In December, VA was just days away from giving access to veteran MVP genomic data without completing a due diligence review of a Russian affiliated company.

Then Under Secretary David J. Shulkin, MD, immediately terminated the deal after it was exposed on DisabledVeterans.org. VA says no veteran data was shared prior to the termination.

Since then, December 20, 2016, I have been fighting with VA over a FOIA request to confirm VA’s side of the story. Today, I received a copy of the original termination letter signed by Shulkin after initially receiving a “no records” block and tackle response in March.

I wanted to share this story immediately with the hope that it will create interest on Capitol Hill to reform VA’s research partner protocol because it shows just how close VA was to giving away our genomic data from the MVP genomic program to a Russian affiliated company.

Think your data is safe? Do you even know who has access to your data other than VA?

If you think you know, you better keep reading. If you have no idea, you better keep reading.

A Little Background And The Russian Connection

This story counts as a “two points for the little guy” for doing the 10 minutes of Google background research multiple high-level officials within VA were unable or unwilling to do to protect access to the Million Veteran Program (MVP) and its genomic data.

Not only was the CEO of Flow Health Inc a serial problem child with his startups, but his company had a Russian sister company (interpreted by Google Translator as “Hals Flow” or “Flow Hales” depending on the listing) working behind the scenes that I exposed in January.

According to a job listing on Google’s Indeed, the Flow Health partner “Flow Hales” promised, “All employees are offered a stake in Flow Health, Inc., our American partner.” This jobs posting and numerous others like it listed the job location as Moscow, Russia.

Online, the names of numerous Flow Health stakeholders appear Russian, since 2014, which may be an indication that the Russian hiring initiative through the Russian partner was a success.

This past January, CEO Alex Meshkin later admitted his intent, which was to sell access to the data after Flow Health synthesized it within his company servers.

Yes, you are reading that correctly. Russian software programmers, possibly some of the same programs linked to the election scandal, were being recruited to work for Flow Health. And, those same programmers hired at the time (starting in 2014) would have ownership of the same company that was supposed to have access to your MVP genomic data.

It is worth noting the deal was originally inked October 28, 2016, but it was set to go into effect in late January after Trump was inaugurated.

According to Politico, in February, Flow Health hired Avenue Strategies, a lobbying firm owned by Corey Lewandowksi, to help lobby VA on this issue. Avenue Strategies just hired Mike Rubino, a former Trump advisor and campaign leader. Rubino was not offered a job in the administration.

RELATED: Flow Health Lobbying Filing By Avenue Strategies

According to a disclosure filing, Rubino and Barry Bennett, another Trump advisor, were hired by Flow Health to lobby VA on “Health care data policy; Department of Veterans Affairs Cooperative Research and Development Agreement”.

Have you called your Congressman or Senator yet? Do you think your data is safe from these profiteers?

RELATED: Flow Health Lays Out Sketch Profit Plan For Veteran Genomic Data

Had the deal gone through in December, very valuable and potentially dangerous genomic data would have been sold to the highest bidder by Flow Health, at least access to it, wherever in the world that bidder might be.

Let’s not forget that genomic data of soldiers or veterans can be used to create targeted biological or chemical weapons.

Of course, after flaws with the deal were exposed by me, VA canceled the deal and was quick to assert no veteran data was handed over prior to the cancellation. But in so doing, VA also admitted the agency failed to conduct proper due diligence review.

According to a VA spokesperson:

Entering into such an agreement with any company requires additional research, consultation with medical and privacy experts and appropriate, senior-level signoffs to make sure the use of the data comports with the letter and spirit of applicable regulations and policies while also protecting Veterans’ sensitive data. That was not fully done in this instance. (emphasis added)

Scared yet? Wondering who else may have our data? Me too.

RELATED: VA Admits Due Diligence Failure In Flow Health Deal

Flow Health Inc – MVP Genomic Data #FAIL

Today, VA finally verified problems with the shady deal it had with Flow Health Inc, which the agency canceled in writing after I exposed the nature of the problems, here.

In a letter signed by then Under Secretary for Health David Shulkin, MD, the now VA Secretary canceled an agreement that would have allowed an apparent US shell company (the San Francisco address appears to be a front… or a UPS box) with a Russian sister company access to veteran genomic data in the Million Veteran Program (MVP).

I wrote about Flow Health and the agreement it had with VA on December 20, 2016.

RELATED: AI Firm Flow Health Run By ‘Hall Of Shame’ Former NASCAR Owner

After publication, VA immediately canceled the agreement via the letter below. For the past three months, I have sought this letter (linked at bottom), and VA repeatedly said the communication did not exist.

For some context, here is the sequence of events leading up to this point.

Alex Meshkin, CEO of Flow Health Inc, received an agreement with VA to access MVP data at no cost. Meshkin intended to sell access to the data after it was synthesized by his company. This was October 28, 2016.

I caught wind of the deal and investigated Meshkin. That investigation revealed numerous flopped business deals, a curious lawsuit against two of his former companies, referred to as “Nutzz and Bang” by the judge (Nutzz.com and Bang Racing), direct familial connections with Iran, and a sister company in Russia.

Below is the short list of Meshkin’s serial flops I found in a few minutes of searching on Google (Remember, VA admitted it failed to conduct a due diligence review of the company prior to entering into the agreement.).

Flow Health CEO Serial Flops

A review of his serial failures includes a chronic inability to anticipate market realities while spending investors’ money. The company list includes:

SurfBuzz.com – a now defunct website idea focused on paying website surfers fake money they can use to bid on real products like Porsches. The company reportedly closed after Meshkin and his brother ran out of the $3.5 million in seed money. That experience earned SurfBuzz.com a place in a “dot coms to dot bombs” list published in 2000. “The online auction site informed its customers that it ‘will no longer be operational nor continue to exist’, after burning through its cash .”(emphasis added)

.”(emphasis added) Bang Racing – a now defunct Toyota NASCAR truck racing team where the self-proclaimed “whiz kid” raised $15 million to run a race team that later flopped after Meshkin reportedly stopped paying his employees and vendors . His performance as owner earned him a spot on the “Hall Of Shame” list of NASCAR owners.

. His performance as owner earned him a spot on the “Hall Of Shame” list of NASCAR owners. Nutzz.com – a now defunct website development company that was paid over $1 million to build a NASCAR membership website. Investors recalled their contribution after becoming concerned Meshkin would not deliver . The matter was resolved in arbitration.

. The matter was resolved in arbitration. Bopaboo – a now defunct software company focused on selling used MP3’s. The recording industry did not respond well and forced the company to change its business model. Meshkin later acknowledged the flaw in the firm’s economic model .

. GroupMD – a company dubbed the Facebook of health care communications. It focused on turning your health care communications and related records between you and a doctor into a supposed secure version of Facebook .

. Flow Health Inc – basically GroupMD with a new name. On LinkedIn, Meshkin described the company as, “Flow Health is building the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from 22 million people.” And by people, he means veterans. The entire business model is dependent on access and reselling processed genomic data that belongs to veterans.

Now, remember, as of last week, VA asserted no records existed related to the agreement or the cancellation of the agreement.

My immediate response to the “no records” answer from VA was:

Flow Health boasted it was about to access 22 million health records. VA Public Affairs acknowledged the agreement and that is was canceled. Are you telling me VHA has no record of the confirmed agreement or its cancellation?

Initially, of course, the FOIA officer’s reply was basically, paraphrased, ‘Yes, we have no record of this.’

What you will note in the agreement cancellation I received this morning is that it was signed by Secretary David Shulkin when he was at VHA.

So, there should be no question VHA had a copy of this somewhere, meaning the FOIA officer in question was either being lazy or trying to obfuscate public scrutiny. My guess is a combination of both.

When you read VA Public Affairs’ response as to the cancellation on December 29, 2016, it becomes clear this Flow Health deal is an embarrassment to VA, and the agency likely did not want anyone to know more about what happened.

According to a VA spokesperson:

On December 20, the Department of Veterans Affairs terminated a Cooperative Research and Development Agreement with Flow Health Inc., a San Francisco-based company. We took this action after it was determined that the agreement, which involves genomic data from the Million Veteran Program (MVP), may violate regulations, VA policy, and VA’s longstanding commitment to our Veterans to protect their data. (emphasis added)

It is important to note that no Veteran data were shared nor compromised.

Entering into such an agreement with any company requires additional research, consultation with medical and privacy experts and appropriate, senior-level signoffs to make sure the use of the data comports with the letter and spirit of applicable regulations and policies while also protecting Veterans’ sensitive data. That was not fully done in this instance. (emphasis added)

Launched in 2011, MVP – with more than 500,000 volunteer participants – is the largest genomic database of its kind in the world. Participants donate blood from which DNA is extracted. MVP will accelerate our understanding of disease detection, progression, prevention and treatment by combining this genomic data with rich clinical and environmental data. MVP will allow the nation’s top researchers to perform the most cutting-edge science to treat some of the nation’s most troubling diseases – not just among Veterans, but those that impact individuals worldwide.

VA Termination Letter From Then Under Secretary David Shulkin, MD

And here is the answer we were waiting for from VA on the Flow Health – Alex Meshkin deal since December 2016:

Dear Mr. Meshkin:

Pursuant to Article 10.3 of the Cooperative Research and Development Agreement (CRADA) executed on October 28, 2016, between the Department of Veterans Affairs (VA) and Flow Health for the project titled, “Build a Medical Knowledge Graph with Deep Learning to Inform Medical Decision-Making and Identify Evidence to Prevent Disease Onset, Make Previously Unrecognized Diagnoses, and Personalize Treatment,” VA hereby terminates the agreement effective immediately.

VA is terminating the CRADA for the reasons outlined below:

– The scope of the technical tasks, milestones, and deliverables as described in the Statement of Work lack the necessary detail for the Veterans Health Administration (VHA) to determine whether they are technically feasible or whether they can be accomplished while complying with existing VA policy covering privacy and data security.

– The scope of work proposed in the CRADA to provide personalized clinical recommendations using health and genomic data, analyzed with proprietary machine learning techniques, is sufficiently novel and untested as to constitute research rather than clinical development. The CRADA omits mention of any of the necessary policies governing conduct of research in VA including, but not limited to, the Common Rule, the Privacy Act of 1974, and the Health Insurance Portability and Accountability Act, (HIPAA). It is not possible to tell whether the work, involving the receipt of identifiable data, could be conducted in compliance with these policies.

– The CRADA directs VA to provide access to Flow Health through Web services and other interfaces to extract data from a wide variety of data sources, including research data collected under consent such as the Million Veteran Program (MVP). MVP data can only be accessed in accordance with VHA Office of Research and Development policies and procedures and as permitted by the subjects’ informed consent document and HIPAA authorization through specific policies and processes for access to the MVP data as published in its Privacy Impact Statement and in accordance with the MVP Certificate of Confidentiality. MVP participants are not consented for the return of clinical information as outlined in the CRADA.

Sincerely,

David J. Shulkin LaVerne H. Council

So, that about wraps it up for Flow Health, but more concerning is what VA intends to do in order to prevent unlawful access to our data by other companies.

I can only assume Flow Health is not the only firm to realize VA is weak on how it conducts evaluations of agreements like this one.

What kind of investigation or reforms should VA be performing that it is likely not doing despite being exposed in this embarrassing manner by a journalist using Google for 10 minutes?

Flow Health Termination Confirmation Document

[documentcloud url=”https://www.documentcloud.org/documents/3540113-170407-Flow-Health-Termination-Letter.html” responsive=true]