescription-drug plans as of Friday, as the government said the company's conduct poses a 'serious threat' to enrollees. The sanction doesn't affect the status of current enrollees, however.

In a letter Friday to Theodore Carpenter, head of Universal American's Medicare Advantage business, the Centers for Medicare and Medicaid Services alleged the company has a 'longstanding pattern of prohibited marketing practices targeted to highly vulnerable populations in violation' of federal law and guidelines as well as contractual terms with CMS.

Universal American is a 'chronic poor performer' with respect to the regulations, according to CMS, which said the company's agents engaged in aggressive sales tactics and abusive behavior, and misled or confused beneficiaries or misrepresented the plan.

The agency's letter to Health Net government-programs executive Scott Kelly said the company's conduct 'poses a serious threat to the health and safety of its enrollees,' as a result of the company's 'intractable failure to provide its enrollees with prescription drug benefits in conformance" with laws, guidelines and contract terms.' CMS cited a 'history of non-compliance.'

Then, the state of California fined and ordered restitution from multiple companies, as reported by the San Francisco Chronicle:

State regulators Monday fined seven of California's largest health insurers nearly $5 million for systematically failing to pay doctors and hospitals fairly and on time.

The California Department of Managed Health Care issued the fines following an 18-month audit in which investigators looked at a small but statistically significant sample of claims. The investigation found the plans were paying on average about 80 percent of the claims correctly, far below the legal threshold of 95 percent.

'Our clear and consistent message is that California's hospitals and physicians must be paid fairly and on time,' said Cindy Ehnes, director of the Department of Managed Health Care, which is charged with regulating the states' health maintenance organizations, or HMOs.

In addition to the fines, the companies must pay the doctors and hospitals restitution that is expected to run into the "tens of millions of dollars," Ehnes said. The plans will also be required to come up with a plan to correct the problem and submit to future audits.

Failing to pay providers properly makes it tougher for them to survive in the struggling economy, Ehnes said. 'If providers are not paid, patient care and access suffer,' she said.

Regulators fined Anthem Blue Cross and Blue Shield of California $900,000 each. United/PacifiCare was fined $800,000 and Kaiser Foundation Health Plan and Health Net were both hit with fines of $750,000.


The fines for Cigna and Aetna were $450,000 and $300,000, respectively, for a total of $4.85 million.

Please note that some of these companies have become "frequent flyers" on the Health Care Renewal blog.  Anthem Blue Cross in California is a subsidiary of WellPoint. WellPoint, in particular, just appears again and again on Health Care renewal.  A list of all posts about that company is here, and see this post for a list of past ethical and management missteps.  Health Net appeared in both stories above, and appeared on Health Care Renewal here.  Posts on Aetna are here.

Having been writing for this blog now for several years, I am struck by how often the conduct of particular health care organizations has been discredited, without any discernible effect on the organization's leadership or course.  It is particularly striking how the attention paid and pay given to the leaders of some health care organizations contrasts with the public record of their organization's bad behavior.

In particular, contrast the long catalog of misbehavior by WellPoint, noted above, with the enormous earnings of the company's CEO (more than $13 million in 2009), and her status as a prominent speaker on health care policy (see post here). 

In the laissez faire, anything goes, wild, wild west economy of today, spearheaded by the financial service companies that lead us to the global economic collapse, it seems that ethical leadership counts for nothing.  This is bad when it applies to the leadership of financial services, whose bad leadership can cost us all a lot of money.  It is worse when it applies to health care, whose bad leadership can cost us our health and our lives.

As I have said ad infinitum, to really reform health care, we will need to get accountable, ethical, transparent leadership of health care organizations.

Managed Care Executives Will Not Limit Rescissions

We have posted before about how certain health care insurance companies/ managed care organizations in California were found to have cancelled individual health insurance policies after the people holding them made substantial claims, supposedly rationalized by minor errors or omissions in the information the people supplied to the companies on their individual applications found after the claims were made. Several companies were subsequently disciplined by the state government for these "rescissions." See posts on rescissions by WellPoint here, here, and here, and by Health Net here.

Executives of several such companies testified before a US congressional committee recently, with remarkable results, as reported by Lisa Girion writing in the Los Angeles Times. First, by way of background, the article suggested that rescissions are widespread:

An investigation by the House Subcommittee on Oversight and Investigations showed that health insurers WellPoint Inc., UnitedHealth Group and Assurant Inc. canceled the coverage of more than 20,000 people, allowing the companies to avoid paying more than $300 million in medical claims over a five-year period.

Furthermore,

The committee's investigation found that WellPoint's Blue Cross targeted individuals with more than 1,400 conditions, including breast cancer, lymphoma, pregnancy and high blood pressure. And the committee obtained documents that showed Blue Cross supervisors praised employees in performance reviews for rescinding policies.

One employee, for instance, received a perfect 5 for 'exceptional performance' on an evaluation that noted the employee's role in dropping thousands of policyholders and avoiding nearly $10 million worth of medical care.

Nonetheless, the executives were not prepared to abandon rescissions:

Executives of three of the nation's largest health insurers told federal lawmakers in Washington on Tuesday that they would continue canceling medical coverage for some sick policyholders, despite withering criticism from Republican and Democratic members of Congress who decried the practice as unfair and abusive.

The executives -- Richard A. Collins, chief executive of UnitedHealth's Golden Rule Insurance Co.; Don Hamm, chief executive of Assurant Health and Brian Sassi, president of consumer business for WellPoint Inc., parent of Blue Cross of California -- were courteous and matter-of-fact in their testimony.

But they would not commit to limiting rescissions to only policyholders who intentionally lie or commit fraud to obtain coverage, a refusal that met with dismay from legislators on both sides of the political aisle.

Sassi said rescissions are necessary to prevent people who lie about preexisting conditions from obtaining coverage and driving up costs for others.

'I want to emphasize that rescission is about stopping fraud and material misrepresentations that contribute to spiraling healthcare costs,' Sassi told the committee.

But rescission victims testified that their policies were canceled for inadvertent omissions or honest mistakes about medical history on their applications. Rescission, they said, was about improving corporate profits rather than rooting out fraud.

Also,

Late in the hearing, Stupak, the committee chairman, put the executives on the spot. Stupak asked each of them whether he would at least commit his company to immediately stop rescissions except where they could show 'intentional fraud.'

The answer from all three executives:

'No.'

This is just amazing. Here are executives of three of the country's largest for-profit health care insurance companies/ managed care organizations asserting they will continue cancelling peoples' policies after they make claims, simply because of minor errors or omissions in the application documents that have no bearing on the particular claims, or on discrepancies between information provided by patients and doctors, given that patients may not have full access to or understanding of what is in their charts. What good is an insurance policy that is liable to be cancelled as soon as one makes a claim on it?

Whatever these companies are selling, it is not insurance. Basing our health care system on their products is foolish, but that is what we are doing, and what many political leaders would continue to do.

In my humble opinion, if we are going to have a system based on privately provided insurance, that insurance has to be honest, unlike what some of our largest insurance companies seem to be peddling.

The Judge Cites Health Net's "Egregious" and "Reprehensible" Business Practices

More than two years ago, we noted that Health Net Inc,, the large US health insurer/ for-profit managed care organization, had settled a class-action lawsuit brought by California physicians under the RICO (Racketeer Influenced and Corrupt Organizations) standard. Late last year, we noted that HealthNet was fined by the state of California for offering bonuses to employees who retroactively cancelled the most individual health policies after their holders got sick and filed claims, and that the company was under investigation in Connecticut for allegedly sending deceptive messages to pharmacists that denied payment for some low-income childrens' medication.

Last week, Florida Health News reported,

Medicare officials have ordered Health Net, Inc., one of the largest publicly traded health insurers in the nation, to stop marketing its “Health Net Orange” prescription drug plans.

The U. S. Centers for Medicare and Medicaid Services also froze enrollment in the drug plans, according to an obscure notice on a government Web site.

The government acted against the California company because it fell behind in processing enrollment applications and sent members incorrect information about changes in their coverage for 2008, said CMS spokeswoman Allison Henry.

Also last week, Lisa Girion wrote in the Los Angeles Times, that Health Net was being sued by the Los Angeles City Attorney for allegedly retroactively canceling individual insurance policies after their holders got sick, and was opening a criminal investigation of allegations that the company paid bonuses to employees who cancelled the largest number of policies.

To top it all off, Lisa Girion also reported in the Los Angeles Times,

One of California's largest for-profit insurers stopped a controversial practice of canceling sick policyholders Friday after a judge ordered Health Net Inc. to pay more than $9 million to a breast cancer patient it dropped in the middle of chemotherapy.

The ruling by a private arbitration judge was the first of its kind and the most powerful rebuke to the state's major insurers whose cancellation practices are under fire from the courts, state regulators and elected officials.

Calling Woodland Hills-based Health Net's actions 'egregious,' Judge Sam Cianchetti, a retired Los Angeles County Superior Court judge, ruled that the company broke state laws and acted in bad faith.

'Health Net was primarily concerned with and considered its own financial interests and gave little, if any, consideration and concern for the interests of the insured,' Cianchetti wrote in a 21-page ruling.

When Health Net dropped her in January 2004, Bates was stuck with more than $129,000 in medical bills and was forced to stop chemotherapy for several months until she found a charity to pay for it.

Amazingly enough, Health Net's top leader actually promised to stop retroactive cancellations of individual policies, and expressed what appeared to be remorse for his company's actions.

Health Net Chief Executive Jay Gellert ordered an immediate halt to cancellations and told The Times that the company would be changing its coverage applications and retraining its sales force.

'I felt bad about what happened to her,' he said. 'I feel bad about the whole situation.'

Gellert said he would move quickly to 'give people the confidence that they can count on their policy.' Specifically, he pledged to stop all cancellations until an external review process could be established to approve all cancellations.

Until Friday, the companies had uniformly defended cancellations, saying they were necessary to hold down costs by weeding out people who may have failed to disclose pre-existing conditions on applications for coverage. They say cancellations happen infrequently.

It is also noteworthy that documents produced during the trial appeard to confirm previous allegations that Health Net paid bonuses to employees who retroactively terminated the most individual policies.

At the arbitration hearing, internal company documents were disclosed showing that Health Net had paid employee bonuses for meeting a cancellation quota and for the amount of money saved.

'It's difficult to imagine a policy more reprehensible than tying bonuses to encourage the rescission of health insurance that keeps the public well and alive,' the judge wrote.

HealthNet has now quite a record of bad behavior, from settling a racketeering-influenced corrupt organization (RICO) lawsuit, being fined for paying bonuses to employees for retroactively canceling individual health policies, being forbidden to market specific policies by the US Center for Medicare and Medicaid Services (CMS) because the company provided policy-holders misleading information, to now being subject to punitive damages for a single, "egregious" retroactive policy cancellation. That's quite a track record. Yet despite this record, so far no individual company leader has had to pay any penalty, and while the company is lead by the same people who were apparently responsible for all these previous messes, the company's business has not suffered.

This illustrates a huge problem with the current way health care operates in the US. There are no major disincentives of any kind for leadership that puts the company's and their "own financial interests" ahead of patients' interests. The leaders do not have to fear for their jobs, reputations, or pocketbooks. After all was said and done, at the most they might have to say "sorry."

Until our system and culture start to provide for major disincentives for unethical business practices by leaders of health care companies, such practices will continue unabated. The results will continue to be "egregious" and "reprehensible."

One wonders with all the hand-wringing about health care going on during the current US presidential campaign, whether anyone will notice that mismanagement and unethical business practices in health care organizations likely account for much of our excess costs, poor access, and degrading quality. Revamping health care financing might change the nature of the mismanagement and unethical business practices that afflict health care, but it won't eliminate them. We will have more cases like that of HealthNet, worse cases than that of HealthNet as long as we ignore these elephants in health care's living room.

ADDENDUM (29 February, 2008) - See also comments on the Effect Measure blog, and The Health Care Blog.

Health Net Statements Inoperative in California and Connecticut

A little while ago we posted about accusations that Health Net Inc, a for-profit managed care organization, cancelled individual health insurance policies after the policy-holders became ill and filed claims. Now the company is also accused of trying to conceal related information from state regulators.

The San Francisco Chronicle reported that

State health regulators fined Health Net Inc. $1 million Thursday for lying to investigators about paying employees bonuses based on the number of contracts they canceled after those policyholders got sick.

The penalty was the first levied on a health insurer for withholding information about incentives given to its employees.

Health Net, along with other major health insurers, is being investigated for combing through applications of members after they have filed claims to find mistakes or omissions that would justify revoking policies. Insurers say they resort to rescinding policies only when members lie about their health histories, but consumers say the questionnaires often are vague and misleading.

As part of the investigation, state regulators asked Health Net officials on two separate occasions whether the company gave financial bonuses to its employees for rescinding policies. State law prohibits tying compensation to claims decisions. Both times, plan officials denied doing so.

Health Net executives apologized Thursday for 'any misunderstanding' with the state regulators. The company, based in Woodland Hills (Los Angeles County), accepted a consent agreement and promised to stop compensation practices linked to rescission.

Meanwhile, in Connecticut, the state subsidiary of Health Net has also been accused of deception. According to the Hartford Courant,

Health Net of Connecticut is under fire from state officials for sending pharmacies fraudulent computer messages that deny some low-income children medications, and for allegedly misleading a state inquiry into thinking it didn't use the messages.

Attorney General Richard Blumenthal, who has initiated an investigation into the matter, said Wednesday he is calling for sanctions against Health Net.

'The claims are credible and compelling, and so serious and significant and so egregious it could require very strong remedies and sanctions,' Blumenthal said.

Health Net, one of four managed care organizations that provide health care to Medicaid recipients, uses a 'not covered' pharmacy computer message that falsely leads some pharmacists to believe prescriptions aren't covered when all that is required is prior authorization from the insurer.

During a DSS investigation earlier this year into the computer messages of the state's four managed care organizations, Health Net misled the state into thinking that its primary message read by pharmacists wasn't a 'not covered' message, [Connecticut Legal Services attorney Randi] Mezzy said.

Alice Ferreira, a spokesperson for Health Net, said the company did not intentionally mislead the state and that it will correct the problem immediately.

It seems that Health Net operations in at least two states have a problem with producing "inoperative" statements, in the immortal words of US President Nixon's former press secretary.

To extend an argument I have made before about the pharmaceutical industry, if health care insurers and managed care organizations want to be regarded as trustworthy, perhaps they ought to consider actually acting in ways that might inspire trust.

Health Net Stalls Surgery for Rare Disease

The San Francisco Chronicle has been covering a case of a young boy with metatropic dysplasia, a disease so rare, according to the Chronicle, that it appears there is only one surgeon in the US, Dr. William MacKenzie at the duPont Hospital for Children in Delaware, who has experience treating it.
(A quick PubMed search did corroborate the disease's rarity, revealing only 27 articles ever published on it. The most recent case report, from 2005, noted that only 67 cases have been reported world-wide.)
Yet, Health Net, the family's managed care organization, has resisted four appeals to authorize payment to Dr. MacKenzie.
Chronicle columnist, C. W. Nevius, wrote, "HMOSs never want to hear about rare diseases." He quoted a local health care advocate, "When you have to fly a patient out to the East Coast, it is a fundamental HMO no-no. It is the M.O. [modus operandi] of health care providers [presumably meaning HMOs] to deny access to expensive treatments. They give you the runaround and hope you go away."
The HMO in question, Health Net, which initially failed to respond to Nevius' requests for comments, apparently was not moved by a note from the patient's primary care physician that "it is imperative" that he see the East Coast specialist. The Chief of Pediatric Orthopedics of University of California- San Francisco, Dr. Mohammad Diab, admited he had no experience with the necessary surgery, but suggested it be done fast, "the door is closing, if not closed."
After the story appeared in the Chronicle, Health Net partially relented, according to Nevius' next column, authorizing a consultation with the specialist, but no further treatment. David Olson, the Senior Vice President for Corporate Communications, dismissed the notion that the patient is in imminent danger, calling it a "typical lawyer ploy. There is nothing in the record to indicate that something has to happen right now."
This sort of heavy-handed approach to cost-containment is what sparked the anti-managed care backlash in the 1990's. As is usual for managed care, the emphasis seems to be on restricting access to care, rather than on bargaining down the costs of egregiously high-priced goods and services.
Moreover, focusing on restricting treatments for patients with rare diseases will almost never be truly evidence-based, because rare diseases will not be subject to studies of sufficient statistical power to demonstrate that particular treatments will not work. But focusing on such restrictions will not even save much money in the aggregate, since rare diseases are, well, rare.
So the main result of this approach will be to reinforce managed care's reputation for heartlessness. In the case of Health Net, it seems particularly distinct from the preamble to the company's statement about business conduct and ethics, "Health Net, Inc. is dedicated to helping people be healthy, secure and comfortable. To succeed in our mission, we must maintain our customers' trust...."
Perhaps managed care would do better if it were lead by people who have some knowledge of the clinical context. In contrast, Mr. David Olson, the one Health Net official who has spoken publicly about this case, according to his his official biography seems to have no obvious direct health care experience. Mr. Olson is now responsible "for the company's investor relations function and internal and external communications, and also oversees government relations and charitable contributions." He previously served as "vice president, Investor and Public Relations, for Health Systems International, Inc. (HSI)," and " vice president, Corporate Communications for National Medical Enterprises, Inc. (NME), having joined NME in 1989 as director of Shareholder Communications." His only academic qualifications are "a BA in English from Washington and Lee University." Maybe he needs to talk to a doctor.