Tag Archives: milliman

What’s Next for Ransomware

Finally, a bit of good news on ransomware: Federal investigators said Monday that they had recovered millions of dollars of the ransom that Colonial Pipeline paid to Russian hackers following their recent attack, which disrupted gasoline supplies up and down the East Coast.

The news may discourage ransomware hackers by showing them that they aren’t as invincible as they think — while they operate from countries that aren’t likely to cooperate with international enforcement and take payment in cryptocurrency, U.S. investigators tracked the Colonial Pipeline ransom to a digital wallet and recovered much of it. The news also underscores FBI Director Christopher Wray’s statement last week that ransomware attacks should be seen as terrorist activity that warrants a heavy response from law enforcement, suggesting that potential corporate targets and their insurers may receive much-needed help.

To understand where ransomware attacks and cyber insurance go from here, I sat down recently with Brian Brown, principal and consulting actuary at Milliman, and Paul Miskovich, a consultant who has been working with Milliman on cyber issues. As you’ll see, they offered a modicum of optimism but raised some tricky issues that both insurers and corporate clients will face — and laid out some cyber threats that lie ahead even if ransomware starts to come under control.

Here is the conversation:


When we started planning this conversation, there had just been a high-profile ransomware attack, the one that shut down Colonial Pipeline and greatly restricted the availability of gasoline on the East Coast for days. We’ve since had an attack on JBS, which is the world’s largest meat seller and which provides a quarter of the beef and a fifth of the pork consumed in the U.S. Now that awareness is finally rising for this long-festering problem, what happens next?

Paul Miskovich:

For companies and clients, the attacks will drive investment in cyber resiliency.

The guidance from U.S. regulators and law enforcement, which has been very consistent, is that paying ransoms encourages bad actors to accelerate crimes involving ransomware. The Office of Foreign Assets Control and the Financial Crimes Enforcement Network released advisories in October that warned of sanctions for victims who make ransomware payments. So, you’re in a Catch-22 if you’re attacked. If you choose to pay, you may have to pay penalties. If you choose not to pay, you could suffer reputational harm and other financial losses from being shut down. So, the only correct thing to do is to invest more in cyber resiliency.


My thesis has been that the insurance companies should play a major advisory role because they are experts or at least more expert than the individual clients, based on all the cases they are seeing. Is that a reasonable thought?

Paul Miskovich:

It is, but there are issues.

Insurance companies are also affected by the OFAC advisory, and they have issues in making payments. They will need to start investing in technology partners to be able to make ransomware payments, which typically are done in cryptocurrencies. Insurers will also have to work more closely with law enforcement, to avoid sanctions and penalties. With respect to clients, insurers are going to have to work much more closely on prevention and resiliency.

And then you end up with other issues. Hackers will use AI and algorithms that accelerate the pace of the attack and could release confidential information, meaning that victims need to pay the ransom fast. So, insurance companies are going to have to figure out assessment and payment methodologies that work a lot faster than they work now.


Can intelligence and law-enforcement agencies like the FBI do more to spot attacks potentially coming from overseas and maybe even shut them down?

Paul Miskovich:

Agencies are going to have to increase their scale, because they don’t have the necessary resources to address the growing cyber threat. There’s a whole criminal network behind ransomware that’s exchanging money in the form of cryptocurrencies, so law enforcement has to get to a level of sophistication that it can use blockchain and other technologies to track the flow and disrupt the perpetrators.


What are all these threats doing to insurers and to rates?

Brian Brown:

From 2015 to 2020, premium growth for cyber insurance has been in excess of 25% a year, and the current cyber premium is about $2.3 billion a year. It’s possible that’s understated, because carriers may not be reporting all of the cyber premium. Also, this is just premium written by U.S. domestic companies.

We started to see a big tick up in claims in 2019. The 2019-2020 claim activity has been more than double 2017.

Loss ratios were pretty favorable for stand-alone cyber policies from 2015 to 2018, below or close to 50%. But in 2020 the loss ratio was 73%. That’s assuming that the carriers are perfectly reserving the exposure. We’ve looked at some other data for policies just written in 2020, and the indicated loss ratios, early on, may be much higher than 73%.

A lot of big companies have pretty tight security plans; the medium-sized companies not as much. So, there may be much heavier rate activity for the medium-sized companies. But the fundamental issue is, which insurers can determine new, more robust variables that predict the likelihood of a cyber loss.

And, if you’re insuring somebody, you want to provide risk management services to reduce their probability of a cyber event, whether that’s providing courses to employees or software to IT departments to measure cyber resilience. You also really need a qualified staff to handle claims.

The predictions are that premiums will continue to grow well in excess of 25% annually for years to come. So, I think we’re on the cutting edge of a great opportunity for a lot of insurance companies, if they’re able to do it right.


Do you want to speculate a bit on what the next threat will be, beyond ransomware?

Paul Miskovich:

I see three. The first one, undeniably, is the exploitation of cloud computing vulnerabilities. Next are the cyber security breaches originating from vulnerabilities in ecosystems, where the victim is provided services, especially web applications, through a third-party offsite server. That area of exposure is going to continue to increase. The other one is that the sophistication of exploits is increasing with artificial intelligence and self-learning algorithms. Denial of service attacks are becoming especially dynamic. The algorithms are quicker and more effective. The algorithm chooses one or more methods of attack using behavioral analysis of the network to try to figure out how to get through the defenses.


On the theory that we should fight the next war, not the last one (as generals famously are said to do), are there particular things you would recommend that anyone in this ecosystem — the clients, the insurers, the regulators or the investigative agencies — should do to prepare us better for those next threats?

Paul Miskovich:

I feel that Congress should establish federal minimum cyber security standards for private businesses. And law enforcement and regulators should put forth information campaigns educating the public. Together, they will set a common basis of knowledge and preparation and will drive investment in cyber resiliency, while improving private companies’ responsiveness to quickly evolving threats.

As for critical infrastructure — energy, transportation and healthcare — I think they require much, much deeper resiliency planning.

We don’t really know what the next attack will be, but if we all have the same baseline through training and standards, and we’re all sharing information, then our responses can be more effective.

Brian Brown:

We’re seeing a hard market now, but if we were to get one or several large events, in the $100 million to $1 billion range, we’d see an extremely hard market, and quite possibly capacity issues. So, some are looking at alternative capital sources to provide cyber coverage. We’re also seeing some MGAs and insurtechs actually doing the underwriting, which is likely to be a growing trend.

Paul Miskovich:

Many of the later entrants in the cyber market think it’s more efficient to use specifically targeted, talented teams coming out of MGAs.

Brian Brown:

There are some additional benefits from the MGA relationship, because, if you’re not happy with the performance of the portfolio, it’s easier to exit. So, it’s a quicker ramp up and an easier exit.


Thanks to you both. This has been a great discussion.



P.S. Here are the articles I’d like to highlight from the past week:

Behavioral Science and Life Insurance

Carriers must fully grasp human biases and behaviors and harness technologies to improve health.

Ready for the Fully Connected Future?

The key for insurers is to think beyond a single transaction and be “partnership-ready,” which also means becoming “ecosystem-ready.”

The Promise of Predictive Models

Big data and AI will uncover insights that allow smart carriers to acquire the most profitable clients and avoid the worst.

Key to Transformation for Auto Claims

AI is critical to processing and assessing all inputs and removing friction. Yet AI alone cannot deliver transformation.

Auto Insurers Prep for Summer Driving

By taking steps now to update, optimize and digitize processes, insurers will be prepared to help customers through this likely difficult time.

Different Flavors of Transformation

Transformation and improvement are not the same, and insurers should use different approaches to the two types of innovation.

Getting Hitched Without the Hitch

When things go wrong with a wedding, they can go really wrong:

Valentine’s Day is the traditional end to what is known in the wedding blogosphere as “engagement season.” These engagements tend to last just over a year, averaging 14.5 months, according to theknot.com. Those 14.5 months are a whirlwind of activity during which couples are setting their date, working on guest lists and putting down deposits to ensure that everything goes smoothly on the big day.

But what if there is trouble in paradise—and someone calls off the wedding? Or weather prevents the parents of the groom from making it to the ceremony? Or the venue closes? Or the photographer gets lost? Or the caterer doesn’t show up? Or a drunk uncle damages property at the reception hall? What happens then?

The average wedding in the U.S. costs $35,329 (ranging from $12,769 in Mississippi to $88,176 in Manhattan). Pulling off a typical wedding involves a lot of variables–which all introduce the possibility of financial loss. There are multitudes of vendors: venue, caterer, baker, musician, florist, officiant, bridal salon, hair stylist, make-up artist and photographers to name a few, all of which will likely require a deposit. On the day itself, inclement weather could keep important guests from arriving or could even postpone the wedding. Finally, as with most social events that typically serve alcohol, guest behavior can cause unpredictable property damage.

For such an important life event, at such a high price point, it’s worth protecting your investment. Many insurance companies have wedding liability products to help. Wedding insurance can combine a number of different coverages and can range from only $95 to $500 depending on the types and level of coverage provided. Wedding insurance is easy to purchase online (or over the phone). For example, Travelers offers a Wedding Protector Plan and has a quiz to help gauge the riskiness of your wedding. Other insurers, such as WedSafe and Wedsure, also make it easy to find a quote and buy wedding insurance online.

The most commonly selected wedding coverage is liability coverage. This is typically purchased in situations where the selected venue requires the couple to cover property damage and bodily injury. In addition, certain venues may require the purchase of liquor liability coverage to protect against any alcohol-related incidents.

In the event of a necessary cancellation or postponement, financial losses can be mitigated by cancellation/postponement coverages. Massive amounts of rain and snow can cancel flights, close roads and even damage or close venues. A severe illness or injury could befall the couple or a parent, grandparent, child or officiant. Sudden military deployments can also cause wedding cancellations. All of these are “necessary” cancellations/postponements, and insurance exists to protect against any financial losses they may cause.

Some wedding insurance products will also protect against problems with the venue or other vendors going out of business, or vendors arriving late, or not arriving at all. Typically, the policy would reimburse the deposits, and, if alternate vendors can be arranged, the unexpected expenses incurred by the couple to avoid a full cancellation or postponement may also be covered.

Wedding insurance purchasers should be sure to check if a prospective policy will cover a subsequently canceled or postponed honeymoon, as well.

Additional wedding insurance provisions may include coverages for wedding attire, gifts and photography/videography. Attire coverage will pay to replace (or repair) any loss or damage occurring before the wedding or to reimburse a reasonable market value for any damage occurring after the wedding. This would cover, for example, airlines losing luggage with the wedding attire or the bridal salon going out of business before the wedding dress was delivered.

Gift coverage will reimburse the couple for loss or damage to wedding gifts before, during and after the wedding while at home, at the wedding or in transit. This would cover any physical damage to gifts while on display at the wedding or a theft of non-monetary gifts.

With respect to photography coverage, loss events can range from the contracted photographer not showing up, cameras being stolen (along with the film/digital memory card) or defective film/memory card use. This coverage excludes photographs not meeting expectations but does cover the costs of reconvening your wedding party for “do over” photographs or even a retaking of the official video at a restaging with the principal participants–including new flowers and a new wedding cake.

Not only can the cancellation or postponement of such an important event be monetarily taxing, but it can also be emotionally taxing. Some wedding insurance will even cover professional counseling (if recommended by a physician) for as long as a year.

All insurance policies have exclusions, and wedding insurance is no different. Engagement rings aren’t covered, but wedding bands are. Other common exclusions include anything asbestos- or lead-related, any abuse/molestation/harassment/sexual conduct (alcohol-fueled or not), fireworks, war, nuclear, neglect or any intentional loss.

And, no, for the most part, wedding insurance will not cover cancellations due to a “change of heart” on the part of the bride or groom; cold feet do not count as a trigger for this insurance.

One insurer, Wedsure, will reimburse any “innocent party financiers, other than the bride or groom, if the wedding is canceled due to a Change of Heart by the bride or groom, 365 days or more from the date of the first covered event” [emphasis added]. However, because the average engagement length is only 2.5 months longer than this, it’s unlikely that there are many qualifying losses under this coverage.

Planning the perfect wedding can be stressful and expensive. The typical wedding costs more than the average mid-size car, and just as many things can go wrong with it. Purchasing wedding insurance can help relieve the additional stress of worrying about what happens when something goes wrong. It won’t do anything, though, about those cold feet.

Novel Solution for Driverless Risk

The route to a fully autonomous vehicle market seems long and fitful in the eyes of many. But it is likely to become a reality faster than many are prepared to accept. Like IBM, Kodak and many other companies once confronted with a rapidly changing market, we, too, now face disruptions in the auto market, perhaps unlike any since the invention of the auto. As liability increasingly shifts from the human driver to systems and software – a trend highlighted by recent reports of the first autonomous fatality – original equipment manufacturers (OEM) will come to the forefront as primary holders of automobile-related insurance risk. How they manage this risk will help determine the success and acceptance of the autonomous vehicle market in the years to come.

A new age

Skeptics of an early adoption of fully autonomous vehicles have a point. In their short history, autonomous vehicles have faced a wide array of challenges including skittish maneuvering ability in wet weather, gaps in infrastructure, regulatory and legal shortcomings, market acceptance, risk of hacking, consumers’ privacy and ethical choices. The list goes on, but so do advances in technology.

There are dozens of advances such as braking assistance, blind spot detection, pre-collision warning systems, electronic stability control and vehicle-to-vehicle communication that have been adopted over the years or are now making their way into the latest models. These technologies have been largely accepted and often embraced by consumers who have come to view them as something more than just a convenience.

In fact, few dispute the potential safety advantages of fully self-driving cars. Active safety systems that eliminate the human element from the driving equation have already been shown to prevent accidents. According to the Insurance Institute for Highway Safety (IIHS), automatic braking can reduce rear-end crashes by 40%, and front collision warning systems can lower rear-end accidents by 23%.[1] But this is just the tip of the iceberg: 94% of auto accidents are caused by human errors such as speeding, driving under the influence and driver inattention, according to a 2015 survey by the National Highway Transportation Safety Administration.[2]

The U.S. market is expected to see several thousand autonomous vehicles sold in 2020, which will grow to nearly 4.5 million vehicles sold in 2035, according to forecasts from IHS Automotive, an industry research firm.[3] The slow, methodical 11-year turnover in U.S. car ownership is likely to fall by the wayside as convenience or safety features entice consumers to purchase a self-driving car sooner than they would otherwise do. These early purchasers could be setting up a cycle of more rapid adoption as car buyers decide to forgo the thrill or pleasure of driving for the safety of their families and the ability to be more productive (or just catch up on sleep and social media). Further, there may be no need for car ownership at all in a new shared economy including on-demand autonomous shuttles.

Shifting responsibilities

Assessing liability in the near future will admittedly be a tricky matter as a mix of driving modes, ranging from no autonomy to full autonomy, populate the roadways. Accidents that involve human driver to human driver will morph into dozens of combinations of human drivers with various levels of semi-autonomous drivers and eventually fully autonomous cars. Questions of liability will need to sort out not only the comparative negligence of a human operator’s actions but also the capability of software and sensors. As the ever-diminishing role of human drivers gives way to the rise of autonomous vehicles, the importance of personal auto insurance will likewise be replaced by product liability.

Google, Mercedes and Volvo have already said they will accept responsibility for accidents that are caused by malfunctions in the technology in their cars, a move welcomed by federal regulators that see the commitment as a way to smooth the introduction of vehicles with these new technologies. While these carmakers’ pledges may, in fact, be redundant, they are a harbinger of the shift in demand for product liability.

But carmakers’ step up in accountability is only one link in the manufacture of autonomous vehicles, which can involve dozens of suppliers for software, systems and devices which enable the positioning data and predictive response algorithms to be accurate and effective. Enhanced sensing and response time capabilities will drive new demands on hardware and software performance. How will liability be spread among potentially dozens of interlocking but legally separate entities?

Currently, as part of the general purchasing conditions, the supplier will indemnify and hold the manufacturer harmless from and against any and all loss, liability, cost and expense arising out of a claim that a defect in the design or manufacture of the product caused personal injury or damage to property. However, suppliers are not always completely responsible for the design or validation of the components they provide, but rather can be directed by the carmaker to either model or test the component according to the carmaker’s predetermined specifications. Thus, the parties may have a shared financial burden of failure and need to negotiate the consequences at project inception. The process of assigning responsibility and managing indemnification often involves a team of resources that do not contribute to the carmakers’ underlying business function of making people mobile.

This relationship is likely to evolve as the importance of the car’s electronic control unit (ECU) grows ever more critical as the brain center for programming features that ultimately determine how the car responds. Even now, validating software code – a function paramount in detecting errors – is less defined as compared with hardware. How the validation process will evolve under all possible control scenarios is extremely difficult to imagine. But one change in the process is becoming clear: As the software algorithms become more integral to the success and failure of autonomous vehicles, carmakers have started to keep a tight rein on the integration of software and hardware. As willing as carmakers may be to absolve consumers of the responsibility for accidents that stem from the fault of their technology, they are unlikely to extend a similar courtesy to their suppliers. And why should they if the cause of the accident can be traced to a supplier’s defective sensor or software?

Nevertheless, untangling the web of responsibility can be a distraction from the business focus and could become an impediment to progress. What is a relatively well-established practice in other fields for passing the liability down the supply chain to the source of the failure is likely to become much more complicated and nuanced in the realm of autonomous vehicles as cars become increasingly dependent on an integration of sophisticated technologies.

Likewise, the ways in which risk is shared under product liability are likely to be increasingly difficult to manage. In an autonomous world, the insurance program would ideally be structured such that suppliers not only have skin in the game but also have a more transparent line of sight to the cost they are contributing to the potential liability. The question the industry needs to ask is: Is there a better way to share the cost of risk among the carmaker and its suppliers reflecting the shifted responsibility?

Enter a SPLASh pool

One option is to create an insurance pool for each autonomous carmaker. Under a Supplier Product Liability Autonomous Share (SPLASh) pool, the carmaker would assume all the product liability risk for accidents stemming from the autonomous technology and cede the risk to the SPLASh pool. To be viable, all suppliers – or “swimmers” – along with the carmaker would need to participate in the pool, which would operate as a funding vehicle for the risk. Each year, the pool would be funded commensurate with the expected losses, and losses would be paid directly from the fund, eliminating the manufacturer’s role of managing indemnification from the suppliers.

Like more traditional risk pools used by a range of organizations from public entities that share their law enforcement exposure to a group of hospital systems that manage their professional liability risk, a SPLASh pool would also have a management function, presumably overseen by the manufacturer, as well as various insurance-type functions from actuaries, to calculate the premium and reserves; claims handlers (internal or outsourced) to pay and manage claims; and lawyers to interpret coverage, among others. In this way, autonomous technology may be paving a new road but with the experience and insight of well-traveled insurance professionals who understand the different approaches to managing risk.

Funding would reflect the supplier’s risk profile with low risk suppliers like those that provide cameras for parallel parking – the minnows of the pool – paying less than high risk “whale” suppliers such as a software developer. The pool can be structured according to frequency and severity of risk. Such an arrangement could consist of all pool members participating in a structure where more frequent, low-severity claims are grouped (Fund A) separately from less frequent, high-severity claims (Fund B), both meeting risk transfer.

Each fund would have per occurrence loss limits and require member contributions based on actuarial projections, perhaps at first based on fault rates from engineering systems output, until credible loss data develop. Various features such as aggregate limits, loss ratio caps, overflow between funds and member assessments can be used to tailor the insurance coverage with a clear desired outcome – to motivate innovators to develop quality products.

The arrangement builds in a high level of transparency as suppliers with bad loss performance would be required to contribute more to Fund B than others. Moreover, consistently poor swimmers could be replaced by suppliers with better performance.

This concept blends well with the current warranty programs offered by car manufacturers. Like those programs offered today, dealers provide details of new and used warranty programs available to the consumer, covering defects in material or workmanship for 48 months or 50,000 miles, whichever comes first, for example. The carmaker would budget a certain amount of costs toward warranty replacement and then track the records and claims to more accurately predict future replacement costs as well as pinpoint components that are failing, assuming that the problem can be isolated. If costs are higher than expected (outside of the normal failure rate), the manufacturer can push further costs to the supplier at the source or remove them from the assembly line altogether.

Buckle up

A SPLASh pool can pave the way to managing carmakers’ risk in the future. The product liability exposure from autonomous vehicles shouldn’t be a roadblock to the increased safety and mobility that self-driving cars can bring to millions of people. The insurance industry will need to demonstrate its creativity and foresight in managing risk to keep innovation on the right track.

11 Questions for Ron Goetzel on Wellness

We thank Ron Goetzel, representing Truven Health and Johns Hopkins, for posting on Insurance Thought Leadership a rebuttal to our viral November posting, “Workplace Wellness Shows No Savings.” Paradoxically, while he conceived and produced the posting, we are happy to publicize it for him. If you’ve heard that song before, think Mike Dukakis’s tank ride during his disastrous 1988 presidential campaign.

Goetzel’s rebuttal, “The Value of Workplace Wellness Programs,” raises at least 11 questions that he has been declining to answer. We hope he will respond here on ITL. And, of course, we are happy to answer any specific questions he would ask us, as we think we are already doing in the case of the point he raises about wellness-sensitive medical events. (We offer, for the third time, to have a straight-up debate and hope that he reconsiders his previous refusals.)


(1)    How can you say you are not familiar with measuring wellness-sensitive medical events (WSMEs), like heart attacks? Your exact words are: “What are these events? Where have they been published? Who has peer-reviewed them?” Didn’t you yourself just review an article on that very topic, a study that we ourselves had hyperlinked as an example of peer-reviewed WSMEs in the exact article of ours that you are rebutting now? WSMEs are the events that should decline because of a wellness program. Example: If you institute a wellness program aimed at avoiding heart attacks, you’d measure the change in the number of heart attacks across your population as a “plausibility test” to see if the program worked, just like you’d measure the impact of a campaign to avoid teenage pregnancies by observing the change in the rate of teenage pregnancies. We’re not sure why you think that simple concept of testing plausibility using WSMEs needs peer review. Indeed, we don’t know how else one would measure impact of either program, which is why the esteemed Validation Institute recognizes only that methodology. (In any event, you did already review WSMEs in your own article.) We certainly concur with your related view that randomized controlled trials are impractical in workplace settings (and can’t blame you for avoiding them, given that your colleague Michael O’Donnell’s journal published a meta-analysis showing RCTs have negative ROIs).

(2)    How do you reconcile your role as Highmark’s consultant for the notoriously humiliating, unpopular and counterproductive Penn State wellness program with your current position that employees need to be treated with “respect and dignity”? Exactly what about Penn State’s required monthly testicle check and $1,200 fine on female employees for not disclosing their pregnancy plans respected the dignity of employees?

(3)    Which of your programs adhere to U.S. Preventive Services Task Force (USPSTF) screening guidelines and intervals that you now claim to embrace? Once again, we cite the Penn State example, because it is in the public domain — almost nothing about that program was USPSTF-compliant, starting with the aforementioned testicle checks.

(4)    Your posting mentions “peer review” nine times. If peer review is so important to wellness true believers, how come none of your colleagues editing the three wellness promotional journals (JOEM, AJPM and AJHP) has ever asked either of us to peer-review a single article, despite the fact that we’ve amply demonstrated our prowess at peer review by exposing two dozen fraudulent claims on They Said What?, including exposés of four companies represented on your Koop Award committee (Staywell, Mercer, Milliman and Wellsteps) along with three fraudulent claims in Koop Award-winning programs?

(5)    Perhaps the most popular slide used in support of wellness-industry ROI actually shows the reverse — that motivation, rather than the wellness programs themselves, drives the health spending differential between participants and non-participants. How do we know that? Because on that Eastman Chemical-Health Fitness Corp. slide (reproduced below), significant savings accrued and were counted for 2005 – the year before the wellness program was implemented. Now you say 2005 was “unfortunately mislabeled” on that slide. Unless this mislabeling was an act of God, please use the active voice: Who mislabeled this slide for five years; where is the person’s apology; and why didn’t any of the analytical luminaries on your committee disclose this mislabeling even after they knew it was mislabeled? The problem was noted in both Surviving Workplace Wellness and the trade-bestselling, award-winning Why Nobody Believes the Numbers, which we know you’ve read because you copied pages from it before Wiley & Sons demanded you stop? Was it because HFC sponsors your committee, or was it because Koop Committee members lack the basic error identification skills taught in courses on outcomes analysis that no committee member has ever passed?


(6)    Why doesn’t anyone on the Koop Committee notice any of these “unfortunate mislabelings” until several years after we point out that they are in plain view?

(7)    Why is it that every time HFC admits lying, the penalty that you assess — as president of the Koop Award Committee — is to anoint their programs as “best practices” in health promotion? (See Eastman Chemical and Nebraska in the list below.) Doesn’t that send a signal that Dr. Koop might have objected to?

(8)    Whenever HFC publishes lengthy press releases announcing that its customers received the “prestigious” Koop Award, it always forgets to mention that it sponsors the awards. With your post’s emphasis on “the spirit of full disclosure” and “transparency,” why haven’t you insisted HFC disclose that it finances the award (sort of like when Nero used to win the Olympics because he ran them)?

(9)    Speaking of “best practices” and Koop Award winners, HFC’s admitted lies about saving the lives of 514 cancer victims in its award-winning Nebraska program are technically a violation of the state’s anti-fraud statute, because HFC accepted state money and then misrepresented outcomes. Which is it: Is HFC a best practice, or should it be prosecuted for fraud?

(10)    RAND Corp.’s wellness guru Soeren Mattke, who also disputes wellness ROIs, has observed that every time one of the wellness industry’s unsupportable claims gets disproven, wellness defenders say they didn’t really mean it, and they really meant something else altogether. Isn’t this exactly what you are doing here, with the “mislabeled” slide, with your sudden epiphany about following USPSTF guidelines and respecting employee dignity and with your new position that ROI doesn’t matter any more, now that most ROI claims have been invalidated?

(11)    Why are you still quoting Katherine Baicker’s five-year-old meta-analysis claiming 3.27-to-1 savings from wellness in (roughly) 16-year-old studies, even though you must be fully aware that she herself has repeatedly disowned it and now says: “There are very few studies that have reliable data on the costs and benefits”? We have offered to compliment wellness defenders for telling the truth in every instance in which they acknowledge all her backpedaling whenever they cite her study. We look forward to being able to compliment you on truthfulness when you admit this. This offer, if you accept it, is an improvement over our current Groundhog Day-type cycle where you cite her study, we point out that she’s walked it back four times, and you somehow never notice her recantations and then continue to cite the meta-analysis as though it’s beyond reproach.

To end on a positive note, while we see many differences between your words and your deeds, let us give you the benefit of the doubt and assume you mean what you say and not what you do. In that case, we invite you to join us in writing an open letter to Penn State, the Business Roundtable, Honeywell, Highmark and every other organization (including Vik Khanna’s wife’s employer) that forces employees to choose between forfeiting large sums of money and maintaining their dignity and privacy. We could collectively advise them to do exactly what you now say: Instead of playing doctor with “pry, poke, prod and punish” programs, we would encourage employers to adhere to USPSTF screening guidelines and frequencies and otherwise stay out of employees’ personal medical affairs unless they ask for help, because overdoctoring produces neither positive ROIs nor even healthier employers. And we need to emphasize that it’s OK if there is no ROI because ROI doesn’t matter.

As a gesture to mend fences, we will offer a 50% discount to all Koop Committee members for the Critical Outcomes Report Analysis course and certification, which is also recognized by the Validation Institute. This course will help your committee members learn how to avoid the embarrassing mistakes they consistently otherwise make and (assuming you institute conflict-of-interest rules as well to require disclosure of sponsorships) ensure that worthy candidates win your awards.

The Wellness Industry Pleads the Fifth

The wellness industry’s latest string of stumbles and misdeeds is on the verge of overwhelming the cloud’s capacity to keep track of them.

First, as readers of my column may recall, is the C. Everett Koop Award Committee’s refusal to rescind Health Fitness Corp.’s (HFC’s) award even after HFC admitted having lied about saving the lives of 514 cancer victims. (As luck would have it, the “victims” never had cancer in the first place.) Curiously, HFC’s customers have won an amazing number of these Koop awards, which are given for “population health promotion and improvement programs.” Why so many, you might ask? Is HFC that good? Well, HFC is not just a winner of the Koop Award. HFC is also a major sponsor. Perhaps it was an oversight that HFC omitted this detail from its announcement that both Koop Awards were won by its customers for 2012.

Second, the American Heart Association (AHA) recently announced its guidelines for workplace screenings. They call for much more screening than the U.S. Preventive Services Task Force does. As it happens, the AHA guidelines were co-written by a senior executive from Staywell, a screening vendor. Not just any vendor, but one that had already been caught making up outcomes.

Third, although the American Journal of Health Promotion published a meta-analysis that showed a degree of integrity rare for the wellness industry, it then hedged the conclusion. The analysis showed that high-quality studies on wellness outcomes demonstrated “a negative ROI in randomly controlled trials.” But the journal then added that invalid studies (generally comparing active, motivated participants to non-motivated non-participants) showed a positive return. The journal said that if you averaged the results of the invalid and the valid studies you got an ROI greater than break-even. However, the averaging logic leading to that conclusion is a bit like “averaging” Ptolemy and Copernicus to conclude that the earth revolves halfway around the sun.

How does the wellness industry respond to criticisms like these three? It doesn’t. The industry basically pleads the Fifth.

The industry knows better than to draw attention to itself when it doesn’t control the agenda. The players know a response creates a news cycle, which they will lose — and that absent a news cycle no one other than people like you are going to read my columns and notice these misdeeds.

One co-author of the AHA guidelines wrote to my Surviving Workplace Wellness co-author, Vik Khanna, and said the AHA would respond to our “accusation” but apparently thought better of it when the lay media didn’t pick up the original story. (As a sidebar, I replied that saying a screening vendor was writing the screening policy was an “observation,” not an “accusation,” and recommended the editors check www.dictionary.com to see the difference.)

Similarly, in the past, I have made accusations and observations about the wellness industry both in this column and on the Health Care Blog…and gotten no response. So to make things extra easy for these folks, I dispensed with statements that needed to be rebutted. Instead, I asked some simple questions. I said I would publish companies’ responses, which would create a great marketing opportunity for them…if, indeed, their responses appealed to readers.

I posted the questions on a new website called www.theysaidwhat.net. I got only one response, from the Vitality Group. The other wellness companies allowed the questions to stand on their own, on that site.

To ferret out responses, I then did something that has probably never been done before: I offered wellness companies a bribe…to tell the truth. I said I’d pay them $1,000 to simply answer the questions I posted about their public materials, which would take about 15 minutes. (If someone makes me that offer, I ask, “Where do I sign?” but I’m not a wellness vendor.)

Here’s how easy the questions are: Recall from a previous ITL posting that Wellsteps has an ROI model on its website that says it saves $1,358.85 per employee, adjusted for inflation, by 2019 no matter what you input into the model as assumptions for obesity, smoking and spending on healthcare. The company claims this $1,358.85 savings is based on “every ROI study ever published.” Compiling all those citations would require time, so I merely asked the company to name one little ROI study that supports this $1,358.85 figure. Silence.

I asked similar questions (which you can view on the click-throughs) to Aetna, Castlight, Cigna, Healthstat, Keas (which wins style points for the most creative way to misreport survey data), Pharos, Propeller Health, ShapeUp, US Corporate Wellness and Wellnet, as well as their enablers and validators, Mercer and Milliman. Propeller and Healthstat responded — but didn’t actually answer the questions. Healthstat seems to say that rules of real math don’t apply to it because it prefers its own rules of math. Propeller – having released the completely mystifying interim results of a study long before it was completed – said it looks forward to the study’s completion and didn’t even acknowledge that questions were asked.

In all fairness, one medical home vendor sent a response expressing a seemingly genuine desire to understand or clarify issues with its outcomes figures and to possibly improve their validity (if, indeed, they are invalid). As a result, I am not adding the vendor to this site; the idea is not to highlight honest and well-intentioned vendors. (The company would like its name undisclosed for now, but if anyone wants to contact it, just send me an email, and I will pass it along to the company for response.)

Likewise, there are good guys – Towers Watson and Redbrick, despite their high profiles, managed to stay off the list by keeping their hands clean (or at least washing them right before inspection). Allone, owned by Blue Cross of Northeastern Pennsylvania, even had its outcomes validated and indemnified. I will announce more validated and indemnified vendors in a followup posting.

As for the others, well, I am not saying that their historic and continuing strategy of pleading the Fifth when asked to explain themselves means that they know their statements are wrong. Nor am I saying that they are liars, idiots or anything of the sort. Something like that would be an “accusation.” Instead, I am merely making an “observation.”

It isn’t even my observation. It is credited to Confucius: “A man who makes a mistake and does not correct it, is committing another mistake.”