The health care community has learned a lot about itself over the past few years, including on the topic of telehealth. In an era of “on-demand” everything, it’s no surprise that health care has followed suit. There are several benefits to telehealth – access to needed health care practitioners and potential cost containment, among others – but some companies have taken advantage of the system beyond its intended function.  

Telehealth-first platforms have built business models around ultra-convenience – allowing patients to get antibiotics or obtain medications for hair or weight loss without ever stepping foot into a doctor’s office and rarely speaking to one on the phone. Most of these companies are causing more problems than they solve, and raise serious concerns about patient safety, medical ethics, and the commodification of health care. 

The crux of the issue lies in how care delivery is structured at these companies. Medical consultations with these telehealth providers are often reduced to a few checkbox questions or brief asynchronous messaging exchanges with clinicians the patient never meets. This setup is not conducive to thorough, personalized care, especially when dealing with medications that affect hormonal balance and mental health. 

Even more troubling is the advertising strategy. These companies aggressively market themselves, promising effortless solutions to hair or weight loss, deeply emotional issues for many people. The message is clear: “Use us and your confidence will be restored.” But behind the scenes, the regulatory oversight is thin, and the clinical rigor is questionable. 

Take for example the recent resurgence in news coverage of finasteride. Finasteride is a medication originally developed to treat enlarged prostates. It was later repurposed for male pattern baldness. Known side effects include hormonal imbalances, depression, and even long-term neurological issues in some patients. These risks are well-documented in medical literature, yet telehealth companies often minimize them in their marketing and patient education materials. The result? Young men – some still in their teens – are signing up for what they believe is a low-risk treatment, only to suffer life-altering side effects they weren’t adequately warned about. 

To be clear, telehealth can be a valuable tool when used appropriately. It can increase access to care, reduce waiting times, and allow patients in underserved communities to see specialists they may not have seen otherwise. And it’s important to maintain access to legitimate medications that are prescribed to treat various health issues. But when companies use telehealth as a shortcut to distribute compounded, unapproved medications with minimal oversight, the results can be dangerous. 

It’s time to recalibrate the balance between access and accountability. Health care should not be treated like just an e-commerce transaction, but rather an important care encounter. Patients deserve more than a quick fix – they deserve informed consent, personalized care, and a system that puts their long-term well-being above convenience.

Chart Review: Cyberattacks in the Health Care Sector Are Setting Off Alarms

Nicolas Montenegro, Health Policy Intern

In February 2024, Change Healthcare – a technology subsidiary of UnitedHealth Group – suffered a ransomware attack of policyholder electronic records. Almost a year later, it was reported to the Department of Health and Human Service’s Office of Civil Rights (OCR) that approximately 190 million individuals had their information compromised as a result of the cyberattack. This breach ranks as the second-largest cyberattack on the health care sector in U.S. history by the number of people affected, surpassing Anthem Blue Cross Blue Shield’s 2015 breach, which impacted roughly 80 million policyholders.   

Cyberattacks on health care entities have surged over the past decade, both in terms of frequency and scale. On average, cyberattacks targeting health insurers, providers, and their business associates (organizations that handle and maintain protected health information) have increased by 32 percent annually, while the number of individuals affected has increased by 102 percent each year over the same timeframe.  

Source: U.S. Department of Health and Human Services Office for Civil Rights – Breach Report 

Not all data breaches result from cyberattacks, however. Other types of data breaches often stem from institutional oversight, including the loss or theft of paper records or hardware, unauthorized access to records, and improper disposal of files. While these types of data breaches remain an issue, cyberattacks have become the most prevalent threat, as much of the industry’s protected health information is shared and stored virtually – e.g., in electronic health records, or care administered through telehealth. In 2014, cyberattacks accounted for just 14 percent of all health care data breaches. Over the past decade, they have far outpaced other sources, now accounting for more than four-in-five breaches across the health care sector.  

Source: U.S. Department of Health and Human Services Office for Civil Rights – Breach Report 

These trends have heightened concerns about cybersecurity in the health care sector and the level of exposure faced by stakeholders. Some experts and lawmakers argue that existing cybersecurity guidelines are either outdated or insufficient. Earlier this year, OCR issued a notice on a proposed rule to update the HIPAA Security Rule that aims to modernize cybersecurity measures and clarify implementation requirements. While these proposed changes to the HIPAA Security Rule have yet to be enacted, they indicate a credible sentiment to address the underlying problem. As cyberattacks grow more frequent and sophisticated, minimum security standards may require overhaul to better mitigate data breaches. Strengthening cybersecurity in health care is not only essential for protecting patient privacy but also for preventing disruptions and delays in critical medical services.