Protecting patient data and financial information is paramount in healthcare. Unfortunately, because healthcare organizations represent attractive targets for cyberattackers, the healthcare industry ranked #2 in data breaches in 2024 (this was actually a positive, since healthcare was #1 across all industries for the five years prior). This issue we look at healthcare payment security through the lens of the latest ITRC annual report.
The past two weeks also saw the release of the annual KLAS awards - we summarize some of those relevant for healthcare payments - and announcement of several healthcare payments funding rounds.
We'll be at Fintech Meetup in Las Vegas in a couple of weeks - please contact us if you'd like to say hello in person. We'd love to see how we can help your organization address some of your most pressing needs in healthcare payments and accelerate growth in 2025!
Lynx is a payments infrastructure company focused on improving healthcare payment and administration. The company supports Medicare Advantage supplemental benefits, Medicaid value-added benefits, ICHRAs, and Consumer-Directed Health (CDH) plans.
RCM automation company Candid Health raises new capital
San Francisco-based Candid Health announced a $52.5 million Series C funding round, led by Oak HC/FT with participation from existing investors. Earlier round investors include 8VC, First Round Capital, Y Combinator, and Boxgroup. Candid Health has raised nearly $100 million since its inception.
According to the company's press release, Candid "is on a mission to simplify medical billing, allowing providers to focus on delivering quality care. Trusted by more than 200 leading healthcare organizations, Candid's revenue cycle platform leverages advanced automation to decrease the cost to collect and increase net collection rates."
As an RCM/billing system, Candid Health is integrated with the EMRs used by its clients. According to its website, these include Medplum, OnCall by Qualifacts, Elation, Canvas and Healthie. It is agnostic regarding payments, and has integrations with Stripe, Square, Cedar, and Chargebee. (At ViVE, we ran into at least one digital health company, Atlanta-based Workit Health, that uses Candid Health.)
Healthcare has second most data compromises in 2024
Approximately 10 times a week on average in 2024, a U.S. healthcare company experienced a data compromise event. (A "data compromise" is the term used to refer to events where personal information is accessible to unauthorized individuals and/or for unintended purposes. This includes data breaches, data exposures and data leaks.)
This alarming statistic is amongst many insights in the recently published 2024 Data Breach Report. This report is released annually by the Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime. After years of holding the dubious distinction of being the most frequently breached industry as quantified by unique data compromises, healthcare ceded the top spot in 2024 to financial services (also fairly concerning!).
It's worth pointing out that while it counted as only one data compromise in 2024, the Change Healthcare breach was responsible for 94% of the 203 million victim notices generated by supply chain attacks across all industries in 2024. Based on the 190 million victim notices it sent, Change Healthcare was the third biggest breach in 2024, behind Ticketmaster (560 million) and Advance Auto Parts (380 million). The next largest healthcare company was Kaiser Health Plan, with 13.4 million notices, making it #10 overall.
Source: ITRC 2024 Data Breach Report
Healthcare will remain a top target for data compromises
Healthcare and financial services firms are attractive targets for cyberattacks and data breaches because of the valuable data that they store, transmit and use to provide their services. Why healthcare and financial services? To paraphrase Willie Sutton, “Because that’s where the juiciest data is.”
For senior executives at hospitals, health systems, and health plans, cybersecurity threats are a persistent concern. Last year’s mega-breach at Change Healthcare disrupted cash flow and reimbursements for millions of U.S. healthcare providers and pharmacies, nearly crippling hospitals nationwide. Healthcare enterprises are investing millions of dollars in strengthening their defenses against cyberattacks, payment system breaches, and other external data infiltrations.
For Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs), the ITRC report provides useful data and insights into emerging cybersecurity threats, compliance updates, and technology risk management strategies critical to healthcare organizations.
One of the most significant vulnerabilities cited in the report is the lack of rigorous vetting of third-party vendors, leaving hospitals and larger enterprises susceptible to indirect breaches. This occurs, for example, when healthcare providers assume that payment gateway and merchant services vendors are fully protecting patient payment data as it travels across multiple channels within the health system. Protecting payment data is no longer just about the co-pay at the front desk, however. Protected Health Information (PHI) now travels on mobile applications and through patient portals. Securing financial transactions across the full range of applications and transit points is essential.
The Role of P2PE Solutions
As healthcare organizations work to make their information security systems more robust, they are increasingly implementing solutions with PCI-validated Point-to-Point Encryption (P2PE). A PCI P2PE solution is a combination of secure devices, applications, and processes that encrypt payment card data from the moment it is captured at a point of interaction (POI) device until it reaches a secure point of decryption. Because the provider's own systems handle only ciphertext in between, the adoption of P2PE solutions dramatically reduces the risk of data breaches and simplifies compliance with PCI DSS (Payment Card Industry Data Security Standard). This, in turn, cuts down on the security costs and regulatory burdens that healthcare providers face.
PCI P2PE solutions are validated by a standards body to ensure they meet the rigorous security requirements of the PCI P2PE Standard, and are listed on the PCI Security Standards Council (PCI SSC) website. There are over 124 listed solutions worldwide, with many specializing in healthcare, including Bluefin and InstaMed.
The Future of Healthcare Payment Security
Healthcare, like all industries, must remain vigilant and continue investing in appropriate measures to defeat bad actors attempting to penetrate information systems. Healthcare organizations should not assume that a reduced number of data compromises in 2024 equates to reduced risk!
Healthcare organizations must double down on proactive cybersecurity strategies, particularly with regard to financial transactions. By encrypting sensitive payment data at the point of entry and ensuring it never exists in a readable format within a provider’s network, healthcare organizations can significantly reduce their exposure to cyber threats.
In today’s digital landscape, adopting innovative payment security measures is not just an “upgrade”—it is a necessity and matter of survival. Healthcare leaders must take decisive action to protect patient data and financial transactions, ensuring the industry remains resilient in the face of evolving cyber threats.
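To make the P2PE model described above concrete, and to show what "never exists in a readable format within a provider's network" means in practice, here is an added example. It is our own illustration, not code from Bluefin, InstaMed, the PCI SSC or any listed solution. It models the three parties in Go: the POI device, which encrypts card data at the moment of capture under a key the provider never holds; the provider's patient-accounting system, which posts the payment using only the masked last four digits and forwards an opaque envelope; and the decryption environment, the one place the card data reappears. It also includes the check a provider's security team would run over its own logs and databases: scan for 13 to 19 digit runs that pass the Luhn check, which should find nothing once P2PE is in place. The key, device identifier, test card number and log format are all constructed for the illustration; a real P2PE solution manages keys inside validated hardware rather than in application code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Envelope is what leaves the POI device. Provider systems may read DeviceID
// and Last4 and forward the ciphertext; no field carries the clear PAN or expiry.
type Envelope struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// sampleKey is a constructed, fixed 256-bit key standing in for the key injected
// into the terminal and held by the decryption environment (illustration only).
func sampleKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i * 7)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiEncrypt models the point-of-interaction device: card data is encrypted the
// moment it is read. The device identifier is bound as additional authenticated
// data, so an envelope cannot be replayed as if it came from another terminal.
func poiEncrypt(key []byte, deviceID, pan, expiry string) (Envelope, error) {
	if len(pan) < 4 {
		return Envelope{}, errors.New("pan too short")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(deviceID))
	return Envelope{DeviceID: deviceID, Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// providerPost models the hospital's patient-accounting system. It posts the
// payment from the envelope's non-sensitive fields and returns the log line it
// would write; this is the data a breach of the provider would expose.
func providerPost(env Envelope, amountCents int) string {
	return fmt.Sprintf("payment posted device=%s amount_cents=%d card=****%s blob=%s",
		env.DeviceID, amountCents, env.Last4, base64.StdEncoding.EncodeToString(env.Ciphertext))
}

// decryptionEnvironment models the P2PE solution's secure decryption point.
// A tampered nonce, ciphertext or device identifier is rejected by GCM.
func decryptionEnvironment(key []byte, env Envelope) (pan, expiry string, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return "", "", fmt.Errorf("envelope rejected: %w", err)
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return parts[0], parts[1], nil
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid applies the Luhn check-digit algorithm used by payment card numbers.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// containsClearPAN is the defender's check over provider-side records: does any
// 13-19 digit run pass Luhn? With P2PE in place every record should return false.
func containsClearPAN(record string) bool {
	for _, run := range digitRun.FindAllString(record, -1) {
		if luhnValid(run) {
			return true
		}
	}
	return false
}

func main() {
	key := sampleKey()
	// Constructed sample: a well-known test card number, not a real account.
	env, err := poiEncrypt(key, "POI-LOBBY-01", "4111111111111111", "1227")
	if err != nil {
		panic(err)
	}
	line := providerPost(env, 2500)
	fmt.Println(line)
	fmt.Println("clear PAN in provider log:", containsClearPAN(line))
	pan, exp, err := decryptionEnvironment(key, env)
	fmt.Println("decryption environment recovered:", pan, exp, err)
}
```

The useful habit here is the last function: run the same Luhn scan over the logs, databases and support tickets the provider actually controls. A P2PE deployment is only doing its job if that scan comes back empty everywhere outside the decryption environment.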
PRODUCT NEWS
Oracle touts "next generation" EHR
Image: Seema Verma LinkedIn article, February 5, 2025
Seema Verma, former CMS administrator and currently EVP & GM of Oracle Health & Life Sciences, talked about Oracle's vision and approach to its "completely reinvented and redesigned EHR" in a recent LinkedIn article. She says that "EHRs have turned physicians into highly paid data clerks who on average now spend two hours each day on administrative tasks for every hour providing patient care". Oracle, she says, is working on a solution for this by building a new EHR, "One that is built on a new technology platform that takes advantage of rapid advances in cloud technology, AI, and data sciences to create an intelligent clinical assistant which responds flexibly to the needs of providers rather than forcing them into standardized and unsatisfactory workflows".
According to Verma, "Our new EHR is no longer just a sophisticated record keeper, but an immersive, AI-driven system that reduces manual work and delivers the intelligence physicians want and need to provide patients with the best possible care. Oracle’s EHR will serve as a key element in our vision for the creation of real-time health systems, which leverage the collection and almost instant analysis of data from multiple sources to improve patient care and experience as well as operational and financial performance."
As for the way the patients will interact with the new system, she says that "the new EHR will enable and support an entirely different and enhanced patient experience through a re-imagined portal that will serve as a single, comprehensive source of information for health, wellness, insurance, and access to care in a simple-to-use, elegant, interactive platform. A platform that is highly secure and includes all of the patient’s health information in one place".
Read "Reclaiming the Joy of Medicine with Next-Generation Intelligent Systems" here
KLAS AWARDS
KLAS Research recently released its annual KLAS awards, showcasing the leading providers of IT and services in U.S. healthcare. The full list of winners can be accessed here. A few highlights:
Inpatient Clinical Care
Epic was the dominant vendor, with MEDITECH appearing as well.
Thanks to the HISTalk blog for surfacing some interesting AI items recently. (You can sign up to receive notifications for weekly HISTalk Healthcare AI posts.)
Three Observations. OpenAI CEO Sam Altman predicts that AI will soon reach human-level problem-solving ability (AGI), a transformation that will be comparable to the invention of the transistor. (Sam Altman blog)
AMA Augmented Intelligence Research. Physician sentiments around the use of AI in health care: motivations, opportunities, risks, and use cases. (AMA) Quick take: AI will impact payments via better documentation of billing codes (the top use case, with 21% of physicians incorporating it into their practice in 2024) and patient-facing chatbots for customer service functions (the lowest-ranked use case in 2024, at 10%).
CEO CHAT
Matt Renfro, CEO, Lynx
Lynx Co-Founders Matt Renfro and Ken Abel
Click here to read our latest CEO Chat with Matt Renfro, CEO of Boston, MA-based Lynx.
WHAT WE'RE READING
‘Taking stock’: BofA and JPMorgan execs weigh in on Trump 2.0. While Bank of America CEO Brian Moynihan called the recent regulatory shift “classic re-engineering,” one peer exec said the changes “are taking all the oxygen in the room.” (Banking Dive)
FMP Deal Tracker. Regularly updated list of healthcare payments related transactions since November 2023.
Conference List. Rolling twelve month look ahead at conferences and other events covering healthcare payments, revenue cycle, fintech and related areas. Updated through September 2025.
FMP Blog. Thoughts from healthcare payments CEOs and investors on their right to win and plans for the next 12 months, as well as data and perspectives on healthcare payments.
Newsletter Archive. News, trends, and insights from the healthcare payments industry compiled in our bi-weekly newsletter. Last six months of newsletters.
Epic MyChart. Excel sheet with full listing of all Epic MyChart instances as of May 2024, categorized by state, provider type and specialty.
All of these resources can also be accessed at the FinMed Partners Insights page.
We'll be at Fintech Meetup in Las Vegas in March - reach out to us here to arrange time to meet!
Thank you for reading! If you enjoyed this newsletter, please forward to a friend or colleague.
FinMed Partners is a management consulting and advisory business focused on the intersection of payments/fintech and healthcare. Our founders have developed deep expertise from decades of experience with health IT companies, healthcare providers and many players within the payments ecosystem. Investors, boards and executive teams work with us to maximize business value through strategic input and tactical execution.
FinMed Partners LLC, 34 Long Avenue, Belmont, MA 02478, United States