Consortium News

  • 11 May 2015 11:21 AM | Deleted user

    US-CERT Alert published May 7, 2015

    Systems Affected

    Systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL. 


    Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. As many as 85 percent of targeted attacks are preventable [1] (link is external).

    This Alert provides information on the 30 most commonly exploited vulnerabilities used in these attacks, along with prevention and mitigation recommendations.

    It is based on analysis completed by the Canadian Cyber Incident Response Centre (CCIRC) and was developed in collaboration with our partners from Canada, New Zealand, the United Kingdom, and the Australian Cyber Security Centre.


    Unpatched vulnerabilities allow malicious actors entry points into a network. A set of vulnerabilities are consistently targeted in observed attacks.


    A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

    • Temporary or permanent loss of sensitive or proprietary information,
    • Disruption to regular operations,
    • Financial losses relating to restoring systems and files, and
    • Potential harm to an organization’s reputation.


    Maintain up-to-date software

    The attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.

    It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.

    Patch commonly exploited vulnerabilities

    Executives should ensure their organization’s information security professionals have patched the following software vulnerabilities. Please see patching information for version specifics.

    Visit here to see the details on and patches for the 30 targeted software threats.

  • 11 May 2015 9:54 AM | Deleted user

    by Pete Herzog
    retrieved 4-28-2015

    An attack takes down the web server. An office worker notices there’s no response and calls IT support. So a member of IT support goes to the server room.

    He sees the power is on and all the network cables look okay. He goes to the keyboard to login and sees there’s no shell. Nothing. Where’s the Operating System?

    He thinks they got hacked. So he freaks out and calls the CISO, “The web server is dead. What do I do?”

    The CISO answers, “Don’t panic, I can help you. First, let’s make sure it’s dead.”

    There is a silence. Then a loud smash is heard. Back on the phone, the IT support person says “OK, now what?”

    * * *

    Tell me your cybersecurity strategy. If you have a head for business you probably just said a few words to yourself. It was short. It was concise. It was more information than sentence. You know your cybersecurity strategy by heart.

    But if you’re a cybersecurity consultant then you’re probably still mumbling your pitch. The thing is that unless you’re in the business of selling cybersecurity products and services, you really only have one cybersecurity strategy: don’t lose money. And it’s an integral part of any modern business plan.

    So what exactly is a cybersecurity strategy? A strategy is a plan with the set of goals and objectives to get a specific result. A cybersecurity strategy is a cybersecurity plan with a set of cybersecurity goals and cybersecurity objectives to get cybersecurity as a result.

    People who are into selling cybersecurity strategies like to say it also includes specifics on tools and metrics. But that’s really just a trick of adding tactics to the strategy so it doesn’t sound so useless.

    Yes, useless. Fun fact for you. A cybersecurity strategy is useless. There you go. A free tidbit for you. Enjoy. If you’re on Jeopardy someday, the category is business and the answer is “useless” then you’ll be a big winner. You’ll thank me.

    Yes, useless…

    A CEO gets lost deep in the mountains after dark. He whips out his trusty sat phone and calls the office to look up his location on a map. A cybersecurity consultant happens to pick up.

    The CEO explains his situation and tells him that he needs the fastest way out of the woods.

    The consultant is heard tapping furiously at the keyboard, mumbling to himself as he thinks out loud, and after some time gets back on the phone, “You need to just fly out.”

    The CEO shouts, “How the hell do you expect me to grow wings and fly out?!”

    The consultants answer, “How should I know? I’m a strategist.”

    * * *

    The truth is that if you don’t have a cybersecurity strategy for your business it’s because you’ve inherently got one. You’ve never bothered to formally make one because it’s so obvious. Like how you don’t have a formal not dying strategy.

    Your cybersecurity strategy would likely say you don’t want threats of any sort affecting your assets of any sort now or in the future. Obvious.

    It’s such a no-brainer that if time-travel were invented next week and criminals could go back in time to rip you off then your cybersecurity strategy would still be obvious enough to also include that you don’t want to lose assets yesterday too.

    And you didn’t have to even write it down. Or pay a cybersecurity consultancy a Monopoly-style wheelbarrow full of money to do so. So if it’s useless, why is there such a focus on a cybersecurity strategy? Because tactics are hard.

    Too harsh? No, appropriately harsh. It’s easier (and safer) to make a cybersecurity strategy sound like something important despite meaning nothing than it is to make tactics that work.

    You look better longer too because a cybersecurity strategy can go on meaning nothing a really long time but tactics that mean nothing get noticed right away. And I mean that in a bad way not a Hollywood starlet way.

    I know it’s no surprise to you but cybersecurity is hard. Not only do we not know all of the possible threats but even if we did we still couldn’t know all of the shapes those threats could change into.

    Like if getting wet is a threat then what form will it take? Will it be snow, encroaching glacier, broken pipe, condensation, mis-forecasted hurricane, or the tears of a CISSP trying to create cybersecurity tactics?

    But knowing about threats and what to do about them is not needed or important in a cybersecurity strategy.

    No, a cybersecurity strategy, for real, looks like this. And this one is really truly for real, and swear-to-holy-stuff looks like this. I copied it just like this from an official cybersecurity strategy and then lightly anonymized and generalized it:


    1. Securing Company systems – Our clients trust our company with their personal and business information, and also trust us to deliver services to them. They also trust that we will act to protect and advance our business interests. We will put in place the necessary structures, tools and personnel to meet its obligations for cybersecurity.
    2. Partnering to secure vital cyber systems outside the company – Our economic prosperity and our cybersecurity depends on the smooth functioning of systems outside the company. In cooperation with partners and clients we will support initiatives and take steps to strengthen our cyber resiliency, including that of our critical infrastructure.
    3. Helping our users to be secure online – We will assist our employees and clients in getting the information they need to protect themselves and their families online, and strengthen the ability of law enforcement agencies to combat cybercrime.

    The Strategy:

    • Reflects our values such as the rule of law, accountability and privacy
    • Allows continual improvements to be made to meet emerging threats
    • Integrates activity across the whole company
    • Emphasizes partnerships with government, business and academe
    • Builds upon our close working relationships with our allies

    Now was there is a single thing in there that REALLY needed to be written down? How many meetings did it take to write that? How much consultant blood money?

    What’s in there?

    • You will use cybersecurity to not lose assets
    • You will use partners with cybersecurity to not lose assets
    • You will help others use cybersecurity with your stuff to not lose assets

    Check. Check. And Check! Got it! The message is don’t lose assets here just in case you missed it or wanna pay someone to tell you that. And do YOU have that? And I’m saying it’s OKAY that you don’t. Because there’s nothing in there that should be a surprise to you. It’s all obvious.

    Super like wearing a cape obvious. And not just obvious but actually illegal to not consider doing things like following “rule of law”.

    Not to mention the bit about values. Seriously, when’s the last time you thought, “Hey, I’m gonna undertake this task here and I’m not going to do it according to my values. Nope.” Assuming you know what your values are.

    Truthfully, I don’t think I can articulate my own values but I’m pretty sure it would take serious, conscious effort to do something that was not my in my values. Then again to express in writing that I will follow my values has no value to the people who don’t know what my values are or can even articulate their own.

    But it’s a plan. Right? We need plans. And a cybersecurity strategy is a plan. Without which we can’t be a cohesive team making solid cybersecurity, right? Right?

    Wrong. You don’t need fluff telling you that your partners and clients and their families need you to have your act together and not lose their assets or them as an asset or their money which is clearly an asset. You know that. And you probably already have that in your business strategy under the heading Don’t Lose Assets.

    But to have a cohesive team making solid cybersecurity you do actually need to outline what you do. Yes, you do.

    And luckily for you, in cybersecurity, that do is to prevent losing assets. And everyone who wants to be in cybersecurity of any kind already knows this and cares about it and is in no way not thinking that their job is the opposite of not losing assets.

    Those cybersecurity professionals aren’t freaking out about the cybersecurity strategy. And telling them is just so not helpful it’s offensive. You see, a cybersecurity strategy is about as effective as someone telling you to calm down and relax when you’re having an argument.

    No, you don’t need strategy. What you need are tactics. And you need to hire the people who know cybersecurity tactics.

    Cybersecurity tactics are the rubber meets the road. They are the match striking the slate. They are literally the packets smacking the server. They are the way you do the thing you do to the things you have to to have cybersecurity. And that’s hard.

    But you don’t need a cybersecurity strategy because you’ve already got one.

    * * *

    All uses of “cyber” in this column are for keyword use only and by no means does the author imply that using such language is appropriate or cool. Furthermore this author does not condone nor deny the use of the word cyber in any way because the author is okay with the word in general, despite its original definition, because language is a living thing and meanings change.

  • 06 May 2015 4:37 PM | Deleted user

    Retrieved from Boston Business Journal  |  May 6, 2015

    Brigham and Women’s Hospital has formed a partnership with a San Francisco-based seed-stage investment fund in an effort to test and potentially integrate digital health startup innovations into the Boston hospital.

    The hospital formed an affiliated medical partnership with Rock Health, and the two organizations are currently in the midst of finalizing plans.

    The partnership is expected to begin this summer and last three years.

    Lesley Solomon, executive director of the Brigham Innovation Hub at Brigham and Women’s Hospital, said the idea is to validate the innovations being funded by Rock Health.

    “We will have the opportunity to collaborate with thought leaders in the digital space developing tech that (has) the potential to dramatically transform health care delivery,” Solomon said. “(We’re trying to figure out) how can we get access to good digital technology that can help us impact patient care.”

    The Innovation Hub helps support internal startups and hosts innovation competitions. Solomon said executives were hopeful that Rock Health, a seed-stage venture fund focused on digital health startups, would also look at investing in Brigham technology, though that wasn't the intended purpose of the relationship.

    “I’m excited,” Solomon said. “For me, Rock Health is a thought leader in the digital space. They have demonstrated that they are committed to helping Brigham entrepreneurs tackle the biggest problems in health care.”

    The startups will be focused around digital health, including devices that connect to the cloud, apps and software platforms, and telemedicine.

    The Rock Health partnership also offers Brigham new access to California startups.

    "It doesn’t limit us from partnering with others, but for us we’ll have the opportunity to talk to the best, work with the best," Solomon said. "And they are based in San Francisco, where we don’t have a presence, so it helps us get access to startups we might not know about here."

    Venture capital firm Bessemer Venture Partners, which has an office in Boston, was a lead investor in Rock Health.

  • 30 Apr 2015 11:37 AM | Deleted user

    Retrieved from  |  Beth WalshApr 29, 2015

    Former National Coordinator for Health IT David Blumenthal, MD, penned a blog in the Wall Street Journal's  "The Experts " addressing the potential for health IT as well as challenges related to interoperability and outdated privacy and security regulations. 

    Now president of The Commonwealth Fund, Blumenthal wrote about various scenarios in which health IT tools and mobile applications could help people track and monitor their healthcare by providing interactive, real-time information. But, those advancements can't happen unless electronic devices can communicate with each other. 

    Many EHRs, mobile devices and personal sensors can't exchange information at this point for a variety of reasons but most importantly because "healthcare organizations are fearful of sharing patients' data since it will liberate their customers to go elsewhere for their care." And,  EHR vendors are "charging prohibitive fees and creating other barriers to information sharing" to make it more difficult for customers to "switch out one [EHR] for another," he wrote.

    Blumenthal also wrote that the current privacy and securitiy regulations were conceived and implemented before the internet existed and therefore, "don't offer adequate protections for the 21st century. "If people can't trust the privacy and security of cloud-based health records, they won't feel comfortable using them."

    The obstacles, "mostly human in the making, can be solved by humans if the will exists. If we find a way, the healthcare future will be far brighter for all of us." 

  • 30 Apr 2015 11:32 AM | Deleted user

    Retrieved from  |  Apr 30, 2015   

    UnitedHealthcare has announced that it will now cover video visits from Doctor On Demand, American Well’s AmWell, and its own Optum’s NowClinic, which is a white-labeled American Well offering. The insurance company pointed out that the average price of a video visit is less than $50, and as part of its coverage for the service its members will still be responsible for a portion of that fee depending on the deductibles, copays and out-of-pocket expenses associated with their specific benefit plan.

    The payor pointed to the growing lack of providers in the US, according to the American Association of Medical Colleges, there’s a shortage of 45,000 primary care physicians. United said it’s especially a problem for those in rural areas, which is where 25 percent of the country’s population resides. This group of people have limited access to healthcare, especially subspecialty care.

    "UnitedHealthcare is developing innovative telemedicine solutions that enable consumers, especially people who live in rural areas of the country, to access quality, cost-effective health care, whether at home or on the go," UnitedHealthcare CEO of the Commercial Group business Jeff Alter said in a statement. "Consumers can save time and money choosing among quality physician groups from the convenience of their smartphone, tablet or home computer at any time of the day." 

    All three offerings allow patients to schedule a video visit via mobile device or desktop with physicians who can discuss and send prescriptions for a wide range of conditions including bronchitis, cough, sinus infection, sore throat, UTIs, vomiting, diarrhea, fever, pinkeye, and flu. Coverage for video visits is currently just available for self-funded employer customers, but UnitedHealthcare said it would cover employer-sponsored and individual plan participants in 2016.

    A United spokesperson told MobiHealthNews in an email that they chose cover video visits from a couple of remote visit service providers to give their members more choice when they seek virtual care.

    Together the three services reach 47 states and Washington, D.C. UnitedHealthcare members can find a list of participating video visits care providers through UnitedHealthcare’s Health4Me smartphone app — it is available on the "Find and Price Care" page. App users will not only be able to browse the provider groups, they will also be able to view the cost of a virtual visit with each contracted provider group.

    Earlier this week, Doctor On Demand announced that MultiCare Health System would offer the company’s video visits service to Washington-based patients. The new service is co-branded as MultiCare Doctor On Demand, and allows anyone in the state of Washington to communicate with a physician about different medical issues.

  • 28 Apr 2015 3:27 PM | Deleted user

    retrieved April 27, 2015  from

    It’s become all too common to read about theft or mishandling of private health data. Whether due to a targeted attack or unintentional breach, entities and individuals within the healthcare system need greater peace of mind that sensitive data is safe and secure. A new international privacy standard for cloud providers — ISO 27018 — brings an effective means to better protect health data. The privacy standard mirrors some of HIPAA’s tenets while providing an all-important third-party audit mechanism.

    While enacted almost 20 years ago and updated recently in 2013, HIPAA still falls short of truly protecting personal data in today’s data-rich healthcare system. The two main provisions of the law change were meant to protect health insurance coverage for an employee following job loss and set standards for electronic transactions involving healthcare data. The latter provision, put into place in 2003, contains the Privacy Rule that governs the use and disclosure of Personal Health Information (PHI). 

    The matter of business associates

    As originally written, the HIPAA Privacy Rule applied to covered entities or, generally speaking, health insurance companies, employer provided health plans, and some healthcare providers. The rule forbids any covered entity from using PHI for marketing purposes without patient authorization. 

    Some aspects of the original Privacy Rule also applied to business associates or the third-party organizations that covered entities’ use when performing their healthcare activities. As the Department of Health and Human Services states, examples of business associates include a consultant who produces utilization reports for a hospital and a healthcare clearinghouse that translates claim data from one format to another.

    In 2013, the law was updated to ensure all aspects of the Privacy Rule now apply to business associates and covered entities. But this expansion is not enough to adequately protect personal healthcare data. The rub lies in who qualifies as a business associate, which may not include all of the technology service providers that manage data behind the scenes. A business associate is required to enter into to a Business Associate Agreement (BAA).

    A BAA creates the legal relationship between the covered entity and business associate. It governs the permitted use of PHI and requires business associates to put into place safeguards to “prevent unauthorized use or disclosure of the information.” The business associate is prohibited from using or disclosing healthcare data in any way that violates HIPAA.   

    In the decade between the issuance of the original and updated HIPAA regulations, the number and types of business associates exploded. In addition, electronic healthcare transactions have increased exponentially. In 2015, the U.S. market for electronic records alone is expected to reach $9 billion. Companies that provide the underlying infrastructure for healthcare data transactions including cloud providers, email systems, and intranet services are also part of the landscape that should protect PHI. 

    While the new HIPAA privacy rule includes language to bring an increasing number of technology service providers under the business associate umbrella, it is not clear whether industry practice has kept pace with the new rule. 

    Call to action: Embrace ISO 27018

    To address this gap and better protect the privacy of PHI, the government must adopt the tenets of ISO 27018.

    Although the standard, as currently written, focuses on Personally Identifiable Information (PII), it can apply a rough benchmark as to how a technology service provider will handle PHI as well. And while the substantive requirements of ISO 27018 may not match the requirements of HIPAA exactly, they overlap significantly. This overlap is valuable, as it can offer third-party validation of these requirements through an audit process. 

    ISO 27018 provides a strong litmus test for entities that handle sensitive information such as PHI — and will help entities pick and choose among technology service providers.

    Technology service providers that have undergone a successful audit for the controls under ISO 27018 can demonstrate a commitment to using the types of security and privacy controls required for handling such sensitive information. 

    Complying with ISO 27018 means public and private sector entities, as well as the individuals who entrust them with their data, can rest easier knowing that their data will not be reused by technology companies without their consent.

  • 23 Apr 2015 9:21 AM | Deleted user

    retrieved April 22, 2015   |   from

    Atrius Health, a Newton, Mass.-based nonprofit multispecialty medical group, is the latest organization to open its own innovation center.

    The nonprofit will invest $10 million in a place that will aim to develop and improve patient-centered care delivery models. Atrius, which is part of a Pioneer Accountable Care Organization (ACO), joins other health systems and hospitals, including New York Presbyterian, Hospital for Special Surgery, and Cleveland Clinic that have created specialized innovation arms of their organization. While those have focused specifically on technology innovations, this one will be more about risk-based sharing models.

    "As the industry continues to move towards increased risk sharing, accountability and transparency around performance, increased patient engagement, and demands for big gains in efficiency, it is requiring us to rethink how we deliver care," stated Daniel Burnes, M.D. Transition CEO of Atrius Health. 

    Atrius says not only will the Innovation Center be an independent business unit within Atrius Health, but will be overseen by an advisory board consisting of membership from the Atrius health board and the organization’s senior leadership.

  • 22 Apr 2015 2:09 PM | Deleted user

    The UpTake: Care at Hand's app taps into the observations of untrained home caregivers to gather better medical information.

    retrieved from Boston Business Journal   |   Apr 22, 2015

    What if the answer to reducing health costs of the most expensive patients stems from listening to the hunches of home care workers with little — if any — medical training?

    That’s the premise tech startup Care at Hand Inc. used to predict and prevent an estimated $6.5 million in Medicare spending by reducing hospitalizations among aging patients in Massachusetts.

    Now, company officials are taking aim at Maryland, the only state to have a Medicare payment waiver to set its own rates. Officials at Care at Hand say its online survey system, which captures and analyzes observations from home care workers, will "disrupt" the way Maryland hospitals tackle readmission rates.

    "These are incredibly valuable and underutilized workers. Why don’t we use what’s in place, but use them more intelligently," co-founder and CEO Dr. Andrew Ostrovsky said. He is relocating from Boston to Maryland in May after launching the service with The Coordinating Center of Maryland.

    Care at Hand developed a survey app to give to home care workers, instructing them to answer up to 15 questions about their client each day. The idea is that home care workers have more opportunities to notice subtle health changes among their clients who are trying to "age in place" in their own homes.

    For instance, a worker might notice if it becomes harder to slip on a client’s shoe due to foot swelling. That could indicate a patient is suffering from symptoms of heart failure.

    The system will prompt medical staff at a local hospital if a client seems to be demonstrating risk factors for hospitalization based on the survey.

    "[Home care workers] don’t need to understand why those indicate problems," Ostrovsky said. "We just need to make sure that they are being brought to the attention of a patient’s medical team."

    While the company's ambitions are big, it's still a small startup. Last year, it made about $250,000 in revenue and hopes to increase that to about $500,000 this year. The company's raised approximately $2 million, with a recent funding round of about $500,000. And as CEO, Ostrovsky admits his background as a pediatrician may make him sound like an odd fit for a company focused around the aging population.

    But the company has some heavy hitters behind it. Eric Reis, author of the popular business book "The Lean Startup," is one of the company's investors. Other backers include Mark Leavitt, the former chairman of the nonprofit Certification Commission for Health Information Technology and former chief medical officer of HIMSS, and Dr. Barry Zuckerberg, the former chief of pediatrics at Boston Medical Center. New York-based tech venture firm Great Oaks Venture Capital is also an investor.

    The federal Agency for Healthcare Research and Quality looked at hospital-generated admissions data for one elder care group in Massachusetts using Care At Hand's software. It found the program reduced 30-day readmissions by 39.6 percent among at-risk patients, for a net savings of $2.57 for every dollar spent.

    Ostrovsky is betting that results like that will be crucial in Maryland, where hospitals have a five-year deadline to demonstrate improved quality through improved care coordination with outpatient providers to keep the state Medicare wavier. But first, the company has to convince the home care providers to get on board.

    "We come in and say, 'You don't have to change a thing,’ " Ostrovsky said. "But we'll digitalize the hunches of your health care workers and we'll quantify the [return on investment] for your hospitals."

  • 17 Apr 2015 3:19 PM | Deleted user

    BOSTON, April 8, 2015 /PRNewswire/ -- Beacon Health Options (Beacon), the nation's premier behavioral health management company, announced today that Bill Fandrich has joined the organization as Executive Vice President and Chief Operating Officer, effective immediately. In this role, he will direct Beacon's core operations and introduce operational best practices enterprise-wide. Additionally, he will implement an operational strategy that supports Beacon's long-term growth and ensures service excellence for clients, provider partners, and most importantly, the individuals Beacon serves.

     A 30-year veteran of the health care industry, Mr. Fandrich comes to Beacon from Blue Cross Blue Shield of Massachusetts(BCBSMA), where he served as Senior Vice President, Chief Information Officer and Head of Operations since 2008. He managed more than 2,000 employees and contractors responsible for operational and technology functions. Mr. Fandrich also led the Corporate Project Management Office at BCBSMA. While there, he served on several community and company boards, and in 2010, was named "CIO of the Year" by Mass Technology Leadership Council for the state of Massachusetts. In 2015, he was the recipient of the Massachusetts Health Data Consortium's Delores Mitchell Award for Investing in Information.

    Previously, Mr. Fandrich served as the first Chief Informatics Officer for Cigna where he was responsible for launching the company's market-facing informatics strategy. During his five years at Cigna, he also held senior executive positions in product development and information technology operations. Earlier in his career, Mr. Fandrich served as Chief Application Officer and Senior Vice President at Liberty Mutual. He also has held positions at Deloitte and EDS, where he focused on health insurance and medical provider technology solutions.  Mr. Fandrich also co-founded a company, Cogentric, Inc., a security and risk management firm, which was sold in 2003.

    "Bill will play a key role in positioning Beacon Health Options to deliver superior service to our clients, providers and members. He brings a dynamic combination of leadership skills, extensive operations expertise and a successful track record that will benefit our company in the coming years," said Beacon Chief Executive Officer Tim Murphy. "Moving forward, we will look to Bill to set a clear operational vision for us as we transform Beacon to meet our important mission of helping those we serve live their lives to the fullest potential."

    About Beacon Health Options

    Beacon Health Options is a health improvement company that serves 45 million individual across all 50 states and the United Kingdom. On behalf of employers, health plans and government agencies, we manage innovative programs and solutions that directly address the challenges our behavioral health care system faces today. A national leader in the fields of mental and emotional well-being, addiction, recovery and resilience, employee assistance, and wellness, Beacon Health Options helps people make the difficult life changes needed to be healthier and more productive. Partnering with a network of providers nationwide, we help individuals live their lives to the fullest potential. Visit for more information.

  • 17 Apr 2015 9:55 AM | Deleted user

    Retrieved from Boston Business Journal  |  Apr 15, 2015  |  Jessica Bartlett

    Hospitals are crunching unprecedented amounts of data to understand better ways to save money, and Arcadia Healthcare Solutions is ready to take advantage of the market opportunity.

    The Burlington-based company, which collects care-related data to help hospitals better manage some of their more expensive patients, has raised $13 million to help hire 50-to-100 employees as it bolsters its technology and expands its marketing team.

    The company has approximately 200 employees but does not publicly disclose revenue.

    "We’re a company on the rise in terms of our recognition in the marketplace," said Arcadia CEO Sean Carroll. "We want to continue to make sure the market is aware of us, what we’re doing, how we’re trying to help our clients and how we have helped."

    The funding came from Peloton Equity LLC and Zaffre Investments LLC as well as a roster of the company's previous investors. The company works by aggregating insurance information with patient data collected from a hospital’s electronic medical record.

    Founded in 2002, Arcadia has approximately 65 clients, including Beth Israel Deaconess Medical Center. Arcadia estimates that it will add another 30-to-40 clients in the next year. That should help propel a 30 percent revenue increase, Carroll said.

    Though the hospital analytics space is becoming increasingly crowded, Carroll said Arcadia’s focus on providing analysis and solutions – rather than just data aggregation and reports – is the company’s competing edge.

    "Our interests are engaging tech to help them implement transformative plans and strategies in their ambulatory network that change the way they deliver care," Carroll said.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

For more information,
please contact Arleen Coletti
by email or at 781.419.7818

join our mailing list

© Massachusetts Health Data Consortium