Children’s medical records in the possession of government entities are sacrosanct. Inviolable. As such, they must be safeguarded from breaches – and protected from exploitation – at all costs. Also, those entrusted with these indispensable obligations must uphold them to the letter (and be held accountable in the event they fail).
Not only are tens of millions of taxpayer dollars at stake… but the safety of our children (and their futures) are at stake, as well. There is no room for error… nor is there any room to play fast and loose with the truth.
Accordingly, entities tasked with these vital responsibilities must be honest brokers in our marketplace – or, at the very least, be willing to face legitimate criticism and provide credible answers when questions are raised about alleged shortcomings.
Is that happening?
A recent data breach – and some curious corporate “citizenship” in response to it – has raised questions. Among them? Whether the companies impacted by this breach are being honest about their exposure to it as they seek to obtain new government contracts which would entrust them with even more children’s medical data – including the data of South Carolina children.
What happened? Let’s rewind the tape 24 months.
***
On August 26, 2022, Pennsylvania-based software provider Connexin “detected a data anomaly within its internal network.” That’s according to The HIPAA Journal, a trade publication which bills itself as “the leading provider of news, updates and independent advice for HIPAA compliance.”
HIPAA, of course, is the Health Insurance Portability and Accountability Act of 1996, a landmark piece of federal legislation which endeavored, among other things, to establish federal guidelines for the handling of personally identifiable health information.
According to Steve Adler of The HIPAA Journal, Connexin conducted a “subsequent forensic investigation” which confirmed that an “unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting.” By mid-September of 2022, the company confirmed the unauthorized third party had not only “accessed its network,” but that “some of (its) data was exfiltrated in the attack.”
“The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children,” Adler noted. “The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.”
For those of you unfamiliar with the economics of data breaches, information belonging to minors is highly coveted on the black market because it can be exploited for longer periods of time – and also because it generally takes longer for misuse to be detected.
***
In November 2022, Connexin reported the breach to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights – and sent numerous notices to state governments about their potential exposure. Within months, multiple lawsuits were filed – which were ultimately consolidated into a class action. That case settled on July 24, 2024 – with the company creating a $4 million fund to provide those impacted with three years of expanded identity theft and fraud monitoring. The settlement also provided for reimbursements of up to $7,500 per person for individuals who incurred out-of-pocket losses related to the breach.
The company further vowed “to undertake certain security commitments and business changes intended to strengthen (its) data and information security over a period of four years” as part of the agreement.
Did the Connexin breach impose an affirmative obligation on other companies, though?
Last fall, Newsweek published a guest column by David Balto – an antitrust and consumer protection attorney – which argued on behalf of more stringent digital privacy protections for minors. According to Balto, it was (and still is) incumbent upon Congress to “fully protect children and families from misuse of confidential information on the internet.”
In the original version of his column, Balto referenced a company called SchoolCare – a subsidiary of “public benefit” corporation Findhelp – which, according to him, had been “affected by a data breach.”
Was this claim accurate?
Six months prior to the Connexin breach, Findhelp acquired SchoolCare – a company which partners with K-12 school nurse’s offices. In fact, Findhelp boasted of SchoolCare’s expansive presence in Tennessee in a recent proposal, noting its electronic health record platform was being used in 321 schools in six counties in the Volunteer State – serving nearly 170,000 students.
***
Documents provided by Connexin’s attorneys during the breach notification process clearly listed SchoolCare as being among the impacted providers. In fact, a document (.pdf) submitted in Washington State expressly cited nearly 1,000 “impacted individuals” as being tied to SchoolCare.
Nonetheless, Balto’s column drew a sharp rebuke from Findhelp’s attorneys – who referred to his claim about the breach as “objectively false.”
“The target of the data breach you referenced was a company called Connexin, not SchoolCare,” they wrote in a letter to the attorney (.pdf).
Newsweek ultimately pulled the reference from Balto’s article, but a red flag had been raised – one which would seem to run counter to the corporate values espoused by SchoolCare’s new owners.
Findhelp’s chief executive officer, Erine Gray, editorialized in RealClearPolicy just a few short weeks ago about the need to “ensure that personal information remains confidential” and the need for health care consumers to “seek the support they need without fear of privacy breaches or exploitation.”
“The need for federal regulation in protecting social care data is undeniable,” Gray wrote. “As technology advances and data collection becomes more pervasive, proactive measures are essential to safeguard individual privacy.”
But is Gray’s company doing everything within its power to “safeguard individual privacy?” Including the private data of children? And based on SchoolCare’s exposure to the Connexin breach, is it making honest representations to the governments trusting it with this data in exchange for millions of dollars?
In a document (.pdf) submitted to the Oklahoma Health Care Authority (OHCA) in response to a June 2023 request for proposal, Findhelp made the following affirmative declaration regarding its “breach management” capabilities.
“In our nearly thirteen years of experience, serving more than 25 million users, Findhelp has never had a material breach of the PII, PHI and other confidential material housed in our Solution (emphasis original),” the company noted.
Take a look…
***
That statement may be technically accurate, but the exposure of SchoolCare via the Connexin breach – which occurred after Findhelp acquired the company – raises legitimate questions about the veracity of such sweeping declarations. At the very least, the Connexin breach seems like the sort of thing the company ought to disclose in its pitches to government entities.
Perhaps it’s just an asterisk… but it would seem to be an important asterisk.
Findhelp won the Oklahoma contract in March of this year, incidentally. It also won a contract in Tennessee last December – a four-year, $4.6 million deal from the state’s Medicaid agency (which serves 53 percent of the state’s children). In South Carolina, SchoolCare has shown up on a list of 2025 expenses for the Charleston County School District (CCSD) – although we have just begun our research on the company in the Palmetto State so a complete assessment of its footprint here is something we will be exploring in future posts.
We have reached out to Findhelp in the hope of getting its take on these matters – and look forward to providing the company every opportunity to share its perspectives as our coverage advances. As regular members of our audience are aware, we have an open microphone policy which encourages anyone – especially individuals and entities referenced in our reporting – to share their views with our audience.
And unlike other media outlets, we publish those responses front-and-center.
So stay tuned…
***
UPDATE
Not long after publishing our story, we received the following response from Findhelp vice president Amy Gordona. Here, unedited and in its entirety, is Gordona’s response.
***
I saw the article dated September 11, 2024. The ‘facts’ you present in the article are false. And, whoever is supplying you with this information is not accurate in their knowledge of either our company or Schoolcare, and its company history.
Here are the facts:
- Healthy Schools (founded in 2013) provided vaccination clinics in school districts in select states
- Healthy Schools used a product called Office Practicum (owned by Connexin) for Revenue Collections Management (RCM) after vaccine clinics were conducted
- CareDox (eventually renamed to Schoolcare) acquired Healthy Schools on June 1, 2018
- SchoolCare (formerly CareDox) shut down the product that used Office Practicum (owned by Connexin) in late 2019
- The product platform that Findhelp purchased from SchoolCare is completely different (and was a separate business) from their other platform (vaccination clinics) and did NOT and does NOT integrate with the Office Practicum product used in their separate business
- Findhelp acquired the assets of SchoolCare (the software platform only; not the company and not the product that used Office Practicum) in early 2022
- The Connexin breach was announced in August 2022 and SchoolCare was listed as a company (amongst 119 customers impacted) because SchoolCare acquired Healthy Schools (however, it’s Connexin’s breach and Findhelp never acquired the assets that were breached)
The bottom line is that no student health data was at risk via the software we purchased.
I also just saw via our contact form that you reached out to Findhelp via our website just hours before you published the article. I don’t consider this ethical given the defamatory content of the article. Reputable reporters make every effort to ensure they have their facts correct before publishing an article.
Regards,
Amy Gordona
***
ABOUT THE AUTHOR …
Will Folks is the owner and founding editor of FITSNews. Prior to founding his own news outlet, he served as press secretary to the governor of South Carolina, bass guitarist in an alternative rock band and bouncer at a Columbia, S.C. dive bar. He lives in the Midlands region of the state with his wife and eight children.
***
This article is false. These are the facts: Findhelp purchased the SchoolCare platform in January 2022. Findhelp did not purchase the company itself, SchoolCare, Inc. f/k/a CareDox, Inc. or any other assets. Connexin/Office Practicum was used by CareDox, Inc. for revenue collections management for their vaccine clinic business until 2019, and it was NOT part of the purchase of the SchoolCare platform. Therefore, your accusations and assertions are inaccurate and untrue.