Healthcare dev fined $155m for lying about compliance

A health records software company will have to pay $155m to the US government to settle accusations it was lying about the data protection its products offered. The Department of Justice said that eClinicalWorks (eCW), a Massachusetts-based software company specializing in electronic health records (EHR) management, lied to …

  1. kain preacher

    Wait, it's not the company paying the fine but the jerks that did it? Wow, this is news.

    1. veti Silver badge

      They're getting off lightly.

      The flip side of "self-certifying" that you comply with something is, you put your name to it under penalty of perjury. They could have been jailed for that.

      1. a_yank_lurker

        @veti - Should have been jailed, given how damaging this could have been.

        1. yoganmahew

          "They're getting off lightly"

          Are they? Is this a first warning shot at the industry?

          I'm delighted; I'm sick of the state of the tech that it's okay to lie to customers. Power surge me hole.

  2. Kernel

    So it's not just the auto industry

    "At one point, it is alleged that the company configured the software specially to beat testing tools and trick the HHS into believing the products were far more robust and secure than they actually were."

    It's probably just a rogue engineer that did this without any knowledge of the senior management team - "lessons will be learnt, processes are being carefully reviewed, the health and well-being of the patients are our primary concern, etc., etc."

  3. FozzyBear

    And that, folks, is what should happen to the "C" execs that demand tens of millions as their package, then deliberately lead the company down that path. Make them personally liable for their illegal decisions, rather than have them wash their hands of the matter while the company pays.

  4. John Smith 19 Gold badge

    OMG Greedy ba***ds made to actually hand over some of their own money for fu**up.

    If only the NHS had set up (or rather HMG had set up for it) this sort of regulatory framework, maybe they would not still be running a 17-year-old OS in a VM on another obsolete OS.

    Thumbs up for the US regulator, not the p*** poor UK effort in this regard.

  5. Anonymous Coward

    If a person commits fraud against the government they are likely to face time. Can't quite fathom this ruling. Seems they got off too easy just because they have deep pockets.

    1. kain preacher

      Because the DOJ are mostly lawyers. The DOJ are the folks that get involved when the US sues people for doing something naughty. If it had been the FBI, they would have gone to jail.

  6. Sam Haine

    It could never happen here!

    Fortunately, all electronic health records software used by the NHS is Data Protection Act compliant. We know this because... well, actually we didn't ask but it must be, right?

  7. Cuddles

    What were the users doing?

    "create the illusion that the software was able to access large databases"

    "lying about the software's ability to transfer records between doctors and audit transfers"

    It wasn't able to access databases and wasn't able to transfer records or audit said transfers. It might be possible to fake that in regulatory tests, but how did the people actually using the software not notice it couldn't do any of the things they actually needed it to do? This isn't like VW fixing the results of emissions tests, it's as though VW faked the results of their tests and when someone actually bought a car it turned out not to have an engine in it at all.

    1. dgc03052

      Re: What were the users doing?

      "create the illusion that the software was able to access large databases"

      "lying about the software's ability to transfer records between doctors and audit transfers"

      It wasn't able to access databases and wasn't able to transfer records or audit said transfers. It might be possible to fake that in regulatory tests, but how did the people actually using the software not notice it couldn't do any of the things they actually needed it to do?

      This was likely to fool certain minimal security testing, like not seeing the patient name or diagnosis in network traffic. Once the test is over, they go back to just storing plain text in the DB, because that is easier. You can fake "transferring" records by just allowing the other user access to the same data, so it would work for users, just you never took the information away from the original person, and it wouldn't actually work across different installations, or to anyone else's system. Or you do brain-dead serialization/deserialization, and worry about transferring it between different software versions later. And real users looking at audit reports, hardly...

      There are just so many ways of doing a crappy job that just tick a checkbox, as shown by "agile" in all sorts of places...

  8. Anonymous Coward

    Programmers are in India

    Their support is also. I worked for two hospitals that looked into ECW. One in Billings gave up after two years of trying to make it work for their clinics. The second hospital bought a small clinic that was already using their cloud-based version. I've had no good experiences with them. Getting an ADT interface to work from their EMR to Evident should be an easy task, except their sales team doesn't have a clue what they can actually interface with, so when you finally get to the people you'll be working with, you learn it just won't work.

  9. Fatman

    eCW 'troubles'

    This bothers me as two of my doctors use it.

    Both have 'encouraged' me to set up an on-line portal; and so far, I have not done so, out of concerns that once an on-line account is created it could be hacked.

    But, I do like the idea that the execs get nailed for the fines, as opposed to the company. Now, if you really want to send a message, include a permanent ban on their being employed in the healthcare industry. Along the lines of how the SEC gets rogue traders thrown off Wall Street.

  10. Anonymous Coward

    Not limited to just their software....

    They insist on installing VNC on all workstations, which, without the proper plugin, is not encrypted. My experience with them was that they seemed to have a general disregard for complying with HIPAA regulation. There are probably a lot more violations beyond what was mentioned in this article...
