What the Iran situation means for health data

With help from Arthur Allen (@arthurallen202) and Darius Tahir (@dariustahir)

Editor’s Note: This edition of Morning eHealth is published Mondays, Wednesdays and Fridays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m.

Quick Fix

We’re back after a two-week hiatus. Here’s what we’ve got:

What the Iran situation means for health data: The Health Information Sharing and Analysis Center issued an urgent warning on potential cyber threats amid escalating tensions with Tehran.

Security snag in Germany’s health data digitization plan: Reporters and hackers found it was quite easy to access, and misdirect, identifying information.

Illumina nixes merger proposal: The gene sequencing giant abandoned its proposal to take over competitor Pacific Biosciences under pressure from the Federal Trade Commission.

eHealth tweet of the day, including a screenshot: Olive Rae Brinker @olivebrinker “welcome to 2020: an AI in a mental health app is telling me to pay up”

It’s MONDAY at Morning eHealth, where your author is just back from visiting her grandmothers in India. Let her know what she missed stateside at [email protected]. Tell the team what you’re tracking at @arthurallen202, @dariustahir, @ravindranize, @POLITICOPro and @Morning_eHealth.

Driving the Day

H-ISAC WARNS HEALTH SYSTEMS TO BACK UP DATA FOLLOWING IRAN NEWS — The Health Information Sharing and Analysis Center is warning of “significant risk that Iran will target critical infrastructure through cyberspace” as tensions with Iran escalate following the death of Qassem Soleimani in a drone strike, according to an email shared with Morning eHealth. H-ISAC is a nonprofit organization that shares cybersecurity threat intelligence with its members. “Historically, Iran has not deliberately targeted the healthcare sector,” the bulletin reads. “However, we must be vigilant facing” attacks in which data could be deleted, it continues.

... Among recommended steps: Network administrators for health care providers should keep systems updated with the latest security patches, and health systems should prioritize Iran-related threats when triaging cybersecurity incidents, the bulletin reads. The nonprofit also recommends that health systems keep an off-site backup of critical data to guard against data loss in case of a breach.

SPOT CHECK ON GERMAN PATIENT ID PLAN — Germany’s plan to enable the country’s 83 million residents to access their medical data through chip cards by 2021 may have some security glitches to be worked out.

A group of white-hat hackers and journalists ordered doctor and patient ID cards of the type that eventually will allow doctors, patients and insurers to access a vast amount of personal health data. The journalists from NDR television and Spiegel magazine, working with the Chaos Computer Club, had an ophthalmologist’s ID delivered to a cheesemonger in the town of Lunenberg. There was no one to sign for it, so the postman left it on the counter. The journalists were able to order the cards online with readily accessible identifying information such as addresses and phone numbers. The cards don’t have any patient data on them yet, so no one’s privacy was compromised in the investigation.

... Elsewhere in Europe, tech regulators are increasingly despairing over lack of enforcement of the world’s toughest privacy law, the General Data Protection Regulation, our POLITICO Europe colleague Nicholas Vinocur writes.

It’s been more than 18 months since the European Union began implementing GDPR, and the law has been viewed as a model for the United States and other nations looking to rein in data collection by tech companies.

... “But that promise has not been fulfilled,” Nicholas writes. “Aside from a €50 million fine that France’s privacy regulator imposed on Google in January, there have been no fines or remedies levied at a U.S. giant since the GDPR came into effect. And the two nations most directly responsible for policing the tech sector — Ireland and Luxembourg, where the largest tech firms have their European headquarters — have yet to wrap up a single investigation of any magnitude concerning a U.S. firm.”

The Irish regulator overseeing tech giants such as Google, Facebook, Microsoft and Twitter says its first decision won’t be delivered until early next year. Regulators in other countries are speaking up about their doubts, Nicholas writes. “Hamburg’s data protection authority says that the current ‘one-stop-shop’ system, in which many major investigations are carried out by authorities in Dublin or Luxembourg, creates serious bottlenecks and an ‘unsatisfactory’ situation for millions of web users.”

... “After nearly one and a half years we must concede that we have a huge problem with the enforcement of cross border processing especially by globally acting companies,” a spokesperson for the authority, one of 16 in Germany, told POLITICO, referring to cases that concern web users in more than one country. “It is absolutely unsatisfactory to see that the biggest alleged data protection violations of the last 15 months with millions of individuals [concerned] are far away from being sanctioned.”

ILLUMINA NIXES MERGER PROPOSAL — The FTC alleged that the gene sequencing giant’s proposed takeover of Pacific Biosciences would eliminate one of three competitors, entrenching San Diego-based Illumina’s dominance over the market, our Darius Tahir reports. “This deal threatened to let a monopolist extinguish nascent competition,” said Gail Levine, deputy director of the FTC’s Bureau of Competition. She said the decision would allow innovative companies to “develop faster, better, and less expensive next-generation DNA sequencing technologies.”

MORE ON THAT BLUE BUTTON 2.0 API BUG — CMS said at the end of last month it was restoring the Medicare data access site after correcting the bug that may have affected nearly 10,000 beneficiaries, Darius reports. The problem in the Blue Button 2.0 API, which allows beneficiaries to send their claims information to developers, stemmed from an identification system and affected about 30 apps, an agency spokesperson said. That flaw allowed demographic and treatment information to flow to the wrong app or wrong beneficiaries, but no financial information or Social Security numbers were exposed.

... A review by CMS showed that 236 beneficiaries’ data flowed to the wrong app; nearly 10,000 other individuals’ data went to the right app but possibly to the wrong beneficiary. The 30 apps that may have incorrect data will be reinstated after they submit plans to deal with the issue. The agency is mailing letters to all affected beneficiaries in the coming weeks.

EYE ON BIG TECH: FACEBOOK REMOVES MISLEADING ADS ABOUT TRUVADA FOR PREP — The social media giant has disabled some ads that suggested that side effects of the HIV treatment Truvada could also apply to people who use the drug for HIV prevention, the Washington Post reports. Several public health and LGBTQ-focused organizations, including GLAAD, had urged Facebook to remove the ads they say were placed by law firms recruiting people for lawsuits alleging that the drug causes harmful side effects such as a reduction in bone density or kidney damage. Truvada can be used both for HIV treatment and prevention, and research suggests that those side effects generally only occur among patients using it for treatment, those groups say.

NAMES IN THE NEWS — Anand Shah, CMS administrator Seema Verma’s senior medical adviser for innovation, will soon become a top deputy to FDA Commissioner Stephen Hahn, our POLITICO colleagues Dan Diamond and Sarah Karlin-Smith report.

... American Medical Informatics Association CEO Doug Fridsma departed the organization Jan. 1, the association announced. Karen Greenwood, the association’s chief operating officer, will serve as interim CEO while a search begins for Fridsma’s replacement. AMIA said Fridsma, who had been the association’s leader since 2014, didn’t know what his next role would be.

Last month President Donald Trump named Robert Blair, a security adviser to his acting chief of staff Mick Mulvaney, as a key point person on 5G wireless technology, POLITICO Tech’s John Hendel reports. “Mr. Blair will lead the strategic prioritization of United States efforts to promote a secure and reliable global communications system,” White House press secretary Stephanie Grisham said in a statement.

... The National Quality Forum named Jonathan Perlin, CMO of the Hospital Corporation of America, its new board chair. Cristie Upshaw Travis, CEO of Memphis Business Group on Health, is vice chair.

Mayo Clinic named Rita Khan chief digital officer; Khan will establish the Mayo Clinic Center for Digital Health.

What We're Reading

—MarketWatch’s Jeremy C. Owens reports on One Medical’s IPO plans.

—Fred Schulte and Erica Fry write about efforts to cover up EHR flaws to obtain federal subsidies.