Practice Fusion, a San Francisco-based health information technology developer, will pay $145 million to resolve criminal and civil investigations relating to its electronic health records (EHR) software (1). The Department of Justice announced on January 27th that the company admitted it solicited and received kickbacks from a major opioid company in exchange for utilizing its software to influence physicians prescribing opioid pain medications. The pharmaceutical company is widely speculated to be Purdue Pharma which faces U.S. Justice Department probes and sprawling litigation over allegations it played a central role in the deadly opioid crisis (2).

The DOJ said Practice Fusion extracted kickbacks from pharmaceutical companies in exchange for implementing a clinical decision support (CDS) system in its electronic health records (EHR) software designed to increase prescriptions for their drug products. In exchange for “sponsorship” payments from pharmaceutical companies, Practice Fusion allowed the companies to craft CDS alerts to increase sales of the companies’ products, resulting in alerts that did not always reflect accepted medical standards. In their criminal probe of opioid makers, federal prosecutors have indicted pharmaceutical company executives, physicians and pharmacists. This is the first criminal action against an EHR vendor and no indictments of any Practice Fusion executives were made.

Founded in 2005, Practice Fusion offers an EHR tailored for smaller, independent physician practices. It supports practices that comprise 112,000 health care workers who see 5 million patient visits per month. Practice Fusion had expected to go public at a valuation of about $1.5 billion, but was instead acquired in 2018 by Chicago-based Allscripts for $100 million in cash.

Our practice at Arizona Chest and Sleep Medicine uses Practice Fusion in its outpatient clinics. None of us were aware of receiving any alerts advising prescribing opioids.

References

1. Johnson T. S.F.-based Practice Fusion Inc. admits to opioid kickback scheme. San Francisco Business Times. January 28, 2020. Available at: https://www.bizjournals.com/sanfrancisco/news/2020/01/28/s-f-based-practice-fusion-inc-admits-to-opioid.html (accessed 2/3/20).
2. Spector M, Hals T. OxyContin maker Purdue is 'Pharma Co X' in U.S. opioid kickback probe – sources. Reuters. January 28, 2020. Available at: https://www.reuters.com/article/us-purdue-pharma-investigation-opioids-e/exclusive-oxycontin-maker-purdue-is-pharma-co-x-in-us-opioid-kickback-probe-sources-idUSKBN1ZR2RY (accessed 2/3/20).

Cite as: Robbins RA. Practice Fusion admits to opioid kickback scheme. Southwest J Pulm Crit Care. 2020;20(2):63. doi: https://doi.org/10.13175/swjpcc010-20 PDF

A large-scale computer cyberattack at Banner Health compromised the records of up to 3.7 million patients, health-insurance-plan members, food and drink customers, and doctors according to the an Arizona Republic article by Ken Alltucker (1). Banner Health discovered unusual activity on its computer servers in late June and uncovered evidence of two attacks, with hackers accessing both patient records and payment-card records of food and beverage customers. The Phoenix-based health-care provider said it will mail letters to those affected notifying them about details of the cyberattack and steps they can take to protect themselves. Banner employees, many of whom are patients and covered by Banner Health insurance plans, also are believed to be victims of the attack.

The Banner Health attack is the largest among 32 known data breaches involving Arizona-based health and medical providers since 2010 according to an U.S. Department of Health and Human Service list. The breach exceeds all other breaches in Arizona combined by over 1,000,000 affected individuals. Banner also has the dubious distinction of the previous high in Arizona when records of 55,207 were compromised in 2014 (2).

Banner Health officials said they thus far have not received reports of hackers misusing the information, but the health-care provider will offer a free one-year membership in credit-monitoring services to patients, health-plan members and others affected by the cyberattack. The hackers apparently accessed Banner computer systems that process payment-card data at food and beverage outlets at some Banner Health locations. Potential victims can view a list of affected Banner locations in Arizona, Alaska, Colorado and Wyoming at http://bannersupports.com/customers/affected-locations/. On July 13, Banner Health discovered that hackers also may have accessed patient and health-insurance records, which may have included information about doctors and health-care providers. Those records may have included names, birth dates, addresses, doctors' names, dates of service, claims information, health-insurance information and Social Security numbers.

Bob Gregg, chief executive of Portland, Ore.-based ID Experts. said health-care providers are increasingly facing attacks from criminal organizations that resell the information for profit. According to Gregg. a record containing a name, address and Social Security number sells for $1 to $3 on the black market but detailed medical records with unique patient identifying numbers can fetch up to $100 per record.

Banner Health has established a website that details information about the data breach at http://bannersupports.com. Patients or other customers who have questions or concerns about the cyberattack can call 1-855-223-4412.

References

1. Ken Alltucker. Banner Health cyberattack breaches up to 3.7 million records. Arizona Republic. August 3, 2016. Available at: http://www.azcentral.com/story/money/business/health/2016/08/03/banner-health-cyberattack-breaches-up-3-7-million-records/88035474/ (accessed 8/6/16).
2. Robbins RA. Banner prints social security numbers. Southwest J Pulm Crit Care. 2014;8(2):140-1. [CrossRef]

Cite as: Robbins RA. Banner hacked-3.7 million at risk. Southwest J Pulm Crit Care. 2016;13(2):80-1. doi: http://dx.doi.org/10.13175/swjpcc075-16 PDF