Homeland Security warns of critical flaws in Medtronic defibrillators

Homeland Security has issued a warning for a set of critical-rated vulnerabilities in Medtronic defibrillators which put the devices at risk of manipulation.

These small implantable cardio-defibrillators are implanted in a patient’s chest to deliver small electrical shocks to prevent irregular or dangerously fast heartbeats, which can prove fatal. Most modern devices come with wireless or radio-based technology to allow patients to monitor their conditions and their doctors to adjust settings without having to carry out an invasive surgery.

But the government-issued alert warned that Medtronic’s proprietary radio communications protocol, known as Conexus, wasn’t encrypted and did not require authentication, allowing a nearby attacker with radio-intercepting hardware to modify data on an affected defibrillator.

Homeland Security gave the alert a 9.3 out of 10 rating, describing it as requiring “low skill level” to exploit.

It doesn’t mean that anyone with an affected defibrillator is suddenly a walking target for hackers. These devices aren’t always broadcasting a radio frequency, as that would be too battery intensive. Medtronic said patients would be most at risk while getting their implant checked at their doctor’s office. At all other times, the defibrillator will only occasionally wake up and listen for a nearby monitoring device if one is in range, narrowing the scope of an attack.

More than 20 different Medtronic defibrillators and models are affected, the alert said, including the CareLink programmer used in doctor’s offices and the MyCareLink monitor used in patient homes.

Peter Morgan, founder and principal at Clever Security, found and privately reported the bug to Medtronic in January. In an email, Morgan told TechCrunch that the bugs weren’t easy to discover, but warned of a potential risk to patients.

“It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient’s heart, or by directly invoking shock-related commands on the defibrillator,” he said. “Since this protocol is unauthenticated, the ICD cannot discern if communications it’s receiving are coming from a trusted Medtronic device, or an attacker.”

A successful attacker could erase or reprogram the defibrillator’s firmware, and run any command on the device.

Medtronic said in its own advisory that it’s not aware of any patient whose device has been attacked, and that the company was “developing updates” to fix the vulnerabilities, but did not say when fixes would be rolled out.

The Food and Drug Administration (FDA), which regulates medical devices, provided a list of the affected devices.

It’s the latest example of smart medical devices taking a turn for the worse, even as spending on healthcare cybersecurity is set to become a $65 billion industry by 2021.

The FDA rolled out non-binding recommendations in 2016 to push medical device makers toward better cybersecurity practices, so that these kinds of flaws are prevented in the first place, advising companies to “build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats.”

Yet this latest government alert marks the second time in two years that Medtronic has been forced to respond to security flaws in its medical devices. In October, the company finally shuttered an internet-based software update system that put its pacemaker monitoring devices at risk.

Gig workers need health & benefits — Catch is their safety net

One of the hottest Y Combinator startups just raised a big seed round to clean up the mess created by Uber, Postmates and the gig economy. Catch sells health insurance, retirement savings plans and tax withholding directly to freelancers, contractors, or anyone uncovered. By building and curating simplified benefits services, Catch can offer a safety net for the future of work.

“In order to stay competitive as a society, we need to address inequality and volatility. We think Catch is the first step to offering alternatives to the mandate that benefits can only come from an employer or the government,” writes Catch co-founder and COO Kristen Tyrrell. Her co-founder and CEO Andrew Ambrosino, a former Kleiner Perkins design fellow, stumbled onto the problem as he struggled to juggle all the paperwork and programs companies typically hire an HR manager to handle. “Setting up a benefits plan was a pain. You had to become an expert in the space, and even once you were, executing and getting the stuff you needed was pretty difficult.” Catch does all this annoying but essential work for you.

Now Catch is getting its first press after piloting its product with tens of thousands of users. TechCrunch caught wind of its highly competitive seed round closing, and Catch confirms it has raised $5.1 million at a $20.5 million post-money valuation co-led by Khosla Ventures, Kindred Ventures, and NYCA Partners. This follow-up to its $1 million pre-seed will fuel its expansion into full health insurance enrollment, life insurance and more.

“Benefits, as a system built and provided by employers, created the mid-century middle class. In the post-war economic boom, companies offering benefits in the form of health insurance and pensions enabled familial stability that led to expansive growth and prosperity,” recalls Tyrrell, who was formerly the director of product at student debt repayment benefits startup FutureFuel.io. “Emboldened by private-sector growth (and apparent self-sufficiency), the 1970s and 80s saw a massive shift in financial risk management from the government to employers. The public safety net contracted in favor of privatized solutions. As technological advances progressed, employers and employees continued to redefine what work looked like. The bureaucratic and inflexible benefits system was unable to keep up. The private safety net crumbled.”

That problem has ballooned in recent years with the advent of the on-demand economy, where millions become Uber drivers, Instacart shoppers, DoorDash deliverers and TaskRabbits. Meanwhile, the destigmatization of remote work and digital nomadism has turned more people into permanent freelancers and contractors, or full-time employees without benefits. “A new class of worker emerged: one with volatile, complex income streams and limited access to second-order financial products like automated savings, individual retirement plans, and independent health insurance. We entered the new millennium with rot under the surface of new opportunity from the proliferation of the internet,” Tyrrell declares. “The last 15 years are borrowed time for the unconventional proletariat. It is time to come to terms and design a safety net that is personal, portable, modern and flexible. That’s why we built Catch.”

Catch co-founders Andrew Ambrosino and Kristen Tyrrell

Currently Catch offers the following services, each with their own way of earning the startup revenue:

  • Health Explorer lets users compare plans from insurers and calculate subsidies, while Catch serves as a broker collecting a fee from insurance providers
  • Retirement Savings gives users a Catch robo-advisor compatible with IRA and Roth IRA, while Catch earns the industry standard 1 basis point on saved assets
  • Tax Withholding provides an FDIC-insured Catch account that automatically saves what you’ll need to pay taxes later, while Catch earns interest on the funds
  • Time Off Savings similarly lets you automatically squirrel away money to finance “paid” time off, while Catch earns interest

These and the rest of Catch’s services are curated through its Guide. You answer a few questions about which benefits you have and need, connect your bank account, choose which programs you want and get push notifications whenever Catch needs your decisions or approvals. It’s designed to minimize busy work: if you have a child, you can add them to all your programs with a click instead of slogging through reconfiguring them one at a time. That simplicity has ignited explosive growth for Catch, with the balances it holds for tax withholding, time off and retirement up 300 percent in each of the last three months.

In 2019 it plans to add Catch-branded student loan refinancing, vision and dental enrollment plus payments via existing providers, life insurance through a partner such as Ladder or Ethos and full health insurance enrollment plus subsidies and premium payments via existing insurance companies like Blue Shield and Oscar. And in 2020 it’s hoping to build out its own blended retirement savings solution and income-smoothing tools.

If any of this sounds boring, that’s kind of the point. Instead of sorting through this mind-numbing stuff unassisted, Catch holds your hand. Its benefits Guide is available on the web today and it’s beta testing iOS and Android apps that will launch soon. Catch is focused on direct-to-consumer sales because “We’ve seen too many startups waste time on channels/partnerships before they know people truly want their product and get lost along the way,” Tyrrell writes. Eventually it wants to set up integrations directly into where users get paid.

Catch’s biggest competition is people haphazardly managing benefits with Excel spreadsheets and a mishmash of healthcare.gov and solutions for specific programs. Twenty-one percent of Americans have saved $0 for retirement, which you could see as either a challenge to scaling Catch or a massive greenfield opportunity. Track.tax, one of its direct competitors, charges a subscription price that has driven users to Catch. And automated advisors like Betterment and Wealthfront accounts don’t work so well for gig workers with lots of income volatility.

So do the founders think the gig economy, with its suppression of benefits, helps or hinders our species? “We believe the story is complex, but overall, the existing state of the gig economy is hurting society. Without better systems to provide support for freelance/contract workers, we are making people more precarious and less likely to succeed financially.”

When I ask what keeps the founders up at night, Tyrrell admits “The safety net is not built for individuals. It’s built to be distributed through HR departments and employers. We are very worried that the products we offer aren’t on equal footing with group/company products.” For example, there’s a $6,000/year IRA limit for individuals while the corporate equivalent 401k limit is $19,000, and health insurance is much cheaper for groups than individuals.

To surmount those humps, Catch assembled a huge list of angel investors who’ve built a range of financial services, including NerdWallet founder Jake Gibson, Earnest founders Louis Beryl and Ben Hutchinson, ANDCO (acquired by Fiverr) founder Leif Abraham, Totem founder Neal Khosla, Commuter Club founder Petko Plachkov, Playable (acquired by Stripe) founder Tad Milbourn and Synapse founder Bruno Faviero. It also brought on a wide range of venture funds to open doors for it. Those include Urban Innovation Fund, Kleiner Perkins, Y Combinator, Tempo Ventures, Prehype, Loup Ventures, Indicator Ventures, Ground Up Ventures and Graduate Fund.

Hopefully the fact that there are three lead investors and so many more in the round won’t mean that none feel truly accountable to oversee the company. With 80 million Americans lacking employer-sponsored benefits and 27 million without health insurance and median job tenure down to 2.8 years for people ages 25 to 34 leading to more gaps between jobs, our workforce is vulnerable. Catch can’t operate like a traditional software startup with leniency for screw-ups. If it can move cautiously and fix things, it could earn labor’s trust and become a fundamental piece of the welfare stack.

Doctolib is now a unicorn with new $170 million round

French startup Doctolib has raised a new round of funding of $170 million (€150 million). The round is led by General Atlantic, with existing investors Accel, Eurazeo, Kernel and Bpifrance also participating. Some German healthcare entrepreneurs are also joining the round — the company isn’t detailing the names of those investors.

But Doctolib is detailing an important metric — its valuation. Based on this new round, Doctolib now has a post-money valuation of $1.13 billion (€1 billion). There’s a new unicorn in town.

Doctolib first started with a scheduling service for health practitioners. For €109 per month ($124), you can replace your calendar with Doctolib and let the startup take care of your week. Patients can book an appointment on Doctolib’s website and everything stays in sync between your own calendar and your public calendar.

More recently, Doctolib expanded to new countries and new types of practitioners. The company is now live in Germany and now also works with hospitals. Some hospitals have completely switched their scheduling system to Doctolib. Doctolib essentially became the leading cloud service for healthcare scheduling.

There are currently 75,000 practitioners and 1,400 healthcare facilities using Doctolib. The company works with 750 people and has offices in 40 different cities — it sounds like you need to have a local team in order to convince doctors in a specific area.

And now, the startup wants to expand to new services. In January, the company launched its telemedicine service. Existing Doctolib customers can now flip a switch and start accepting remote appointments.

This is a natural extension of Doctolib’s booking service. In addition to finding the right doctor and booking an appointment, you can now have a video consultation with a healthcare professional and get a digital prescription in your account.

Doctolib has focused on a limited feature set for years. But the company now has a shot at becoming a sort of Salesforce for the healthcare industry — a software-as-a-service company with a range of services to help practitioners switch from traditional software suites to browser-based applications.

For instance, Doctolib could expand beyond patient-to-doctor relationships and facilitate doctor-to-doctor collaboration as well.

With today’s funding round, the company will double the size of the team within the next three years across the board. In addition to sales people, the company will also double the size of the technology, product and design teams in order to launch new products. And finally, Doctolib will also expand to new countries.

EU gov’t and public health sites lousy with adtech, study finds

A study of tracking cookies running on government and public sector health websites in the European Union has found commercial adtech to be operating pervasively even in what should be core not-for-profit corners of the Internet.

The researchers used searches including queries related to HIV, mental health, pregnancy, alcoholism and cancer to examine how frequently European Internet users are tracked when accessing national health service webpages to look for publicly funded information about sensitive concerns.

The study also found that most EU government websites have commercial trackers embedded on them, with 89 per cent of official government websites found to contain third party ad tracking technology.

The research was carried out by Cookiebot using its own cookie scanning technology to examine trackers on public sector websites, scanning 184,683 pages on all 28 EU main government websites.

Only the Spanish, German and the Dutch websites were found not to contain any commercial trackers.

The highest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments.

The researchers also ran a sub-set of 15 health-related queries across six EU countries (UK, Ireland, Spain, France, Italy and Germany) to identify relevant landing pages hosted on the websites of the corresponding national health service — going on to count and identify tracking domains operating on the landing pages.

Overall, they found a majority (52 per cent) of landing pages on the national health services of the six EU countries contained third party trackers.

Broken down by market, the Irish health service ranked worst, with 73 per cent of landing pages containing trackers, while the UK, Spain, France and Italy had trackers on 60 per cent, 53 per cent, 47 per cent and 47 per cent of landing pages, respectively.

Germany ranked lowest of the six, yet the researchers still found that a third of its health service landing pages contained trackers.

Searches on publicly funded health service sites being compromised by the presence of adtech suggests highly sensitive inferences could be made about web users by the commercial companies behind the trackers.

Cookiebot found a very long list of companies involved — flagging for example how 63 companies were monitoring a single German webpage about maternity leave; and 21 different companies were monitoring a single French webpage about abortion.

“Vulnerable citizens who seek official health advice are shown to be suffering sensitive personal data leakage,” it writes in the report. “Their behaviour on these sites can be used to infer sensitive facts about their health condition and life situation. This data will be processed and often resold by the ad tech industry, and is likely to be used to target ads, and potentially affect economic outcomes, such as insurance risk scores.”

“These citizens have no clear way to prevent this leakage, understand where their data is sent, or to correct or delete the data,” it warns.

It’s worth noting that Cookiebot and its parent company Cybot’s core business is related to selling EU data protection compliance services. So it’s not without its own commercial interests here. Though there’s no doubting the underlying adtech sprawl the report flags.

Where there’s some fuzziness is around exactly what these trackers are doing, as some could be used for benign site functions like website analytics.

Though when the owner of the free analytics service in question is also adtech giant Google, that may still not feel reassuring from a privacy point of view.

100+ firms tracking EU public sector site users

Across both government and health service websites, Cookiebot says it identified a total of 112 companies using trackers that send data to a total of 131 third party tracking domains.

It also found 10 companies which actively masked their identity — with no website hosted at their tracking domains, and domain ownership (WHOIS) records hidden by domain privacy services, meaning they could not be identified. That’s obviously of concern.

Here’s the table of identified tracking companies — which, disclosure alert, includes AOL and Yahoo which are owned by TechCrunch’s parent company, Verizon.

Adtech giants Google and Facebook are also among adtech companies tracking users across government and health service websites, along with a few other well known tech names — such as Oracle, Microsoft and Twitter.

Cookiebot’s study names Google “the kingpin of tracking” — finding the company performed more than twice as much tracking as any other, seemingly as a result of Google owning several of the most dominant ad tracking domains.

Google-owned YouTube.com, DoubleClick.net and Google.com were the top three tracking domains IDed by the study.

“Through the combination of these domains, Google tracks website visits to 82% of the EU’s main government websites,” Cookiebot writes. “On each of the 22 main government websites on which YouTube videos have been installed, YouTube has automatically loaded a tracker from DoubleClick.net (Google’s primary ad serving domain). Using DoubleClick.net and Google.com, Google tracks visits to 43% of the scanned health service landing pages.”

“Given its control of many of the Internet’s top platforms (Google Analytics, Maps, YouTube, etc.), it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else,” it continues. “It is of special concern that Google is capable of cross-referencing its trackers with its 1st party account details from popular consumer-oriented services such as Google Mail, Search, and Android apps (to name a few) to easily associate web activity with the identities of real people.”

Under European data protection law “subjective” information that’s associated with an individual — such as opinions or assessments — is absolutely considered personal data.

So tracker-fuelled inferences being made about site visitors are subject to EU data protection law — which has even stricter rules around the processing of sensitive categories of information like health data.

That in turn suggests that any adtech companies doing third-party-tracking of Internet users and linking sensitive health queries to individual identities would need explicit user consent to do so.

The presence of adtech trackers on sensitive health data pages certainly raises plenty of questions.

We asked Google for a response to the Cookiebot report, and a spokesperson sent us the following statement regarding sensitive category data specifically — in which it claims: “We do not permit publishers to use our technology to collect or build targeting lists based on users’ sensitive information, including health conditions like pregnancy or HIV.”

Google also claims it does not itself infer sensitive user interest categories.

Furthermore it said its policies for personalized ads prohibit its advertisers from collecting or using sensitive interest categories to target users. (Though saying you’re telling someone not to do something is not the same as that thing not being done. That would depend on the enforcement.)

Google’s spokesperson was also keen to point to its EU user consent policy — where it says it requires site owners that use its services to ensure they have correct disclosures and consents for personalised ads and cookies from European end users.

The company warns it may suspend or terminate a site’s use of its services if they have not obtained the right disclosures and consents. It adds there’s no exception for government sites.

On tags and disclosure generally, the Google spokesperson provided the following comment: “Our policies are clear: If website publishers choose to use Google web or advertising products, they must obtain consent for cookies associated with those products.”

Where Google Analytics cookies are concerned, Google said traffic data is only collected and processed per instructions it receives from site owners and publishers — further emphasizing that such data would not be used for ads or Google purposes without authorization from the website owner or publisher.

Though sloppy implementations of free Google tools by resource-strapped public sector site administrators might make such authorizations all too easy to enable unintentionally.

So, tl;dr — as Google tells it — the onus for privacy compliance is on the public sector websites themselves.

Though given the complex and opaque mesh of technology that’s grown up sheltering under the modern ‘adtech’ umbrella, opting out of this network’s clutches entirely may be rather easier said than done.

Cookiebot’s founder, Daniel Johannsen, makes a similar point to Google’s in the report intro, writing: “Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains — in violation of the laws that they have themselves put in place.”

“More than nine months into the GDPR [General Data Protection Regulation], a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” he adds, calling for public sector bodies to “lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites”.

“The fact that so many public sector websites have failed to protect themselves and their visitors against the inventive methods of the tracking industry clearly demonstrates the educational challenge that the wider web faces: How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?”

Trackers creeping in by the backdoor

On the “inventive methods” front, the report flags how third party javascript technologies — used by websites for functions like video players, social sharing widgets, web analytics, galleries and comments sections — can offer a particularly sneaky route for trackers to be smuggled into sites and apps by the ‘backdoor’.

Cookiebot gives the example of social sharing tool, ShareThis, which automatically adds buttons to each webpage to make it easy for visitors to share information across social media platforms.

The ShareThis social plugin is used by Ireland’s public health service, the Health Service Executive (HSE). And there Cookiebot found it releases trackers from more than 20 ad tech companies into every webpage it is installed on.

“By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission,” it writes. “This result was confirmed on pages linked from search queries for ‘mortality rates of cancer patients’ and ‘symptoms of postpartum depression’.”

“Although website operators like the HSE do control which 3rd parties (like ShareThis) they add to their websites, they have no direct control over what additional ‘4th parties’ those 3rd parties might smuggle in,” it warns.

We’ve reached out to ShareThis for a response.

Another example flagged by the report is what Cookiebot dubs “YouTube’s Tracking Cover-Up”.

Here it says it found that even when a website has enabled YouTube’s so-called “Privacy-enhanced Mode”, in a bid to limit its ability to track site users, the mode “currently stores an identifier named ‘yt-remote-device-id’ in the web browser’s ‘Local Storage’” which Cookiebot found “allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims”.

“Rather than disabling tracking, ‘privacy-enhanced mode’ seems to cover it up,” they claim.

Google did not provide an on the record comment regarding that portion of the report.

Instead the company sent some background information about “privacy-enhanced mode” — though its points did not engage at all with Cookiebot’s claim that tracking continues regardless of whether a user watches or interacts with a video in any way.

Overall, Google’s main point of rebuttal vis-a-vis the report’s conclusion — i.e. that even on public sector sites surveillance capitalism is carrying on business as usual — is that not all cookies and pixels are ad trackers. So its claim is that a cookie ‘signal’ might just be harmless background ‘noise’.

(In additional background comments Google suggested that if a website is running an advertising campaign using its services — which presumably might be possible in a public sector scenario if an embedded YouTube video contains an ad (for example) — then an advertising cookie could be a conversion pixel used (only) to measure the effectiveness of the ad, rather than to track a user for ad targeting.

For DoubleClick cookies on websites in general, Google told us this type of cookie would only appear if the website specifically signed up with its ad services or another vendor which uses its ad services.

It further claimed it does not embed tracking pixels on random pages or via Google Analytics with Doubleclick cookies.)

The problem here is the opacity of the adtech industry, which requires users to take ad targeters at their word — and trust that an adtech giant like Google, which makes pots of money off of tracking web users to target them with ads, has nonetheless built perfectly privacy-respecting, non-leaky infrastructure that operates 100% as separately and cleanly as claimed, even as the entire adtech industry’s business incentives are pushing in the opposite direction.

Also a problem: Certain adtech giants having a long and storied history of bundling purposes for user data and manipulating consent in privacy-hostile ways.

And with trust in adtech at such a historic low — plus regulation having been rebooted in Europe to put the focus on enforcement (which is encouraging a cottage industry of GDPR ‘compliance’ services to wade in) — the industry’s preferred cloak of complex opacity is under attack on multiple fronts (including from policymakers) and does look to be on borrowed time.

And as more light shines in and risk steps up, sensitive public sector websites could just decide to nix using any of these freebie plugins.

In another “inventive” case study highlighted by the report, Cookiebot writes that it documented instances of Facebook using a first party cookie workaround for Safari’s intelligent tracker blocking system to harvest user data on two Irish and UK health landing pages.

So even though Apple’s browser natively purges third party cookies by default to enhance user privacy, Facebook’s engineers appear to have managed to create a workaround.

Cookiebot says this works by Facebook’s new first party cookie — “_fbp” — storing a unique user ID that’s then forwarded as a URL parameter in the pixel tracker “tr” to Facebook.com — “thus allowing Facebook to track users after all”, i.e. despite Safari’s best efforts to prevent pervasive third party tracking.

“In our study, this combined tracking practice was documented on 2 Irish and UK landing pages featuring health information about HIV and mental illness,” it writes. “These types of workarounds of browser tracking prevention are highly intrusive as they undermine users’ attempts to protect their personal data – even when using browsers and extensions with the most advanced protection settings.”
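Both behaviours the report describes, a first-party identifier (the “_fbp” cookie) resurfacing as a URL parameter in a pixel request to facebook.com/tr, and tracking identifiers such as “yt-remote-device-id” living in the site’s own storage, can be checked from a capture of a single page. The block below is an added example written for this article, not Cookiebot’s scanner or anything from the report; the page hostname, cookie values and request URLs are constructed, and the registrable-domain helper is an assumed simplification.

```javascript
// Added example, not Cookiebot's tooling or code from the report. It audits a
// single page capture (cookies, localStorage, outgoing request URLs) for the
// two behaviours described above: third-party domains receiving requests, and
// a first-party identifier (such as the "_fbp" cookie) being forwarded
// verbatim as a query parameter of a third-party pixel request (such as "tr").
// All hostnames, cookie values and URLs below are constructed.

// Registrable domain as "last two labels". This is a deliberate simplification
// that is wrong for multi-label public suffixes such as .co.uk; a real audit
// should use the Public Suffix List instead.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// capture = { pageUrl, cookies: {name: value}, localStorage: {key: value}, requests: [url, ...] }
function auditPage(capture) {
  const siteDomain = registrableDomain(new URL(capture.pageUrl).hostname);

  // Index first-party stored identifiers by value, so a forwarded copy can be
  // recognised wherever it shows up in an outgoing request.
  const storedIds = new Map();
  for (const [name, value] of Object.entries(capture.cookies)) {
    storedIds.set(value, `cookie:${name}`);
  }
  for (const [key, value] of Object.entries(capture.localStorage)) {
    storedIds.set(value, `localStorage:${key}`);
  }

  const thirdPartyDomains = new Set();
  const forwardedIds = [];

  for (const requestUrl of capture.requests) {
    const url = new URL(requestUrl);
    const domain = registrableDomain(url.hostname);
    if (domain === siteDomain) continue; // same-site request, not counted as a tracker
    thirdPartyDomains.add(domain);

    // Does any query parameter carry a first-party identifier verbatim?
    for (const [param, value] of url.searchParams) {
      if (storedIds.has(value)) {
        forwardedIds.push({
          source: storedIds.get(value),          // which first-party store held it
          param,                                 // query parameter it travelled in
          endpoint: `${domain}${url.pathname}`,  // third-party endpoint that received it
        });
      }
    }
  }

  return {
    siteDomain,
    storedIds: [...storedIds.values()].sort(),
    thirdPartyDomains: [...thirdPartyDomains].sort(),
    forwardedIds,
  };
}

// Constructed capture of a hypothetical public health landing page.
const sampleCapture = {
  pageUrl: 'https://health.example/conditions/hiv',
  cookies: {
    session: 'a1b2c3',                        // ordinary first-party session cookie
    _fbp: 'fb.1.1552000000000.123456789',     // Facebook first-party cookie, value constructed
  },
  localStorage: {
    'yt-remote-device-id': '{"data":"0000-constructed-id","expiration":0}',
  },
  requests: [
    'https://health.example/static/site.js',
    'https://www.facebook.com/tr?id=000000&ev=PageView&fbp=fb.1.1552000000000.123456789',
    'https://www.youtube-nocookie.com/embed/constructed',
    'https://stats.g.doubleclick.net/r/collect?v=1&t=dc',
    'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1',
  ],
};

console.log(JSON.stringify(auditPage(sampleCapture), null, 2));
```

On the constructed capture the audit reports four third-party domains and one forwarded identifier: the `_fbp` cookie value travelling in the `fbp` parameter to `facebook.com/tr`.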

Reached for a response to the Cookiebot report Facebook also did not engage with the case study of its Safari third party cookie workaround.

Instead, a spokesman sent us the following line: “[Cookiebot’s] investigation highlights websites that have chosen to use Facebook’s Business Tools — for example, the Like and Share buttons, or the Facebook pixel. Our Business Tools help websites and apps grow their communities or better understand how people use their services. For example, we could tell them that their site is most popular among people aged 20-25.”

In further information provided to us on background the company confirmed that data it receives from websites can be used for enhancing ad targeting on Facebook. (It said Facebook users can switch off ad personalization based on such signals — via the “Ads Based on Data from Partners” setting in Ad Preferences.)

It also said organizations that make use of its tools are subject to its Business Tools terms — which Facebook said require them to provide users with notice and obtain any required legal consent, including being clear with users about any information they share with it.

Facebook further claimed it prohibits apps and websites from sending it sensitive data — saying it takes steps to detect and remove data that should not be shared with it.

ePrivacy Regulation needed to raise the bar

Commenting on the report in a statement, Diego Naranjo, senior policy advisor at digital rights group EDRi, called for European regulators to step up to defend citizens’ privacy.

“For the last 20 years, Europe has fought to regulate the sprawling chaos of data tracking. The GDPR is a historical attempt to bring the information economy in line with our core civil liberties, securing the same level of democratic control and trust online as we take for granted in our offline world. Yet, as this study has provided evidence of, nine months into the new regulation, online tracking remains as hidden, uncontrollable, and plentiful as ever,” he writes in the report. “We stress that it is the duty of regulators to ensure their citizens’ privacy.”

Naranjo also warned that another EU privacy regulation, the ePrivacy Regulation — which is intended to deal directly with tracking technologies — risks being watered down.

In the wake of GDPR it’s become the focus of major lobbying efforts, as we’ve reported before.

“One of the great added values of the ePrivacy Regulation is that it is meant to raise the bar for companies and other actors who want to track citizens’ behaviour on the Internet. Regrettably, now we are seeing signs of the ePrivacy Regulation becoming watered out, specifically in areas concerning ‘legitimate interest’ and ‘consent’,” he warns.

“A watering down of the ePrivacy Regulation will open a Pandora’s box of more and more sharing, merging and reselling of personal data in huge online commercial surveillance networks, in which citizens are being unwittingly tracked and micro-targeted with commercial and political manipulation. Instead, the ePrivacy Regulation must set the bar high in line with the wishes of the European Parliament, securing that the privacy of our fellow citizens does not succumb to the dominion of the ad tech industry.”

A huge trove of medical records and prescriptions found exposed

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.

The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database that had accumulated over six million records since its creation in March 2018.

Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

According to a brief review of the data, the faxes contained a host of personally identifiable information and health information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data.

The faxes also included personal data and health information on children. None of the data was encrypted.
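The failure described above, a database node reachable by anyone with no password in front of it, comes down to a couple of settings in Elasticsearch. The two elasticsearch.yml fragments below are an added illustration for this write-up, not Meditab’s or MedPharm’s actual configuration and not taken from the SpiderSilk report; they assume a 6.8 or 7.x node with the free Basic security features, the private address 10.0.0.5 is an assumed RFC 1918 example, and the certificate paths are placeholders.

```yaml
# File A: weak configuration (illustrative only, not Meditab's real config).
# The HTTP API is bound to every interface and security is left off,
# so anyone who can reach TCP port 9200 can read and write every index
# without credentials, which is the condition described in the article.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

# File B: hardened configuration for the same node.
# Bind only to the private interface the fax application actually uses
# (10.0.0.5 is an assumed example); nothing listens on the public side.
network.host: 10.0.0.5
http.port: 9200
# Require authentication on every request.
xpack.security.enabled: true
# Encrypt the HTTP API so credentials and patient data never cross the
# wire in clear text (keystore path is a placeholder).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic; required once security is enabled on a
# multi-node cluster (keystore path is a placeholder).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate
```

The two fragments are alternative files, not one file (the duplicate keys would not parse together). After switching to File B, set passwords for the built-in users with `bin/elasticsearch-setup-passwords interactive`, then confirm from outside the private network that a plain `GET /` on port 9200 is refused or answered with HTTP 401 rather than the cluster banner; that single check would have caught the exposure the article describes.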

Two leaked documents found on the fax server, redacted. (Image: TechCrunch)

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel. MedPharm was spun out as a separate company in San Juan to take advantage of tax breaks for those who set up businesses on the island.

TechCrunch verified the records by contacting several patients who confirmed their details from the faxes.

When reached about the security lapse, Patel said the company was “looking into the issue to identify the problem and solution,” but deferred comment to the company’s general counsel, Angel Marrero.

“We are still reviewing our logs and records to access the scope of any potential exposure,” said Marrero in an email.

We asked if the company planned to inform regulators and customers. Marrero said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”

It’s not immediately known if anyone else discovered the exposed server, or how long the data was exposed.

Both Meditab and MedPharm claim to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, which governs how healthcare providers properly manage patient data security.

Companies that expose data or violate the law can face hefty fines.

Last year was a year of “record” fines — some $25 million for several exposures and breaches, including $4.3 million in fines to the University of Texas for an inadvertent disclosure of encrypted personal health data, and a $3.5 million settlement by Fresenius following five separate breaches.

A spokesperson for the U.S. Department of Health and Human Services did not comment.

YourChoice Therapeutics is developing unisex, non-hormonal birth control

The options available to women who want to avoid getting pregnant today are bad. Most, like the widely used birth control pill, feed man-made estrogen and progestin hormones to women, which are capable of causing a number of awful side effects.

YourChoice Therapeutics — a startup launched by a team of Berkeley researchers, including two experts in sperm physiology and sperm-egg interactions — dreams of producing a unisex, non-hormonal alternative to existing contraceptives. The company has raised $400,000 in funding to date, plus a $150,000 check from Y Combinator. YourChoice will make its big pitch at Y Combinator Demo Days next week.

It’s seeking $2 million in venture capital funding to continue research on its sperm cell-targeting novel method of contraception, as well as to build out its team of chemists. Founders Akash Bakshi and Nadja Mannowetz tell TechCrunch they plan to have a contraceptive ready to market by 2025. Together, with co-founder and advisor Dr. Polina V. Lishko of Berkeley’s department of cell and molecular biology, they hope to reach women and men all over the world, in the process tapping a market expected to be worth $37 billion by 2023.

“There are perhaps ways that we could cut that time in half or just get something to market,” said Bakshi, YourChoice’s chief executive officer, whose background is in technology commercialization, research and development within the life sciences industry. “But we need to do this right so that we can benefit as many women as possible.”

Their first product will be a vaginal contraceptive to be applied before intercourse; the startup then plans to release oral contraceptives for both genders. The team has discovered that the natural compound lupeol is capable of blocking a protein on sperm that is required for fertilization. YourChoice‘s non-hormonal approach doesn’t impact a cell’s ability to function or its gene expression, so women and men are not at an increased risk of blood clots, cancer or other side effects associated with mainstream birth control methods’ use of added hormones.

“The bottom line is men don’t have good options and women apparently have so many choices, yet they are all really bad,” Mannowetz, a Ph.D. in sperm physiology, told TechCrunch. “They’re all based on that over 60-year-old idea of hormone-based drugs.”

YourChoice’s planned debut product will be applied directly in the vagina during the period of the month in which the woman is fertile. Whether that be a tablet, a gel or some other form factor is still up in the air. YourChoice’s second product will be an oral contraceptive because they believe that is the most convenient, universally accepted method.

“For women who have an implant … I understand that this might be a step backward, but women who have been on the pill for decades, for them, it wouldn’t be a big change,” Mannowetz said. “We totally understand we will not serve every woman out there but we need to get started with a product and then take it from there.”

“If the last 60 years have taught us anything, it’s that delivery is something that can continue to be developed,” she continued. “We need to develop a new mode of action.”

There are a number of startups innovating in the contraception space, as TechCrunch has written, though most of those businesses are focused on the access problem. Birth control can be very difficult for many to access and startups like The Pill Club or Nurx solve that problem by delivering the pill directly to women’s doorsteps. Other early-stage companies in the space lack experts in the field of reproductive biology necessary to improve contraceptive options. YourChoice’s team says seeking change to the actual medication with an advanced team sets them apart from other upstarts.

For YourChoice, it helps that venture capital investment in the reproductive tech space is increasing, making this a great time for YC to support these businesses (YourChoice isn’t the only reproductive tech startup in the latest YC cohort) and for YourChoice to successfully nab private investment.

“I personally think the industry is satisfied; they are making really good money, right? So why should they change anything,” Mannowetz said. “Millennials are the starting point of change happening. I think now, women stand up and say, ‘we are sick of it.’ ”

The FDA proposes further restrictions to sales of flavored e-cig products

The FDA has drafted new guidance for the regulation of e-cigarettes, particularly with regards to flavored nicotine products.

The first big change is that the FDA has bumped up the application due date by one year for FDA approval of flavored products. Manufacturers of all flavored ENDS (electronic nicotine delivery system) products will now have to submit premarket applications by August 8, 2021.

The second change is introducing a new compliance policy with regards to flavored ENDS products.

At the time that the current compliance policy was enforced, in 2017, e-cigarette use among youth was leveling off. But drastic growth in the popularity of e-cigs among minors over the past two years has led to various changes in the policy, including the restriction of sales of flavored ENDS products via certain retail channels from November 2018.

“The most recent data show more than 3.6 million middle and high school students across the country were current (past 30 day) e-cigarette users in 2018,” wrote Gottlieb in the announcement. “This is a dramatic increase of 1.5 million children since the previous year. The data also showed that youth who used e-cigarettes also were using them more frequently and they were using flavored e-cigarette products more often than in 2017.”

Identifying flavored pods as a culprit was the first step, but the FDA is now introducing a policy that looks at how accessible any flavored ENDS product is to minors to determine whether or not it can stay on the market.

For online sales, retailers must have an age-verification process that connects to third-party data sources in order to sell flavored nicotine products. For physical retailers, the policy says that flavored nicotine products must be behind some sort of age-gate, whether that’s at the front door of the shop or within a different age-gated section of the store itself. In other words, there must be some barrier to entry before POS between minors and flavored ENDS products.

From the announcement:

Our proposed policy provides examples of circumstances that we’ll consider – for example, if flavored ENDS products are sold in locations where minors can enter at any time (e.g., the entire establishment or an area within the establishment); or, for online sales, if the products are sold without an appropriate limit on the quantity that a customer may purchase within a given period of time, and without independent, third-party, age- and identity-verification services that compare customer information against third-party data sources, such as public records. We’re also specifically seeking comment on, among other things, whether there are new technologies that can help prevent youth access at retail locations and intend to consider the use of those tools when we finalize the guidance.

The main point to remember is that the FDA plans to prioritize enforcement of these products based on whether they’re sold in ways that pose a greater risk for minors to access them and become addicted to them.

While this proposal includes further regulation of the budding e-cigarette industry, it could be an important step forward for the space in the long term. The e-cigarette industry won’t reach its potential as an alternative to cigarettes until the issue of underage use is solved for good.

The FDA sees flavored ENDS products as a gateway for young people, and closing off access to those products as soon as possible gives the industry, from manufacturers to retailers to regulators, the opportunity to plan for how these products can be sold and distributed in the future, or if flavored products should exist at all.

The new plan does not propose enforcement of all ENDS products — tobacco, menthol and mint-flavored ENDS products can remain on the market and keep their original 2022 deadline for premarket FDA approval applications.

Juul Labs had this to say in response to the draft guidance:

We are committed to reducing youth usage while preserving our opportunity to eliminate combustible cigarettes, the number one cause of preventable death in the world. As part of our action plan deployed in November 2018 to keep JUUL products out of the hands of youth, we stopped the sale of flavored JUULpods to retail stores, strengthened our retail compliance and secret shopper program, enhanced our online age-verification, exited our Facebook and Instagram accounts and are continuously working to remove inappropriate third-party social media content. We support category-wide action including the responsible, restricted sale of flavored products and will review today’s draft guidance as we continue to work with FDA, state Attorneys General, local municipalities, and community organizations as a transparent and responsible partner in combating underage use.

Commissioner Gottlieb announced his resignation a week ago. National Cancer Institute Director Dr. Ned Sharpless will take over as acting FDA Commissioner in April.

Gottlieb has taken measured steps to keep ENDS products away from minors while still allowing adult smokers to have an alternative on the market. Whether Sharpless will thread the needle quite as well remains to be seen, but Altria stocks fell on word of his appointment.

Today’s proposal is open for public comments for 30 days.

Jack Dorsey records podcast with fitness writer who claimed “vaccines do indeed cause autism”

Jack Dorsey, known for making tone-deaf statements on the platform he co-founded, is in the middle of another controversy. This time it is for plugging a podcast he recorded with fitness writer Ben Greenfield. Greenfield has espoused anti-vaccination views on Twitter and other platforms, continuing to do so despite measles outbreaks in the United States.

Dorsey retweeted Greenfield’s tweet about their podcast interview, commenting “Great conversation, and appreciate all you do to simplify the mountain of research focused on increasing one’s healthspan.”

Greenfield recently doubled down on the disproven claim that vaccines cause autism and has repeatedly included anti-vaccine propaganda on his podcast and social media pages.

TechCrunch has contacted Twitter for comment. A company spokesperson told Recode that neither Dorsey, who has done a string of podcast appearances recently, nor the company was aware of Greenfield’s stance on vaccines and that the topic was not discussed during the interview.

Dorsey’s endorsement of Greenfield is especially striking considering that other tech companies, including YouTube and Facebook, are currently clamping down on anti-vaccination content. For example, YouTube recently announced it will demonetize anti-vaccination videos, while Facebook is down-ranking vaccine misinformation on its News Feed and hiding it on Instagram. Pinterest, which has prohibited anti-vaccination content in its terms for years, also recently said it will stop returning any search result related to vaccines.

Dorsey recently generated backlash for a tweet thread about his meditation retreat in Myanmar that neglected to mention the Rohingya genocide, and for declaring that Elon Musk is his favorite Twitter user, despite the fact that Musk’s tweets have landed him in legal trouble, including with the Securities and Exchange Commission.

National Cancer Institute chief tapped as acting FDA Commissioner

In the wake of FDA Commissioner Scott Gottlieb’s abrupt resignation, Secretary of Health and Human Services Alex M. Azar III announced that Dr. Ned Sharpless will serve as interim commissioner of the Food and Drug Administration.

Since October 2017, Dr. Sharpless served as director of the National Cancer Institute and, before that, worked as a researcher and hematologist-oncologist at the University of North Carolina. He is also a co-founder of G1 Therapeutics, a biotech firm focused on cancer treatment therapies that went public in May of 2017.

Dr. Sharpless is a temporary appointment, with Secretary Azar saying that the search is on for a permanent candidate for the position, according to the NYT.

The change comes at a tumultuous time for the e-cigarette industry in particular, which has been a focal point for Commissioner Gottlieb. As vaping continues to grow in popularity among teens, Gottlieb has enforced new rules for the industry and promised to keep a close watch on youth use of these products and the companies that sell them.

Gottlieb praised the appointment:

Whether or not an acting commissioner will be able to push forward initiatives related to the tobacco industry, such as limiting the nicotine in combustible cigarettes and enforcing stricter regulation on e-cigs, is unclear. However, Altria shares fell on the news.

Truepill, the ‘AWS for pharmacies,’ gets $10M from Initialized Capital

Venture capitalists’ latest on-demand delivery bet is in the pharmaceutical space.

Truepill, an online pharmacy powering delivery for the likes of Hims, Nurx, LemonAID and other direct-to-consumer healthcare brands, has nabbed a $10 million Series A from early-stage VC fund Initialized Capital. The investment brings the Y Combinator graduate’s total raised to $13.4 million. Y Combinator, Sound Ventures, Tuesday Capital and others participated in the round.

Founded in 2016, the San Mateo-based startup employs 150 workers and plans to expand its team and fulfillment facilities into the U.K. with the fresh funding. Truepill is currently active in all 50 states and has delivered 1 million subscriptions for birth control, erectile dysfunction medication, hair loss treatment and more.

It is, as co-founders Sid Viswanathan and Umar Afridi explained, Amazon Web Services for pharmacies.

“We are really only scratching the surface of where this telemedicine landscape is going to go,” Viswanathan, who became a product manager at LinkedIn after the social network acquired his transcription service CardMunch, told TechCrunch. “We are catering to this first wave of those companies and we want to be that pharmacy fulfillment service powering that entire shift … We want to build the next generation of pharmacy infrastructure.”

Afridi, for his part, previously spent more than a decade as a pharmacist at retail chains like CVS and Fred Meyer.

In addition to operating a prescription delivery service, Truepill provides a set of APIs that give its customers programmatic access to its pharmacy and allow brands to fully customize packaging.

Foundation Capital, Index Ventures, Social Capital, Box Group and Joe Montana are also Truepill stakeholders.