
Monday Morning Update 7/18/16

July 17, 2016

Top News



Hacker The Dark Overlord, who has breached at least three healthcare organizations and then listed their patient data for sale when they refused to pay him, advertises for sale the digital assets of a healthcare IT vendor that appears to be PilotFish Technology, which offers integration tools and middleware to several industries that include healthcare. He’s asking $500,000 for HL7 source code, signing keys, and a licensing database. He says he stole the information by gaining full root-level access to the company’s servers. The Dark Overlord listed the information for sale after the company declined to pay him the $500,000 to keep quiet.


The hacker says he has inserted a backdoor in PilotFish’s software that was pushed out in its most recent update and has since stolen the EHR records of all of the company’s customers.

Not only is PilotFish’s business at great risk, so is the information of its customers, among them Utah Health Information Network and the State of Connecticut. PilotFish launched its healthcare business in February 2014.


The Dark Overlord breaches systems using Remote Desktop Protocol exploits, so I’ll recommend again that everybody either secure it or shut it down. He also seems to prefer targeting SRS EHR clients. His latest round of tweets suggests that at least one of the providers he hacked paid him to keep quiet last week.
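As an added example (not HIStalk's code or any vendor's), here is what "secure it or shut it down" looks like in practice on a single Windows host: a PowerShell audit that reports whether Remote Desktop is enabled, whether Network Level Authentication is required, what port it listens on, and whether the built-in firewall rules allow connections from any remote address, plus a companion function that either restricts RDP to a named management subnet with NLA on or disables it outright. It uses the standard registry values and cmdlets available on Windows 8 / Server 2012 and later; the function names and the sample subnet are assumptions for illustration.

```powershell
# Added example: audit and harden Remote Desktop on the local Windows host.
# Run from an elevated PowerShell session. Registry paths below are the
# standard Terminal Server locations; function names are illustrative.

function Get-RdpExposure {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA must succeed before a session is created,
    # which removes the unauthenticated pre-logon attack surface.
    $nla  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    $listening = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue).Count -gt 0

    # Enabled inbound rules in the built-in "Remote Desktop" group, with the remote
    # address scope of each: "Any" means every host on the network can reach the port.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scope = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($scope.RemoteAddress -join ',') }
        }

    [pscustomobject]@{
        RdpEnabled      = ($deny -ne 1)
        NlaRequired     = ($nla -eq 1)
        Port            = $port
        Listening       = $listening
        OpenToAnyRemote = [bool]($rules | Where-Object { $_.RemoteAddress -eq 'Any' })
        FirewallRules   = $rules
    }
}

function Set-RdpHardened {
    # Either restrict RDP (NLA on, firewall scoped to -AllowFrom) or disable it with -Disable.
    [CmdletBinding()]
    param(
        [string[]]$AllowFrom = @('10.0.0.0/24'),   # assumed management subnet; replace with yours
        [switch]$Disable
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    if ($Disable) {
        # Shut it down: deny connections and close the firewall rules.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }

    # Secure it: require NLA and limit the inbound rules to the management subnet.
    Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallAddressFilter -RemoteAddress $AllowFrom
}

# Usage: review the current state first, then apply one of the two fixes.
Get-RdpExposure | Format-List
# Set-RdpHardened -AllowFrom '10.0.0.0/24'
# Set-RdpHardened -Disable
```

A host reporting `RdpEnabled = True`, `NlaRequired = False` and `OpenToAnyRemote = True` is the weak configuration the post warns about; after `Set-RdpHardened` the same audit should show NLA required and the firewall scope limited to the subnet you passed, or, after `-Disable`, no listening port and no enabled rules. Run the audit across a fleet with your remoting tool of choice and treat any host that drifts back to the open state as a finding.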

Reader Comments

From Sharon M: “Re: LabCorp. I’m surprised HIStalk did not cover the IT crash that affected five states. Are you so biased that you only print the favorable reports about HIT?” This comment comes from a frequent anti-EHR troll who assumes multiple identities in unsuccessfully trying to avoid being called out, which even without the technical clues would be obvious since 99 percent of readers complain that I’m too critical of health IT instead of accusing me of being a cheerleader for it. I haven’t seen any mention of LabCorp problems anywhere, so given that I did not personally have tests performed recently in those five states, I have zero information about any downtime and have received nothing from users (including the phony Sharon M). In other anti-technology news, a traffic light went out for an hour recently, so it’s time to replace all of those unreliable devices with stop signs.

From Lysander: “Re: redirects. Why do you redirect the link from HIStalk.com to HIStalk2.com? I know it was originally related to a hosting switch, although if I know your style, that inside joke might be part of the fun.” It’s been nearly 10 years since I switched from a proprietary-technology web host while temporarily running both sites to prevent readers from getting lost. That change isn’t easy to undo, I’ve learned. I had my web host look into it yet again Friday night after your inquiry and they messed things up a bit temporarily, plus the change would probably screw up links to years’ worth of articles. I’ll add that to my inside joke collection (along with smoking doctor logos) and the list of things I’m too lazy to worry about.


From Little Bit: “Re: mission and vision statements. I remember an academic medical center whose mission didn’t have one word about patients in it. There’s also an EHR vendor who talked a lot about their ‘Do Right’ principle, although I think they veered away from that one.” I’ve worked for executives who turfed off creation of mission and vision statements (they didn’t even understand the difference) to their underlings and it was a disaster. The back-stabbing, suck-up directors fought for attention in trying to distill a large, complex operation into a single overinflated, pithy sentence (it ended up with a lot of commas). My takeaway: leaders without vision and character might as well have a crappy, eye-rolling vision statement that will be forgotten immediately because it’s not going to help anyway. My other takeaway is that committees are a poor substitute for leadership since they suck the life out of everything they do, and as such, should be limited to an advisory role to a clearly defined leader rather than to have actual power themselves. Give the buck a place to stop.

HIStalk Announcements and Requests


Three-quarters of poll respondents don’t think levying HIPAA fines improves privacy or security. New poll to your right or here: what is your overall opinion of the Affordable Care Act? You can’t just leave us hanging by voting without explaining, so click the poll’s Comments link afterward to elucidate.


Welcome to new HIStalk Platinum Sponsor Evariant. The Farmington, CT company offers enterprise-class CRM platforms for patients, consumers, and physicians that empower the marketing and physician relations teams of leading hospital networks. Evariant’s patient and consumer marketing CRM system drives targeted service line growth with attributable ROI, while its patient acquisition and engagement platform allows hospitals to target appropriate audiences for marketing as well as for education and wellness programs. Hospitals use its physician engagement technology to track referral patterns and physician loyalty in designing effective physician outreach activities. The company offers a free e-book titled “Creating Extended 360° Patient and Physician Views with Big Data Analytics.” Client success stories include Orlando Health, Wake Forest Baptist Health, University of Chicago Medicine, and Dignity Health. Thanks to Evariant for supporting HIStalk.

I found this Evariant client testimonial from University of Chicago Medicine on YouTube.


Mrs. Roepke in Missouri had never had a DonorsChoose grant request fully funded until we provided her elementary school class with interactive math stations. She says her students cheered when they opened the box and saw the electronic flashcards and are using the many tools that were included in their small group work, to the point that they even refer to the game while working in other groups, which she calls “a proud teacher moment.”

I’ve realized what I hate about the phrase “pop health,” other than the fact that it’s an annoying shorthand for “population health,” which in this industry is invariably misused in describing “population health management” or “population health management technology,” which are entirely different things. Reporters and bloggers who bandy the term about from their cheap seats in their unwillingness to enunciate the daunting four syllables of “population” haven’t earned the right to lapse into jargon. Just like it’s insulting to Marines when people who have never served in the military shout out “Semper Fi.”

Listening: the almost-new album of one of my favorite bands, the highly listenable and brilliant Nada Surf, whose stock in trade is thoughtful lyrics, sweet harmonies, and ragged independence. Their catchy, sometimes jangly power-pop is hard to beat and they exhibit the maturity of a band whose lineup hasn’t changed in nearly 25 years. I’m offsetting that with the hard-rocking operatic Finnish metal of Nightwish, who I didn’t realize has commendably added the incomparable Floor Jansen (After Forever) as lead singer.

Last Week’s Most Interesting News

  • The VA takes more Congressional heat for lack of DoD interoperability and hints harder at replacing VistA with commercially available software in a Senate Appropriations Committee hearing.
  • A survey finds that most doctors haven’t heard of MACRA and hate the idea of tying their income to their quality.
  • OHSU pays $2.7 million to settle two HIPAA charges involving only 7,000 patients in incidents involving a stolen laptop and residents using Google Docs to store patient information.
  • Imprivata and Valence Health are acquired.
  • HHS issues ransomware guidance in declaring that a reportable HIPAA breach has occurred any time PHI is encrypted by malware.
  • CMS levies a death sentence on lab processor Theranos, banning Elizabeth Holmes from clinical laboratory ownership for two years and halting Medicare and Medicaid payments to the company.


None scheduled soon. Contact Lorre for webinar services. Past webinars are on our HIStalk webinars YouTube channel.

Acquisitions, Funding, Business, and Stock

GE Healthcare’s management consulting group signs a five-year collaboration agreement with ThoughtWire, which offers machine intelligence software that GE Healthcare will roll out as real-time process alerting and decision support.



University of Virginia Health System selects Evariant’s Physician Relationship Management and Physician Market Solver solutions for physician alignment.

The Medical Information Network – North Sound (WA) HIE adds Jiva Population Health Management to its ZeOmega rollout.



Commonwealth Health (PA) names Denis Tucker (Main Line Health) as CIO.

Government and Politics


England’s Secretary of State for Health and digital health supporter Jeremy Hunt is reappointed under new Prime Minister Theresa May.

The Defense Health Agency awards a five-year, $70 million contract to EHR Total Solutions. I found next to nothing about the company, which seems to exist purely to get military contracts. It previously reported $9 million in annual MHS contracts, so this will raise its total a lot.


A US District Court orders MedSignals CEO Vesta Brue to pay $4.5 million for grant fraud. Her Lexington, KY companies received five NIH grants to develop electronic pillboxes, but she spent the money on plastic surgery, jewelry, and massages. She will also pay restitution and serve jail time for grant fraud related to Telehealth Holdings, Inc., a company operated by her partner Jerome Hahn.


GE Healthcare sues 23-bed West Feliciana Parish Hospital (LA), complaining that it unfairly chose Hitachi Medical Systems to provide imaging equipment at a price below GEHC’s bid.


I’m tiring of the Pokemon Go phenomenon as quickly as I did other pointless, imitative fads like the Ice Bucket Challenge and the phrase “threw up in my mouth a little bit,” but this is cool: C.S. Mott Children’s Hospital (MI) is using the game to get hospitalized children to leave their beds and interact with employees and other patients. That won’t be offset by the hospital influx of dolts who are hurting themselves in their rare interactions with their actual physical surroundings while staring at their phones, but it’s a small plus. Speaking of which, as I predicted last week, game developer Niantic announces monetization plans in which it will offer retailers the ability to sponsor locations on a cost-per-visit basis in hopes of boosting their foot traffic. I predict the game will be a cringingly recalled embarrassment in six months, just like Second Life and Google Glass.


The former IT administrator of an Alaska health system faces 99 years in prison after pleading guilty to possessing and distributing 2 million images and 13,000 videos of child pornography that he obtained using the hospital’s network. He was not charged for distributing another disturbing image, the photo above from his LinkedIn profile.


The Houston paper covers the “cost versus choice” out-of-network conundrum in describing a 175-bed, oncologist-owned hospital that brings in annual revenue of $1.5 billion despite not accepting any form of insurance. Aetna sued after finding that the hospital was reducing the patient responsibility portion of its bills to in-network levels by applying a “prompt pay discount,” but was sticking Aetna for their full part of the out-of-network charges (such as $200,000 to treat an abscess). Aetna claimed racketeering, while the hospital counter-sued for being blacklisted. The judge denied Aetna’s demand for $225 million in refunds, saying it’s up to Aetna to decide what part of medical costs it pays in applying usual and customary limits.


Bizarre: several doctors in India, one of them a government official, are arrested for running a child trafficking ring from their hospital, caught as they tried to sell a four-month-old. Police are also investigating whether the doctors are running their hospital legally and whether they have actual medical degrees.

Sponsor Updates

  • T-System will exhibit at the FHIMA Annual Meeting July 18-21 in Orlando.
  • Stella Technology is sponsoring and exhibiting at the Redwood Mednet conference in Santa Rosa, CA this week.
  • Datanami.com profiles TransUnion’s management and use of big data.
  • Valence Health will host its value-based industry conference, Further 2016, September 14-16 in Chicago.


Comments:

  1. “My other takeaway is that committees are a poor substitute for leadership since they suck the life out of everything they do, and as such, should be limited to an advisory role to a clearly defined leader rather than to have actual power themselves. Give the buck a place to stop.”

    Strongest counsel you’ve offered in a while.

  2. Ice Bucket Challenge “pointless”? The point was to raise money for ALS research, and more than $100 million was raised.

  3. @peter crowley nearly all of it was donated by people who weren’t mugging for YouTube, like vendor executives challenging each other to get airtime.

  4. RE: Mission statements (which too often get the “purpose”, “mission” and “vision” statements all confused). Many years ago I worked for an insurance software vendor (business closed 20+ years ago) privately held by one guy. We were required to learn the company’s vision statement and be able to recite it when asked. It included two gems “Commitment to Excellence” yet this guy shortchanged his clients all over the place and made them pay to fix system errors, and “Respect for The Individual” which sounds wonderful, until it dawned on you that the only “individual” due this respect was him, as the employees basically hid behind their desks when he walked by. Although I lasted 2 years, I got hives working there.

  5. Pokemon Go seems to be everywhere. Someone here questioned its staying power likening the experience/use to google glass or second life. Others are mocking the game because it may seem childish, or to older generations it seems like another app/game that the youth are just staring at all day even while outside. I think most are missing the larger implications of this game. Augmented reality and Virtual Reality are likely where we are headed as a population in terms of media. Google couldn’t figure out how to make it work correctly with google glass, so it failed. The absolutely amazing thing is that this is the first piece of AR/VR technology to breach into the mainstream….so much so that you can literally walk around cities and physically see masses of people interacting in this semi virtual sphere. The amazing thing is not that this is a pokemon game…the amazing thing is that it took a pokemon game to adopt AR into the mainstream. This sort of mobile use is setting a huge precedent for the next type of media that will exist. One can only predict the end goal, but if you ask Mr. Kurzweil he will likely say this is just the next step in the end goal of full human/machine integration. The real power in pokemon go is to take lessons learned with this tech and adopt it to healthcare.

    At the very least gamifying the act of walking will do wonders for preventative health.

  6. Oddly I am familiar with the pilotfish software and they technically don’t host or create EHR records. I wonder if there would be some real followup before reporting on these. This article has created a nightmare for me since I support a company that uses this software.

  7. Re: Random:

    The software PilotFish developed is *used* by clients to interface with EHRs. They apparently were able to modify the source code and inject something malicious, and then that code was built and sent out to clients as the final product. From there they had a way to glean PHI directly from the clients using the product.

  8. From one developer to another, I feel for the Pilotfish folks and sorry for what happened to them. It’s hard enough to run a small business without dealing with this kind of event. I too am puzzled by the EHR claim(s) as well from the “Overlord”. It’s not uncommon for a hacker to embellish their exploit to buff their rep as well as drive up interest in their ‘haul’. That said, if sufficient access is gained, the individual can roam around looking for all sorts of data. Batten down the hatches folks.
