
Johnson & Johnson to Pay $572 Million in Opioid Crisis Lawsuit

This week, a judge in Oklahoma ordered pharmaceutical company Johnson & Johnson to pay $572 million for its role in the opioid crisis that has ravaged the country and killed more than 6,000 people in Oklahoma alone. The ruling is the first to hold a drug manufacturer responsible for the crisis, which was fueled by companies flooding the market with addictive painkillers and pushing doctors to overprescribe the drugs. The amount is far less than the $17.5 billion that the state’s attorney general sought, and the company says it plans to appeal the ruling.

Cleveland County District Judge Thad Balkman ruled that the state met its burden in arguing that the company created a “temporary public nuisance” by using “misleading marketing and promotion of opioids,” and added in his ruling that “those actions annoyed, injured or endangered the comfort, repose, health or safety of Oklahomans.”

Judge Balkman cited Johnson & Johnson’s deceptive and aggressive marketing of painkillers to doctors, and the company’s practice of discouraging its sales representatives from discussing addiction or other negative consequences of using the drugs, while encouraging their prescription for both moderate and severe pain. The company also sought to convince doctors that they were under-prescribing pain medications and that having patients ask for higher doses was not a sign of addiction, just indicative of needing more to address their pain.

Johnson & Johnson markets the painkillers Duragesic (fentanyl) and Nucynta, both of which contain opioids. The company has also long manufactured the raw ingredients for other companies’ opioid-based painkillers, having bought a company in Tasmania in the 1980s that grows poppies and processes opium. According to the New York Times, by the height of the opioid epidemic, the company had become “the leading supplier for the ingredients in painkillers in the United States,” having developed a specific strain of poppy that provided the basis for Purdue’s Oxycontin, as well as manufacturing and supplying ingredients for “a range of other drugs, including hydrocodone, morphine, codeine and buprenorphine.”

Michael Ullmann, Johnson & Johnson’s general counsel, released a statement calling the judgement “a misapplication of public nuisance law that has already been rejected by judges in other states.” He also noted, “The unprecedented award for the state’s ‘abatement plan’ has sweeping ramifications for many industries and bears no relation to the company’s medicine or conduct.”

The amount decided for damages may actually seem low—$572 million will reportedly only fund a single year of Oklahoma’s opioid recovery plan, which the state estimates will cost $12.7 billion to $17.5 billion over 20 to 30 years. The company’s stock even rose this week, which some attribute to relief over the relatively low damages.

However, many are cheering the Oklahoma ruling as other lawsuits near their court dates. This includes a massive federal lawsuit scheduled for October in Cleveland, Ohio, that brings together more than 2,000 separate cases. Judge Balkman’s decision that the company’s activities constituted a public nuisance opens the door for similar rulings in other state cases, and an additional legal avenue for holding companies responsible for their part in the epidemic.

Also this week, Oxycontin manufacturer Purdue Pharma pledged to pay $10 billion to $12 billion to settle thousands of opioid-related claims, according to NBC News. Purdue had been part of the Oklahoma suit, but to avoid the lawsuit, Purdue agreed in March to pay a $270 million settlement to establish an addiction treatment and research center at Oklahoma State University, and provide continued funding over five years. Purdue’s owners, the Sackler family, also agreed to pay $75 million to the center for five years. In May, Israel-based Teva Pharmaceuticals also settled with Oklahoma for $85 million, which will further fund the state’s effort to combat opioid addiction.

Insulin Pumps Recalled After Hacking Vulnerability Revealed

After the U.S. Food and Drug Administration (FDA) expressed concern this week that some internet-connected insulin pumps made by Medtronic Plc are vulnerable to hacking and could not be patched, the medical device manufacturer announced that it would offer an exchange for the 4,000 patients who are reportedly using the vulnerable devices. If patients are using vulnerable out-of-warranty models, Medtronic is offering a newer replacement at a discounted price, and in-warranty models will be replaced free of charge.

The Medtronic insulin pumps in question work by regularly providing insulin to the patient with the help of a continuous glucose monitor (CGM), which uses Bluetooth to connect to a computer via a CareLink USB device. This system allows patients to remotely send the device commands and share data with their health care providers. These devices are part of an industry-wide push to connect medical devices to the internet (as part of the wider internet of things, or IoT) to allow more efficient and cost-effective communication between patients and providers.

While the exact nature of the insulin pump vulnerability is unclear at this time—neither the FDA nor Medtronic has disclosed any technical details—the danger from someone exploiting the vulnerability is very serious and could be potentially fatal. According to the FDA, “an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities. This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.” In a letter to patients using one of the vulnerable pumps, Medtronic confirmed the potential danger, saying that “An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery.”

Fortunately, there have not been any reported cases of anyone exploiting the vulnerability, but it is not the first case of such an issue affecting these devices. In 2011, a security researcher was able to hijack nearby Medtronic insulin pumps, giving him the ability to deliver potentially fatal doses of insulin to patients within 300 feet. After the vulnerability was revealed, Medtronic released a statement saying that it was working to improve its devices’ security.

This March, it was also revealed that Medtronic’s connected pacemakers, clinic programmers and home monitors were also vulnerable to hacking. In that case, Dutch security researchers discovered the security flaws, which the company reportedly initially denied before the FDA began an investigation. The agency later issued a warning about the pacemakers, and Medtronic released a patch for the software. As with the insulin pumps, there were no reported cases of anyone taking advantage of the security flaw before the fix was implemented.

Speaking to CBS News after the March incident, the FDA’s Dr. Suzanne Schwartz said, “Any device can be hacked and that’s often not understood,” adding that companies are not prepared for this reality and that “we still have a ways to go.” This week, the FDA released a set of recommendations regarding the latest insulin pump vulnerability, including a suggestion to patients: “Talk to your health care provider about a prescription to switch to a model with more cybersecurity protection.”

Such cases highlight the continuing potential risks of internet-connected medical devices. As discussed in the recent Risk Management article “Diagnosis: Risk—The Product Liability Challenges of Diagnostic Health Tech,” cyber vulnerability is only one of the many challenges for manufacturers and users of connected medical devices. These devices—especially ones that provide medical diagnostic data—have scores of built-in product liabilities that could land their manufacturers (as well as any number of other companies in the devices’ chain of distribution) in legal trouble if something goes awry.

Pregnancy-Tracking Apps Pose Challenges for Employees

As more companies embrace health-tracking apps to encourage healthier habits and drive down healthcare costs, some employees are becoming uncomfortable with the amount and types of data the apps are sharing with their employers, insurance companies and others.

This is especially true for apps that track fertility and pregnancy. As the Washington Post recently reported, these apps collect huge amounts of personal health information, and are not always transparent about who has access to it. The digital rights organization Electronic Frontier Foundation even published a paper in 2017 titled The Pregnancy Panopticon detailing the security and privacy issues with pregnancy-tracking apps. Employers can also pay extra for some pregnancy-tracking apps to provide them with employees’ health information directly, ostensibly to reduce health care spending and improve the company’s ability to plan for the future.

Given the documented workplace discrimination against women who are pregnant or planning to become pregnant, users may worry that the information they provide the apps could impact employment options or treatment by colleagues and managers. Pregnancy-tracking apps also collect infinitely more personal data than traditional health-tracking apps and devices like step-counters or heart rate monitors. This can include everything from what medications users are taking and when they are having sex or their periods, to the color of their cervical fluid and their doctors’ names and locations.

Citing discomfort with providing this level of information, the Washington Post reported some women have even taken steps to obscure their personal details when using the apps, for fear that their employers, insurance companies, health care providers or third parties may have access to their data and could use it against them in some way. They use fake names or fake email addresses and only give the apps select details or provide inaccurate information. Fearing the invasion of their newborn children’s privacy, some have even chosen not to report their children’s births on the apps, despite this impacting their ability to track their own health and that of their newborn on the app.

As with many other apps or online platforms, it may be difficult to parse out exactly what health-tracking apps are doing with users’ information and what users are agreeing to when they sign up. When employers get involved, these issues get even more difficult. By providing incentives—either in the form of tangible rewards like cash or gift cards, or intangible benefits such as looking like a team player—companies may actually discourage their employees from looking closely at the apps’ terms of use or other key details they need to fully inform the choice to participate or not.

While getting more information about employees’ health may offer ways to improve a workforce’s health and reduce treatment costs, companies encouraging their employees to use these apps are also opening themselves up to risks. As noted above, apps are not always transparent as to what information they are storing and how. Depending on the apps’ security practices, employees’ data may be susceptible to hacking or other misuse by third-party or malicious actors. For example, in January 2018, fitness-tracking app Strava released a map of users’ activity that inadvertently exposed sensitive information about military personnel’s locations, including in war zones. Given the kinds of personal details that some apps collect, health app data could also put users at risk of identity theft or other types of fraud.

Tracking, storing, and using workers’ personal health information also exposes employers and insurance companies to a number of risks and liabilities, including third-party data storage vulnerabilities and data breaches. This is especially important in places governed by stringent online data protection regulations like the European Union’s General Data Protection Regulation (GDPR). In addition to the risks of reputation damage, companies that are breached or otherwise expose employees’ personal information could face significant regulatory fines.

People using health-tracking apps, especially fertility-related apps, should weigh the costs and benefits of disclosing personal information against how apps and others are using this information. Companies who encourage their employees to use these apps and collect their personal health details should also be as transparent as possible about how they are using it, and implement measures to protect workers’ personal data to the fullest extent possible and ensure that managers are not using this data to discriminate against workers.

Booming or Busting: Samsung’s Trouble with Quality

Since its launch in August, Samsung’s rollout and subsequent recalls of the Note 7 have been severely affected by quality and safety issues as a result of the lithium-ion batteries overheating, and in some reported incidents, even catching fire. This ultimately led to an initial recall on Sept. 15, followed by many incidents of phones continuing to catch fire even with the battery “repair,” and mobile carriers halting sales of the phone.

On Oct. 11, Samsung permanently halted all production and sales of this device. Current estimates from the Wall Street Journal indicate that “investors have shaved off roughly $20 billion in Samsung’s market value, [and] the company has said the recall would cost it $5 billion or more, including lost sales.”

To make matters worse, the Department of Transportation (DOT) has now weighed in and banned passengers from traveling with the phones. The DOT has issued an emergency order to ban all Samsung Galaxy Note 7 smartphone devices from air transportation in the United States. Individuals who own or possess a Samsung Galaxy Note 7 device may not transport the device on their person, in carry-on baggage, or in checked baggage on flights to, from, or within the United States. The Samsung Galaxy Note 7 device is now considered a forbidden hazardous material under the Federal Hazardous Material Regulations.

The initial recall would be expected to directly affect sales levels of the specific phone, and it would be fair to anticipate the possibility of a financial impact from a recall. But the further problems go beyond that—they lead to broader reputational issues.

Although all recalls will likely result in some financial impact and market frustrations, an isolated event can be a well-managed, short-lived issue, with a reasonably prompt recovery. Many customers may look past a one-off instance as a bump in the road, which has been identified and corrected—an error. When a second or third problem arises after the initial issue(s) have been addressed, however, the company’s overall quality assurance programs are put in the spotlight. Customers then look beyond the isolated incident and lose confidence in the brand as a whole.

The extent of the financial losses resulting from this can grow exponentially as the result of a second or third similar issue. The suggestion now develops that the company cannot determine what’s wrong or find a solution. It appears that happened with Samsung, leading to the announcement that they are ceasing production of the model completely. Consumer confidence takes a big hit.

This year, we have seen the impact multiple recalls have had on several companies. Samsung, along with others like Chipotle, Takata Airbags and Mattel, has suffered repeat issues stemming from an initial problem. Where a company repeatedly has quality assurance issues, direct and manageable losses can quickly grow to exponentially larger ones fueled by the broader reputational harm. Appearing in the media for the first problem had a significant financial impact. Reappearing after the initial handling of the matter is a less than ideal way to restore confidence and set about moving on from the issue.

The losses Samsung will suffer now extend beyond the costs to investigate the problem, recall logistics, and rework costs. They now face the more complicated challenge of measuring the business income lost from the event. An initial recall, and the replacement of phones would have likely led to some business income loss. While this may not have been avoidable, it would likely have been manageable. Not being able to identify the problem and develop a solution, however, has led to larger reputational issues and a much larger business income impact.