I didn't know this format was a thing and am so very excited to discover it. I hope you folks enjoy reading horror stories.
I got a job as a Software Engineer in my current company 4.5 years ago; friend-of-a-friend sort of thing. The company had an apparently disastrous piece of software that was their main LOB. They had gone through pretty much every local consulting agency - at least once, on a few occasions they had gone back to one they had already used. It was about 10 years old and consisted of a mix of VB6(!), VB.NET, C#, F# and somehow now Node. At the time tackling a disaster like that sounded fun and I was miserable at a consulting gig. It was a 20k bump but no benefits (health or retirement), but as a single guy 6 months away from paying off his college debt I wasn't worried. I figured I'd dump a few years in then move on.
Three months in, I'm absolutely baffled at what the company does. I was told they handle insurance claims, basically acting as a TPA. (Important detail: I had no idea what a TPA was at the time. It's gonna matter later.) The software does handle claims, but they also have 10 other projects that cover a bunch of random business use cases. Apparently the CEO is a self-described "idea man" and would task the previous developer to 'prototype' his ideas from time to time. The problem was his idea of a prototype was a fully-functional application that he could sell to investors and clients - until he got bored with it and shelved it. This ended up with the company having around a half-dozen actively used products in a half-dozen markets. In addition to the TPA side of the company that was about 50% of revenue, the other half was split over 1) check cashing software, 2) HR/onboarding software, 3) some sort of discount medical visit scam, 4) some sort of MLM scam that the CEO's brother-in-law co-opted him into, 5) a random cannabis and self-help website run by some yoga guru type dude the CEO knew and finally 6) a piece of software that helped churches organize events and donations that took about 50% of any transaction that was run through it as "fees" for our company. Now I could talk about any of those monstrosities at length, but this is already shaping up to be a wall so I'll skip that.
1.5 years later. I've wrangled the mix of VB6, VB.NET, C#, F#, PHP4, PHP5, Perl, ASP.NET WebForms and MVC, SQL Server, Postgres, MySQL still using MyISAM, god knows what other horrors I've forgotten. All of this without version control - just folders copy-pasted over and over on a 10 year old server in the closet that has no redundancy, two failing disks and one PSU out of order. The last guy had started some positive changes: moving everything over to Azure, porting everything related to the claims business into a more modern MVC app. I finished his work. I squashed about a dozen WordPress instances into a single, multi-tenant host. Squashed out all the other languages and databases into just C#, ASP.NET, SQL Server. Ended up reducing the Azure spend by about $2000 a month. Felt good! CEO loved me. COO (my direct manager) loved me. CFO was pleased. All throughout this, I had convinced the COO to cut out all the shady, near-illegal, morally bankrupt garbage we did. No more check cashing (awful, awful industry), no more MLM of any sort, no more stealing money from churches (we kept that going, just changed our fees to a nominal amount). All the work I had done led to a decrease in onboarding time from 2-3 days to 10 minutes and the TPA side of things was now about 85% of our revenue. Happy ending, right? Just you wait...
Somehow, I had not encountered a single brilliant "CEO Idea" for 1.5 years. He decided to fix that on one delightful summer day in the Midwest by announcing that we would be acquiring a healthcare startup that a buddy of his ran. Now this pissed most of the folks at the company off and is probably a good point to talk a little about the structure of said company. As mentioned, we had a CEO, COO, CFO, and "Chief of Sales" (never heard of a COS myself, but who knows). We didn't call ourselves a startup and had none of that Bay-style of startupness; we were just a small business with some investors. After the C's we had myself as the lone engineer, two sales guys, three admin-types and six or so customer service folks. None of which had healthcare or retirement benefits, mind you. So there was a bit of rancor when Mr. CEO started talking about dropping $5 mil to acquire this fancy new healthcare company. Somehow me, Mr. Software Engineer, ended up being the guy that needed to take this head-on (well, to be fair, the COO and I had a great relationship). That's a tale in and of itself, but at the end of the day we ended up getting a 6% matching 401k and $500/$1000 single/family monthly reimbursement for health insurance, stopped 3-4 people from quitting, got me a whole lot of respect in the office and a fancy new title of "Chief Technical Officer" (not related to the benefits; CEO was just happy at how efficient I'd made everything) and 20k base salary increase. CTO at a company with 1 engineer. Neat. Happy ending, right? Just you wait...
We also got a brand new healthcare startup for about $2.5 mil in cash, $2.5 mil in stock. We got sheisted and it was our fault. While I'm no MBA, I know what due diligence is, and I intended to do it from the technical angle while our CFO handled it from the financial. Before we bought the company I made every effort to actually review what their software looked like, but was single-handedly blocked by my own CEO. "We're never going to do that, Throwaway," he would say, "Other CEO is my friend! I've known him for twenty years and if he says his software is solid, it is! Just trust me." Diligence took about three months and despite dozens of arguments, I was denied any access to anything technical. All I ever got was: "Our software is in Node using MongoDB and is hosted in the cloud." Great. I was never even allowed to meet or speak to their development team (apparently 5 engineers, all of which were phenomenal). The only human being I ever spoke to at this company was the CEO. So I tried other angles, the big one being: what the hell does your software actually do? Their big claim to fame was 'modernizing concierge medicine using AI'. If you're like me and have no idea what concierge medicine is, it basically means your doctor comes to you because you're a rich yuppie and can't be bothered to leave your beach house to visit him. How do you enhance that using AI? I had no idea. Still don't. And so we bought the company with zero diligence done, though the CFO did say their books looked good, whatever that means. So the nightmare begins...
2 years in. We start onboarding people, I start onboarding the project itself. I am finally given direct developer contacts, which are a bunch of emails that don't end in the same domain as the company we just bought? Pardon? They're all @BobsRandomConsultingCompany. I reach out, explaining who I am, that we just acquired Project X and I need access to the code, environment, engineers - the whole nine. I get a very lovely, professional response from a Project Manager over at Bob's who lets me know that they will be sending over a contract so we can get started right away, along with their rate sheet! I'm baffled! I thought Project X had 5 internal engineers, Mr. Other CEO?! At this point I promptly aged 6 months in 6 minutes and I felt the first twinge of an ulcer growing.
Contract arrives, I sit down with COO and CFO and explain that we have been duped. COO is angry; CFO is not concerned until I show him the contract that Bob's sent over. The contract ye olde healthcare startup signed apparently agrees to pay for 5 fixed resources (at $200/hr!) for 40 hours of work each, per week, for a period of a year. Now I'm not unfamiliar with being outsourced as a resource, from a consulting company, for a fixed amount per week - but never have I seen a contract that binds you for a year, especially for 5 resources, with not one deliverable mentioned anywhere. Maybe my five years of consulting wasn't enough, but that blew my mind. Additionally, they sent us the server bills (AWS) and informed us we paid directly for utilization in addition to a "HIPAA Monitoring and Compliance Fee" of $3000/mo. As I had not a year ago lowered our own cloud costs to about $800/mo, this number struck me as staggering. $3000/mo base + around $2000 for the servers currently running. Also, "what the fuck is HIPAA" I said aloud, the only answer being the two confused shaking heads of my COO and CFO. Uh-oh...
Segue. The actual Project Manager of the acquired company (not the one from Bob's Hair Care IT Consulting Nail and Tire Salon) has moved in and I've finally got a victim to victimize with my many, many questions. She already looks harrowed before I begin my interrogation. Are people actually using this? How much do we make per visit? Visits per month? I forget the answers to these, but the end takeaway was: we bring in about $10k/mo net right now. I'm no accountant, but I'm fairly confident you can't pay the expenses of a company + a half dozen employees on $10k/mo. PM agrees - they've burnt through about $7 mil of investor cash over their 6 years of existence. No path to profitability is in sight.
Around the same time I've got the Project X repository (whew, at least they used source control) moved over into my world and have started reviewing the actual source. I'm no Node wizard, but I'm immediately confused as I see both Express and Hapi (two server frameworks, generally considered competition to one another) used in the same project. That's...odd. Investigation intensifies: it's a simple CRUD project that takes a form submission from a registered user, saves it in Mongo and slaps it into a queue for delivery to the given doctor's email. That's really it. There's some back-end admin that allows the doctor to write some notes about their visit. Like a little baby EMR (though I had no idea what an EMR was at that time). Amusingly, it's got an Angular front-end (1.x, because why not spread salt on my wounds) that hits an Express endpoint that then proxies the call to a Hapi endpoint. For no reason. I can't find a single comment or piece of documentation explaining why. Icing on the cake? There is in fact authentication used from Angular -> Express. The Hapi endpoints, however, are wide open - but surely not from the ELB, right? Certainly it's just an idiotic architectural decision that isn't actually exposed to the public? Nope. There's a rule in the ELB. Sweet Baby Ray's someone help me, there is a publicly accessible, completely open API that anyone could discover that gives away patient and doctor information. Huh, I wonder if the US has any sort of regulation on that kind of stuff? I should really take some time to investigate that HIPAA thing I found earlier, maybe that's got something to do with it...
Employment duration: unknown. My ulcer has had a baby. I think I may have had a psychotic break. I Googled HIPAA. I simultaneously shat and pissed myself, which I didn't think was possible during a panic attack, but the human body is an amazing thing. I took Thursday and Monday off from work to read through a PDF I found of this most enlightening "HIPAA" legislation. It says "SAMPLE" or "UNOFFICIAL" or some such on it, so I'm not sure how accurate it is, but whatever - I need to educate myself somehow. I spent a thrilling four days reading, re-reading, and summarizing what I understood of the several hundred page document - printed in three-column layout because why not make it more abysmal. It doesn't seem completely dire; it looks like there is some stuff we need to do if we are storing this mythical PHI, but it isn't terribly complex (at least technically!). I had already been planning encrypting everything we own, and all of our sites are already behind SSL, so this should be cake. Phew! Calm down, baby-ulcer, don't think about grand-kids quite yet. Also I found a few great summaries of the Act which I could share with my COO - but really, we need to sit down with Legal and have them explain why this was never brought up. And let's be honest, I'm not a lawyer - the professionals can handle this!
Legal has never heard of HIPAA. That's not good. I convince COO to ask Legal to reach out to a different Legal who specializes in healthcare. We sit down with them a few days later and our new Legal turns white after I lay out everything we do, our concerns, and the simple question: "Do we need to do any of this stuff I read about?" Turns out, having your CTO read a complex, many-hundred-pages legal document is not the best way to get accurate legal advice. We're fucked. We're a TPA filing insurance claims - we absolutely, 100% must comply with this Act. Oh and guess what? The Act has a delightful addition called an Omnibus, passed back in '13, that makes any possible defense we might have had to not comply...completely null and void. We're in what is called 'Breach'! We have fucked up. Royally and legally. Icing? We're all personally liable, at least to the letter of the law. But don't worry - we didn't know we fucked up, so the fees are an order of magnitude less. They'll only bankrupt the company 5 times over, instead of 10! Hurray!
Will echo other comments and say that I enjoyed this post.
IANAL, however, in all seriousness...
I think you should talk to a personal lawyer about your situation ASAP, especially now that you posted this publicly. HIPAA is not to be trifled with and now you've shared that you have knowledge of a breach. You've also provided enough detail in this post that (if found and traced back to you) could be used as proof that you were knowingly complicit in breaking the law.
You want to retire early? I would not be messing around in a company that skirts the law. All this work could be for naught. You are high enough up that you have a decent chance of getting caught in the inevitable downfall of this company.
Seconded, hard. You can't spend that $165K a year when you're staring down the barrel of willful HIPAA violations. Leave the company as soon as humanly possible. Leave and hope that the blowback from the inevitable disclosure--which won't be from your company--is happy enough eating the executive team that remains. And get a personal lawyer who understands HIPAA and explore avenues for whistleblowing; turning over on that company might be important for personal survival.
The story exceeds my suspension of disbelief. What in particular jumps out at me is the backwards details - nobody off the street knows what "TPA" means, sure, but everybody who's ever gone to see a doctor knows what HIPAA is, even if they think it's called "HIPPA".
I think you are rather over-estimating the degree to which people read those standard forms: it’s akin to expecting everyone to read the full text on the “Are you sure?” dialog before clicking OK.
I don't know if I read the forms, but so what? Many if not most people don't do their own taxes, but they know generally what the IRS is and what it does.
I worked at a networking hardware startup outside Silicon Valley many years ago (during the first dotcom boom). It was run by two people, father and son, with no technical experience -- one previously ran a garbage collection company, as I recall, and the other was a sales guy -- and shortly after I started, I learned that the antics of them and their cronies had caused the entire engineering staff to have over 100% turnover in less than a year. Not only was no one left at the company who had originally had anything to do with the product's design, there was no one left at the company who had worked with anyone who originally had anything to do with the product's design. During the barely two years I worked there, the company had a system architect who talked about "making the code more flamboyant" and eventually fled the country for legal reasons, had a cold war between that architect and another executive in which the former was (badly) installing spyware on the latter's laptop, had the CEO earnestly tell us about how a former engineer had put, quote, "death code" into the system that the CEO had found and removed himself (this is, again, a man with no programming experience and the former engineer worked on the system-level C code; if he'd put "death code" in there, the CEO would not have been able to find it); on and on and on.
tl;dr: small tech companies run by completely non-technical people may not always be shit shows, but when they are shit shows, the shit can be pretty unbelievable.
Maybe it's bull. But it has the ring of truth to it, to me, and I've worked for a few healthcare startups. A lot of developers think of themselves as "just developers" and a lot of people are brutally incurious about the world until it hits them in the face.
Work at a hospital and in the orientation the first speech is given by the head of compliance who goes over what executives have gone to jail, why, and all the underlings that have been fired for seemingly innocuous HIPAA or PHI violations (looking at a friend's chart, posting on social media, etc).
The money sounds nice but OP could probably make the same at somewhere more reputable with less a chance of feds walking in and taking everything.
>You can't spend that $165K a year when you're staring down the barrel of willful HIPAA violations.
It's much harder for the government to take back your $165k after you've spent it all. Sure they'll garnish your wages but they'll do that either way so you may as well live a little in the meantime.
HIPAA is absolutely to be trifled with. Look up who is actually fined and face actual consequences from HIPAA violations. It is 99.99% big universities, hospitals, and insurance companies. Everyone else gets (at most) a slap on the wrist and has to promise not to do it again. Once in a while they’ll fine a small family practitioner $25k for not shredding papers properly but it’s a total joke.
HIPAA Compliance Services are something for consultants to sell so business owners can sleep at night. It’s like Lisa’s magic rock on the Simpsons that keeps tigers away. Does it work? I don’t see any tigers around here do you?
Seconded. I’m a physician that got so pissed off at how a practice was repeatedly and willfully violating HIPAA that I risked my standing in the local physician community and reported them.
I was basically told by the case manager, or whatever they call themselves, to fuck off.
Preach it. Reported my own psychiatrist for having a bunch of highly sensitive "followup" forms asking about medication, emotional state, etc. (and including patient name, address, other PII) on the practice website that transferred data over plaintext to a shared hosting server running PHP5 in debug mode that had been hacked by an automated script and was redirecting people on first visit from a fresh IP to a "Congrats! You're our 1000000th visitor" spam site. Haven't heard from OCR in over a year.
When I worked at an MSP, we supported a small dermatologist's office. Everyone had personal computer accounts but everyone had a password of '1234' so...yeah.
Agreed. The organization would likely get fined for a breach, not the engineer. I work a senior IT role in Healthcare and I've seen what breaches look like. I've never even heard of someone going to prison, let alone for what this story tells.
Yeah to go to prison you have to really screw up, in a way that is malicious and willful. Though the CEO driving over to his MLM buddy with a thumbdrive of PHI might do it.
Personally, I wouldn't stake my future on hoping the government doesn't notice what my hypothetical law-breaking company is doing. Or that my law-breaking unethical CEO won't lie and try to throw me under the bus if/when the company eventually gets caught.
I'll restate that I recommend OP talk to a knowledgeable lawyer to get an informed assessment of what kind of risks he/she is undertaking.
I understand the difference between odds and risk. The risk is high (assuming you use the harshest possible penalties) but the odds are infinitesimally long.
Google and find who has actually faced penalties from HIPAA violations and what those penalties were. How many serious fines/prison sentences have been handed down? Who was at fault? Were they random no-name startups?
That was hilarious, the 2nd half was better than the first! You’ve had an amazing lesson in running businesses, you’d now make an excellent CEO, much better than the one you work for, having done some of his job. All I can say is they didn’t pay you enough money for the amount of stress you went through!
That may be so. But when it comes to consuming information on a subject I prefer my sources to be those who know what the acronym stands for which makes mis-spelling it a near impossibility.
Knowing what something is in the abstract versus knowing it intimately is a huge difference and if you don't know how to spell the acronym you've pretty much outed yourself as someone who is not familiar with the details at a level that would allow for a constructive discussion.
It would be like talking to someone about cars who spells BMW as WBM and Porsche as Porche and then to have a discussion about the relative merits of each. Of course it is just form, not function but I would highly discount the opinion of someone who would not be able to spell the names over someone who can, chances are the former hasn't driven one and might not even be of legal driving age.
Ok, but I've never come close to working on healthcare software but I've run up against HIPAA numerous times because partners, customers, suppliers, customers of customers, are in that space. So the idea that your company can buy a full-on healthcare software business but you and your legal people have never heard of it is pretty hard to swallow.
I agree, but my point was that it wasn't the buffoonish CEO that the quote was attributed to, but the HN poster who's bragging about his talent, wealth, and illegal activities.
but he sat down with everyone involved right, and nobody knew what it was. That does sound a little fishy, under the circumstances it's a little like sitting down with a pair of nice old ladies who've been poisoning people and hearing "Arsenic? What's that?!?"
This has to be one of the most impressive war stories I've ever read. Thanks for writing this all out!
But as others have said, you need to get yourself out of that company ASAP and hire your own lawyer to figure out what your own potential liabilities are. I'm not in the US and am not familiar with the details of HIPAA, but just based on what you've written I really don't think it's a good idea to stick around a place like that particularly given you know exactly what's going on. Even if you don't end up with any liabilities/troubles from what has transpired to date, it seems inevitable that something will happen eventually that will end spectacularly badly for everyone involved.
I understand the money is good, but I would seriously recommend finding another employer with a bit more knowledge of and respect for the law.
That's an amazing story. My father has his own experiences with a CEO who has a habit of screwing up, but it's not nearly as entertaining as yours.
CTO at 29 with that salary in the Midwest? That's rather amazing. You should be proud of what you accomplished. Do you still have that ulcer, or was that just a joke?
Let me just add that people like you are BEST OF THE BEST to hire.
That's what I want to hear during an interview, not the "bubble sort on a whiteboard".
If a person has been through THIS - gosh, I want you to work for our company.
PS. no, not because my company is a mess too, don't go that way :)
PPS. I do see this is a throwaway profile, but if by any chance you're checking back to read the replies - let us know if you're available for hire (remote). Contact us (see profile). Long shot, I know...
I've worked for Fortune 500 and even Fortune 50 companies that acquired tech companies with no due diligence (usually in a panic) and I've had to clean up the mess. And the acquired folks usually leave in exactly a year and one day, after vesting.
And, even in 2019, I've gotten calls to clean up messes from people that have hired a software developer (for a company whose business isn't software) who doesn't use source control. Amazing!
One of my first jobs as a teenager was not software related, but basically just accounting support. A mid-size retail chain had acquired another retailer and needed help going over the books. This was in the 90s and I was basically typing stuff in an Excel sheet and getting a sum. Last day on the job I gave them the bottom-line number of something (revenue?) and my manager looked at it and said it seemed way off. Whatever, I'm done for the summer. Few weeks later there's a story that the company they acquired had lied about their value by a large margin and it was enough to put them out of business forever. Close all their stores and liquidated. I know it was not my fault at all, but I like to think it was my Excel sheet that destroyed them.
Fortune 500/50 companies should be able to absorb the cost, no? If you have a lot of money, you can afford to make mistakes as long as the expected value (of many acquisitions) is positive in the long run.
I’m not sure what the point of this comment was, so apologies if I’ve assumed incorrectly.
Maybe that's their logic, but a little due diligence can go a long way.
For example, one of the founders of one of the companies lied about his Stanford MBA Degree in his CV. He didn't have one. The company did not fire him. I lost a great deal of respect for the company after this.
Well that was a fun read. I have some background working on an EHR and yes, HIPAA is taken very seriously. Hope the "divine intervention" you mentioned doesn't come from having shared this story.
Why are you still there? You could easily leverage your accomplishments to get another job. With your experience you could probably be an overpriced consultant.
This post should make many people on HN feel confident that they can run a company that does millions in revenue. As long as you aren't doing favors for family and buddies, you too can run a small tech business and make millions.
This is actually pretty sad. HIPAA is not something a company should take lightly. It would be like a private company having no audit logs or encryption while running a government contract, but 50x worse.
Working in healthcare myself, I urge anyone who's ever contemplated or has the opportunity to work in a healthcare related company to take a few days to really digest and understand not only HIPAA, but its purpose and its consequences. You can go to jail just for being part of a company that does not properly take care of patient data.
This, right here is the problem with our industry.
Someone has a brain wave and asks a [set of] hardworking engineer(s) to 'make it happen yesterday'. Engineers toil away and bring out something useful by making all possible hacks since yesterday has already passed.
Early engineers get frustrated and leave only to be replaced with some more hardworking engineers who now have to clean up the mess, keep the lights on _and_ implement the next brain wave that the idea man came up with.
The problem is, a lot of 'thinkers' are becoming entrepreneurs - most of them have no idea about the complexities or intricacies of software or those who wrote code so long ago that they largely worked on monoliths and have absolutely no idea how complex systems work together 'in the cloud'.
We need more 'builders' (engineers) as entrepreneurs. It'll invariably lead to people working on more sensible, real world problems that need real solutions - since, hopefully, builders would know what it takes to build out something and won't waste resources on frivolous and ill thought out ideas.
Thank you for sharing this. This is, by far, one of the best comments I have read in a while. I am wondering though. What made you stick around ? Money doesn't necessarily seem to be the motivation here to me.
What a story. The part that surprised me the most was "Legal has never heard of HIPAA." HIPAA is major legislation (almost as influential as a Constitutional amendment) and has tentacles in every field, so how is it possible that an attorney (even an incompetent one) has never heard of it? I would never trust legal advice from an attorney who hasn't heard of HIPAA.
I love how the story goes through everything that should not be done, from blind investment to breaches and personal information leak (in a thumb-drive!!).
Thanks for sharing. Between your salary, stock options, 8% matching 401k, and being in the Midwest you can probably accomplish FIRE even faster than by age 40.
HIPAA is lovely in that it is worded strongly enough to get your coworkers to stop writing their password on a Post-It stuck to their computer. Fabulous read!
I got a job as a Software Engineer in my current company 4.5 years ago; friend-of-a-friend sort of thing. The company had an apparently disastrous piece of software that was their main LOB. They had gone through pretty much every local consulting agency - at least once, on a few occasions they had gone back to one they had already used. It was about 10 years old and consisted of a mix of VB6(!), VB.NET, C#, F# and somehow now Node. At the time tackling a disaster like that sounded fun and I was miserable at a consulting gig. It was a 20k bump but no benefits (health or retirement), but as a single guy 6 months away from paying off his college debt I wasn't worried. I figured I'd dump a few years in then move on.
Three months in, I'm absolutely baffled at what the company does. I was told they handle insurance claims, basically acting as a TPA. (Important detail: I had no idea what a TPA was at the time. It's gonna matter later.) The software does handle claims, but they also have 10 other projects that cover a bunch of random business use cases. Apparently the CEO is a self-described "idea man" and would task the previous developer to 'prototype' his ideas from time to time. The problem was his idea of a prototype was a fully-functional application that he could sell to investors and clients - until he got bored with it and shelved it. This ended up with the company having around a half-dozen actively used products in a half-dozen markets. In addition to the TPA side of the company that was about 50% of revenue, the other half was split over 1) check cashing software, 2) HR/onboarding software, 3) some sort if discount medical visit scam, 4) some sort of MLM scam that the CEO's brother-in-law co-opted him into, 5) a random cannabis and self-help website run by some yoga guru type dude the CEO knew and finally 6) a piece of software that let helped churches organize events and donations that took about 50% of any transaction that was run through it as "fees" for our company. Now I could talk about any of those monstrosities at length, but this is already shaping up to be a wall so I'll skip that.
1.5 years later. I've wrangled the mix of VB6, VB.NET, C#, F#, PHP4, PHP5, PERL, ASP.NET WebForms and MVC, SQL Server, Postgres, MySQL still using MyISAM, god knows what other horrors I've forgotten. All of this without version control - just folders copy-pasted over and over on a 10 year old server in the closet that has no redundancy, two failing disks and one PSU out of order. The last guy had started some positive changes: moving everything over to Azure, porting everything related to the claims business into a more modern MVC app. I finished his work. I squashed about a dozen Wordpress instances into a single, multi-tenant host. Squashed out all the other languages and databases into just C#, ASP.NET, SQL Server. Ended up reducing the Azure spend by about $2000 a month. Felt good! CEO loved me. COO (my direct manager) loved me. CFO was pleased. All throughout this, I had convinced the COO to cut out all the shady, near-illegal, morally bankrupt garbage we did. No more check cashing (awful, awful industry), no more MLM of any sort, no more stealing money from churches (we kept that going, just changed our fees to a nominal amount). All the work I had done lead to a decrease in onboarding time from 2-3 days to 10 minutes and the TPA side of things was now about 85% of our revenue. Happy ending, right? Just you wait...
Somehow, I had not encountered a single brilliant "CEO Idea" for 1.5 years. He decided to fix that on one delightful summer day in the mid-west by announcing that we would be acquiring a healthcare startup that a buddy of his ran. Now this pissed most of the folks at the company off and is probably a good point to talk a little about the structure of said company. As mentioned, we had a CEO, COO, CFO, and "Chief of Sales" (never heard of a COS myself, but who knows). We didn't call ourselves a startup and had none of that Bay-style of startupness; we were just a small business with some investors. After the C's we had myself as the lone engineer, two sales guys, three admin-types and six or so customer service folks. None of which had healthcare or retirement benefits, mind you. So there was a bit of rancor when Mr. CEO started talking about dropping $5 mil to acquire this fancy new healthcare company. Somehow I, Mr. Software Engineer, ended up being the guy that needed to take this head-on (well, to be fair, the COO and I had a great relationship). That's a tale in and of itself, but at the end of the day we ended up getting a 6% matching 401k and $500/$1000 single/family monthly reimbursement for health insurance, stopped 3-4 people from quitting, got me a whole lot of respect in the office and a fancy new title of "Chief Technical Officer" (not related to the benefits; CEO was just happy at how efficient I'd made everything) and a 20k base salary increase. CTO at a company with 1 engineer. Neat. Happy ending, right? Just you wait...
We also got a brand new healthcare startup for about $2.5 mil in cash, $2.5 mil in stock. We got sheisted and it was our fault. While I'm no MBA, I know what due diligence is, and I intended to do it from the technical angle while our CFO handled it from the financial. Before we bought the company I made every effort to actually review what their software looked like, but was single-handedly blocked by my own CEO. "We're never going to do that, Throwaway," he would say, "Other CEO is my friend! I've known him for twenty years and if he says his software is solid, it is! Just trust me." Diligence took about three months and despite dozens of arguments, I was denied any access to anything technical. All I ever got was: "Our software is in Node using MongoDB and is hosted in the cloud." Great. I was never even allowed to meet or speak to their development team (apparently 5 engineers, all of which were phenomenal). The only human being I ever spoke to at this company was the CEO. So I tried other angles, the big one being: what the hell does your software actually do? Their big claim to fame was 'modernizing concierge medicine using AI'. If you're like me and have no idea what concierge medicine is, it basically means your doctor comes to you because you're a rich yuppie and can't be bothered to leave your beach house to visit him. How do you enhance that using AI? I had no idea. Still don't. And so we bought the company with zero diligence done, though the CFO did say their books looked good, whatever that means. So the nightmare begins...
2 years in. We start onboarding people, I start onboarding the project itself. I am finally given direct developer contacts, which are a bunch of emails that don't end in the same domain as the company we just bought? Pardon? They're all @BobsRandomConsultingCompany. I reach out, explaining who I am, that we just acquired Project X and I need access to the code, environment, engineers - the whole nine. I get a very lovely, professional response from a Project Manager over at Bob's who lets me know that they will be sending over a contract so we can get started right away, along with their rate sheet! I'm baffled! I thought Project X had 5 internal engineers, Mr. Other CEO?! At this point I promptly aged 6 months in 6 minutes and I felt the first twinge of an ulcer growing.
Contract arrives, I sit down with COO and CFO and explain that we have been duped. COO is angry; CFO is not concerned until I show him the contract that Bob's sent over. The contract ye olde healthcare startup signed apparently agrees to pay for 5 fixed resources (at $200/hr!) for 40 hours of work each, per week, for a period of a year. Now I'm not unfamiliar with being outsourced as a resource, from a consulting company, for a fixed amount per week - but never have I seen a contract that binds you for a year, especially for 5 resources, with not one deliverable mentioned anywhere. Maybe my five years of consulting wasn't enough, but that blew my mind. Additionally, they sent us the server bills (AWS) and informed us we paid directly for utilization in addition to a "HIPAA Monitoring and Compliance Fee" of $3000/mo. As I had not a year ago lowered our own cloud costs to about $800/mo, this number struck me as staggering. $3000/mo base + around $2000 for the servers currently running. Also, "what the fuck is HIPAA" I said aloud, the only answer being the two confused shaking heads of my COO and CFO. Uh-oh...
Segue. The actual Project Manager of the acquired company (not the one from Bob's Hair Care IT Consulting Nail and Tire Salon) has moved in and I've finally got a victim to victimize with my many, many questions. She already looks harrowed before I begin my interrogation. Are people actually using this? How much do we make per visit? Visits per month? I forget the answers to these, but the end takeaway was: we bring in about $10k/mo net right now. I'm no accountant, but I'm fairly confident you can't pay the expenses of a company + a half dozen employees on $10k/mo. PM agrees - they've burnt through about $7 mil of investor cash over their 6 years of existence. No path to profitability is in sight.
Around the same time I've got the Project X repository (whew, at least they used source control) moved over into my world and have started reviewing the actual source. I'm no Node wizard, but I'm immediately confused as I see both Express and Hapi (two server frameworks, generally considered competition to one another) used in the same project. That's...odd. Investigation intensifies: it's a simple CRUD project that takes a form submission from a registered user, saves it in Mongo and slaps it into a queue for delivery to the given doctor's email. That's really it. There's some back-end admin that allows the doctor to write some notes about their visit. Like a little baby EMR (though I had no idea what an EMR was at that time). Amusingly, it's got an Angular front-end (1.x, because why not spread salt on my wounds) that hits an Express endpoint that then proxies the call to a Hapi endpoint. For no reason. I can't find a single comment or piece of documentation explaining why. Icing on the cake? There is in fact authentication used from Angular -> Express. The Hapi endpoints, however, are wide open - but surely not from the ELB, right? Certainly it's just an idiotic architectural decision that isn't actually exposed to the public? Nope. There's a rule in the ELB. Sweet Baby Ray's someone help me, there is a publicly accessible, completely open API that anyone could discover that gives away patient and doctor information. Huh, I wonder if the US has any sort of regulation on that kind of stuff? I should really take some time to investigate that HIPAA thing I found earlier, maybe that's got something to do with it...
Employment duration: unknown. My ulcer has had a baby. I think I may have had a psychotic break. I Googled HIPAA. I simultaneously shat and pissed myself, which I didn't think was possible during a panic attack, but the human body is an amazing thing. I took Thursday and Monday off from work to read through a PDF I found of this most enlightening "HIPAA" legislation. It says "SAMPLE" or "UNOFFICIAL" or some such on it, so I'm not sure how accurate it is, but whatever - I need to educate myself somehow. I spent a thrilling four days reading, re-reading, and summarizing what I understood of the several hundred page document - printed in three-column layout because why not make it more abysmal. It doesn't seem completely dire; it looks like there is some stuff we need to do if we are storing this mythical PHI, but it isn't terribly complex (at least technically!). I had already been planning on encrypting everything we own, and all of our sites are already behind SSL, so this should be cake. Phew! Calm down, baby-ulcer, don't think about grand-kids quite yet. Also I found a few great summaries of the Act which I could share with my COO - but really, we need to sit down with Legal and have them explain why this was never brought up. And let's be honest, I'm not a lawyer - the professionals can handle this!
Legal has never heard of HIPAA. That's not good. I convince COO to ask Legal to reach out to a different Legal who specializes in healthcare. We sit down with them a few days later and our new Legal turns white after I lay out everything we do, our concerns, and the simple question: "Do we need to do any of this stuff I read about?" Turns out, having your CTO read a complex, many-hundred-page legal document is not the best way to get accurate legal advice. We're fucked. We're a TPA filing insurance claims - we absolutely, 100% must comply with this Act. Oh and guess what? The Act has a delightful addition called an Omnibus, passed back in '13, that makes any possible defense we might have had to not comply...completely null and void. We're in what is called 'Breach'! We have fucked up. Royally and legally. Icing? We're all personally liable, at least to the letter of the law. But don't worry - we didn't know we fucked up, so the fees are an order of magnitude less. They'll only bankrupt the company 5 times over, instead of 10! Hurray!