Insight, analysis & opinion from Joe Paduda


Research Roundup

In which I attempt to describe the top takeaways from the latest research and what it may mean for you.

Work comp pharmacy 

WCRI’s latest report on Interstate variations on Dispensing of Opioids is available; free for members, nominal cost for non-members.

  • The volume of opioids dispensed to work comp patients decreased “substantially” in many of the 27 states studied.
  • 17 states saw average MED reductions greater than 30%.
  • BUT – problems persist as MEDs are highest in Delaware and Louisiana, where MEDs per patient are 3 times greater than the median.
  • There’s been a decrease in the percentage of patients prescribed an opioid, with strong evidence that non-opioid medications have been substituted.

Key takeaway

Using your data to highlight problematic states – and regions within states – is critical to understand what’s driving opioid usage among your patients.  The industry has done a great job reducing opioid usage but can make a LOT more progress by figuring out the commonalities among chronic opioid consumers.

NCCI’s just released a report on the impact of formularies on work comp pharmacy, comparing what happened in Arizona and Tennessee after implementation of a closed formulary to similar states that didn’t adopt a formulary. Note the research was based on data from mid-2017.

Findings included:

  • “N” drug utilization dropped more in the two states than in comparable control states
  • The volume of opioid scripts wasn’t affected by Tennessee’s formulary implementation however it appears that there was a decrease in longer acting and likely more potent varieties.
  • Compounds dropped dramatically in TN compared to similar states

Key takeaway  

Opioids have been the biggest driver of formularies; this report’s finding that in these states there was little change in the patients prescribed opioids is revealing.

I’m not a fan of binary formularies; they are the bluntest of instruments. While they may serve an initial good: they reduce the use of drugs that are usually inappropriately prescribed, they are not disease-state and/or patient-specific. Sure, Y/N formularies are easy to use; so’s a bone saw and ether.

We’ve moved beyond bone saws and ether, and need to do the same with formularies.


More thought-provoking work from NCCI focuses on the impact of enhanced vehicle safety systems and workers comp. Quotes of interest include:

  • NCCI data shows that driving-related classifications account for approximately 25% of all WC payroll and about 50% of WC premium.
  • a forward collision warning system coupled with autobrake can reduce front-to-rear crashes with injuries by 56%
  • a 25% to 75% reduction in the frequency of claims related to MVAs [motor vehicle accidents] could yield an annual WC system savings of between $1 billion and $4 billion.

Key takeaways

With all the talk about autonomous vehicles, we may have missed out on a bigger and nearer-term sea change. Mostly-autonomous vehicles won’t likely be common for some time, but many of today’s car models come with lane-following, collision warning, autobrake and other accident-avoidance technology. 

We need to understand the impact of these “interim” technologies on MVAs and associated claims.

Who costs what?

New research from the Kaiser Family Foundation shows who we should be focusing on helping. Just 1.3% of patients rack up almost 1/5th of all medical costs; 5 percent of patients account for half of all costs.


  • people with persistently high spending (over the three years) spend 40% more on outpatient services than folks who are high spenders for just one year.
  • persistent high spenders spent a lot on drugs – as in 8 times more than one-year high spenders
  • it appears the one-year high spenders were trauma or other one-time issue patients, as they spent a lot more than persistent high-spender on inpatient services.

Key takeaway – the chronic patients cost the most over the long term – and are also likely to have the most modifiable health conditions.


Crisis management 101

Timing is everything.

Taken together, two seemingly-unrelated things that hit my inbox this morning – CorVel’s quarterly results and the daily alert from Harvard Business Review – provide perspective on how to handle a crisis.

Readers of MCM will recall that I reported last week that CorVel suffered some sort of internet/connectivity problem that arose on Sunday, July 21. It apparently took down much of the company’s customer-facing connections. Subsequently I reported the issue may have been a ransomware attack involving the Ryuk worm. Others followed:

From’s Lonce Lamont’s piece on July 27 (last Friday):

[an anonymous informant stated that] “CorVel management said the Ryuk virus was caught before it was active.  It was found during system upgrades.   But this management story has not made sense, because in that case of the virus being caught before going active, the IT technicians should have just been able to remove it.   However, the CorVel professionals seem to be completely replacing servers, so that indicates they were locked out.”

While I have heard from several internal and external sources, despite several attempts to contact CorVel I have not heard directly from the company. Further, CorVel has not, with the exception of today’s earnings release, released a public statement. I have heard from several CorVel customers that Corvel’s CEO and other personnel contacted customers directly to discuss the issue. Kudos to Corvel for doing this promptly. As of Friday, these customers were told things should be back up today.

Here’s what CorVel said in today’s earnings release:

After the end of the quarter, the Company discovered a security incident which impacted online systems and forced the Company to take those affected systems offline for a period of time. The Company discovered the threat in the early stages of the security incident which allowed for immediate initiation of their incident response plan and aided in the containment and eradication of the threat. Systems were largely offline for the week of July 22nd and at the time of this release [Tue July 30, 2019 6:15 AM] the Company’s systems are incrementally coming back online.

[Side note – sources indicate as of last night scheduling and billing for some ancillary services were back on line; certain bill review functions were not. Suffice it to say that each customer will have been affected differently.]

Which brings me to the HBR piece authored by former Defense Secretary Ash Carter entitled “Managing High Stakes Situations; 5 Lessons from the Pentagon”.

The top Lesson from Secretary Carter was this:

Say something: Feed the beast with whatever you know for sure. The “beast” is the natural demand by news media and others for more facts when there is an appearance of danger or wrong. Leaders facing a crisis need to speak and act quickly even when they don’t know all the facts — it’s part of the job. If you stay silent, you leave a void that may be filled by statements from people who may be well-meaning but ill-informed, or, worse, from rivals or adversaries.

Carter went on to say:

While you must say something, stick to the facts you can verify, however scanty they may be. Don’t speculate or offer guesses that may turn out to be incorrect later… list the key questions you are investigating — What happened? Who was involved? What causes can be identified? What policies and practices apply to the situation? — and provide any specific, accurate answers that are available at the time.

Here’s where I believe CorVel could have done better.

It is highly likely CorVel leadership knew the cause of the problem very soon after it occurred. If the multiple reports about ransomware are correct, the company should have said so.

Be more clear and transparent about the problem and steps being taken to address it. Replacing servers can be a much bigger task than removing a virus from software/databases/applications; acknowledging this up front would have given CorVel some breathing room if it took a bit longer than expected to get everything back up and running.

Make a public statement. Without one, you lose control of the message and likely can’t get it back. Credibility is critical and once damaged is very difficult to regain. This is especially important in our industry: insurance people are genetically risk-averse and highly risk-conscious. “Skeptical” is too tame a word, “Cynical” is probably more accurate.

If and when I hear from Corvel I will update this post.

What does this mean for you?

From Carter:

The pitfalls are to stonewall, deflect, hedge, or use weasel words. But in war, hairsplitting won’t fly. Nor will it in cases when your brand or business is at stake. By speaking plainly and acting directly, you should be able to emerge with your reputation — and that of your organization — intact, and maybe even improved.



CorVel’s problem may be ransomware

Update on yesterday’s post.

Spoken with several CorVel customers today and late yesterday; all spoke well of CorVel’s response and communications about the systems issue.

Still haven’t’ seen a public statement.

I’ve been told by multiple sources that CorVel’s systems problems appear to be due to the Ryuk ransomware worm; workers in at least two CorVel offices were recently informed of the worm. This worm is linked to attacks on several cities as well, including Stuart FL.

According to CrowdStrike, the worm has been attributed to:

GRIM SPIDER, a sophisticated eCrime group that has been using the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology known as “big game hunting” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

CorVel has been telling customers it hopes to be back up and running Monday (three days from today); on average other Ryuk victims have taken 9 days to recover fully. The company has told customers it discovered the issue early, and this may help reduce the time lag.

In addition to CrowdStrike, companies including Coveware and Malwarebytes advertise services that ostensibly protect systems from Ryuk and other ransomware attacks.

CrowdStrike indicates the worm has been associated with about $3.7 million in ransom payments in recent months; the graph below was developed by Coveware. Please note that there is no indication CorVel has paid or intends to pay the ransom.

Research indicates even those entities that paid the ransomware may have had difficulty restoring files and operations; from Coveware:

Ryuk Ransomware has a low data recovery-success rate after a ransom payment is made. Relative to other types of ransomware, the decryptor tool is very labor intensive and prone to failure.

The worm’s name comes from a character in a Japanese manga novel; he’s not exactly a picture of your kindly uncle…


Multiple independent sources tell me CorVel has suffered some sort of internet outage that has affected its bill review and other services. Sources indicate this is corporate and not limited to a specific office or offices, and evidently began on or about Sunday. Whether this is due to a ransomware attack or other issue is unclear.

Evidently the internal phone system, email, provider lookups, and other services are also down. (as of this posting)

Here’s hoping problems get fixed very soon. A knowledgeable source indicated his/her clients affected by the outage have been informed this will not be resolved “this week.” A receptionist at CorVel said internal phones should be working Monday.

I’ve sent multiple emails and even a tweet to CorVel asking about this, and to date have received no response other than that noted above. In addition, I’ve looked high and low for some sort of public acknowledgement by CorVel of the issue, and haven’t seen anything yet.

(Before you start hurling brickbats, while I’m not exactly a fan of Corvel, I’ve publicly defended the company in the past.

I’m puzzled by the lack of public acknowledgement. When multiple people at AASCIF are aware of the issue, when competitors know about it, and when at least two customers are informed, I don’t see the logic in keeping it quiet.  One could argue that CorVel management doesn’t want to go public about this as it may harm relations with current and prospective customers, or perhaps affect investor views of the company.

That, I would counter-argue, is nonsensical (forgive me for arguing against a self-constructed straw man, but absent any response from CorVel I have no alternative). This is a very small industry, word travels very quickly, and as any PR exec with any experience knows, when bad things happen by FAR the best option is to get out in front of the issue, tell your story, and thus manage the message.

Great ideas on this are here.

Then there’s the issue of Personal Health Information. If this was a hack that resulted in the capture of PHI – and we do NOT know it was or wasn’t – that’s problematic in and of itself.

I know it may be difficult for CorVel to get the message out, but there are cellphones, personal email addresses, and other means of communicating (twitter…).

If you don’t get in front of the problem, competitors will define the issue, its extent and potential impact. Sooner or later reporters will hear about it and it will become public.  And, you may lose credibility with customers and prospects who are/will be relying on you.

For everyone else, this is going to be a big pain in the neck.

Over the near term, patients, adjusters, and case managers involved in any claims affected by communications issues will have work to do. Every day things  go unresolved, issues – and the work to resolve them – compound.

Other work comp services suppliers are going to have to answer even more queries about data security, backup and storage protection, liability insurance and the like. Many may have to buy additional insurance coverage, agree to penalties for problems like this, beef up tech capabilities and expertise, and do whatever else hyper-risk-sensitive buyers can come up with.

As a result, it’s going to be even tougher for smaller service companies to acquire and manage the technology and expertise required by work comp payers. This isn’t good for anyone.

What does this mean for you?

Short-sighted competitors may see it as an advantage, when in reality it’s just going to make their own lives more complicated and the sales cycle even longer and more difficult.

Make damn sure your own web security is robust – and have one of those outside tech firms test your protections on an ongoing basis.

Here’s hoping this has minimal impact on CorVel and its customers, the company is back up and running quickly and completely, and we all learn a lesson from this.


received this from a current CorVel customer; it is from CorVel’s CEO

Dear Customers,

As previously reported, on Sunday July 21, 2019, we discovered a security incident that has impacted our systems and forced us to take some of those systems offline. Our team continues to work around the clock to safely repair and restore the systems impacted. As we learn more and execute recovery plans, a more accurate time frame is becoming clear. At this point, we estimate systems will begin to come back online on Monday July 29th. We are committed to mitigating disruption to the greatest degree possible and our staff is working to maintain business continuity. If you have questions, including how to contact someone at CorVel, please call 844-386-9556 or consult the contact information below.

To report a new claim e-mail, call 800-906-4461 or fax 877-284-2959 To request an indemnity payment or check status of a payment, call 503-795-3138 or e-mail To refill a prescription, call 800-563-8438 or fax 866-688-9048 To request a referral for utilization management fax 866-552-9390If you need to send medical bills, mail to PO Box 6966, Portland, OR 97208

When our systems are back online, we will work nonstop to clear backlogs. Our number one priority is to continue servicing our clients and maintaining the trust and confidence of our customers.  On behalf of the entire CorVel team, we thank you for your patience during this challenging time.

Michael Combs
President and CEO

CorVel Corporation
2010 Main Street
Suite 600
Irvine, CA 92614





What the heck is going on in the Golden State?

For the second year in a row, claim frequency for self-insured employers is up (frequency is the percentage of FTEs that file a work comp claim). Over the two years the total increase in frequency was 12.4% while actual claim counts rose 10.8%.

Meanwhile, over that same period, work comp premiums declined…(also from CWCI); driven mostly by a drop in premiums charged for covered payroll (so this wasn’t due to fewer employees covered by work comp).

What is going on here?

For self-insured employers, it’s not more workers; the number of FTEs marginally increased – and frequency accounts for employee count variation. But, those workers are suffering injuries/illnesses slightly more often.

Insurers’ premiums are driven by payroll, past and projected future claim counts and costs – but also by insurers’ business priorities. With work comp insurance profits remaining high, it is indeed possible that underwriters are ignoring warning signs in their pursuit of market share and more premium dollars.

This has happened before – and it always ends badly.

It’s also theoretically possible the “LA Basin Effect” (cumulative trauma claims inspired by unscrupulous doctors and lawyers in the Los Angeles area) is having a disproportionate effect on self-insured employers. I kind of doubt it, as large employers are more attuned to this type of mischief than smaller, insured employers.

There’s another possible factor affecting premiums that I’m pursuing; too early to dig into it but suffice it to say that it might well offset the premium impact of any frequency increase.

What does this mean for you?

“I am on the verge of mysteries, and…the veil which covers them is getting thinner and thinner.” Louis Pasteur



I apologize.

I screwed up and I apologize.

Here’s what happened.

I failed to explain or provide context in my initial response to an anonymous comment on my post entitled “One Call’s doing great!“.  Here’s the relevant comments:

My initial response to “bill smith”:

“Bill” then sent in a response. I sent an email to the address he provided in the post,; the email bounced back indicating it was a fake email address. I checked the website he listed as his in his initial response; the website is the personal one of an African-American woman; she is dealing with Alzheimer’s. btw Ms Smith is a remarkable woman, handling this awful diagnosis with grace, wit, and elegance.

As “bill” was being disingenuous about who he was, i ignored his response.

Next, he sent in another comment. “bill” was one of several anonymous commenters trolling me (and you), using fake emails and contact info. Getting tired of their antics and disgusted with their cowardice, I responded. The relevant conversation is below.

Here’s where I should have been more clear. I should have posted the actual website address “bill” used in his original post so you, the reader, could see for yourself that what this troll was up to.

In what used to me normal times, this wouldn’t be a big deal as I detailed “bill’s” dishonesty in a subsequent comment.

We aren’t living in “normal” times, and the casual reader may well have interpreted my response as a racist slur. I’m embarrassed by my mistake and apologize for it.

I’ll be more careful in the future. 

As a reminder, here’s my policy on commenters…

This post was triggered by reader D. Gregerson who sent in a comment yesterday about this. I thank D. Gregerson for his comment.

Hey Joe! Great insight as usual. Keep them coming. I do have a question though. As I reviewed the comment section (which has now been closed) I noticed that you replied to someone saying:”unless you are an African American with Alzheimer’s, your website is fake”. Now, one would argue that the statement could be deemed inappropriate and demeaning. Especially considering that the topic at hand was One Call’s financial debacle. Care to expound?


The latest data on opioids in work comp

We’ve just about completed the 16th (!!) Survey of Prescription Drug Management in Workers’ Comp, and there are two key findings you need to know.

First – total opioid spend in 2018 dropped 23.2% across all 27 respondents (ranging from very large TPAs to state funds to insurers to small state-specific payers). The average decrease among respondents was just over 22%.

That dramatic reduction comes on the heels of a 16% reduction from 2016 to 2017, and a 13% decrease in 2016.

From last year’s Survey; each numbered column denotes a respondent’s results (2019 Report will be out in August)

Over the last few years, payers and PBMs have cut the amount of opioids dispensed to work comp patients by more than half.

While cost reductions are good news for employers and taxpayers, when you talk with payers its mostly about patient safety and return to functionality. Patients taking opioids over long periods aren’t getting better, aren’t going back to work, and most (but not all) are not functioning very well. That means they aren’t the parents, friends, daughters or sons, grandmothers or grandfathers they can or want to be.

Second takeaway: payers are anything but satisfied or complacent. All the 27 people I’ve talked with to date remain focused, committed, and completely engaged in continuing to fight the good fight against overuse of opioids. They’ve asked me what other payers are doing, what they can do differently, what works and what doesn’t.

That’s a great relief. One would understand if payers’ focus was shifting to other issues, now that they’re seeing massive progress in the battle over opioid over-prescribing.

With some exceptions, the knottiest problem remains how to help chronic opioid patients find other ways to handle their pain, to help them function at a higher level even with chronic pain. Payers are very creative and dedicate lots of dollars and time to solving chronic opioid usage. This focus will continue to help patients get better, while reducing costs for employers and taxpayers.

I’d be remiss if I didn’t note – once again – that work comp is leading the rest of the world on solving the opioid issue. You knew about it sooner, took drastic action much faster, and are delivering much better results than Medicaid, group health, or Medicare. 

Yeah, the workers’ comp industry is often maligned for its many faults and challenges. But this is one area – and a damn important one – where you’ve got much to be proud of.

What does this mean for you?

Well done. Stay focused. 




“Toxic Stews” and workers’ comp

Flooding and wildfires are causing increased rates of cancer, asthma, and other respiratory ailments among the people exposed. These events are getting larger and more frequent, a reality that will affect the work comp industry.

Notably, we understand a lot more about the long-term health effects of disasters due to tracking the health status of individuals affected by the attack on the World Trade Center. Data indicates higher rates of thyroid and prostate cancer as well as pulmonary fibrosis among those studied.

A well-researched article in the NYTimes this morning shows this is a much bigger issue, citing:

  • raised levels of carcinogenic PCBs from flooding in Puerto Rico,
  • significantly higher rates of asthma from Californians exposed to smoke from wildfires, and
  • sinus problems, skin irritation and respiratory ailments reported by individuals after hurricane Harvey flooded industrial areas around Houston.

Harvey is particularly scary. Research showed benzene, lye, vinyl chloride, butadiene, and dioxin were just a few of the 200+ chemicals and contaminants spread across thousands of acres of residential neighborhoods, parks, playgrounds, schools, and business district by floodwaters.

While the long-term effects are far from certain, what we do know that clean-up crews and construction workers likely face significant exposure risks. I wrote about this a couple years ago; given the growing intensity and frequency of “weather events” driven by climate change, we can expect more in coming years.

What does this mean for you?

Occupational illness/disease claims may well increase significantly over the next few years, an eventuality that most employers, insurers, and actuaries have likely not considered.





Monday morning quick hits; OneCall, WCRI, and a correction/expansion

Too darn busy last week to get my usual 3-5 posts up…things are calming down this week so expect to see posts in your inbox.

Followup on One Call; after the Debtwire article about OCCM debtholders organizing to prepare for a “potential liquidity event and expected covenant violation…” I was inundated with nonsense from anonymous writers accusing me of bias…this continued last week. [reminder – I reserve the right to know who is commenting]

A couple people told me OCCM owner Apax had offered $50 million to OCCM management, who turned it down.

Sorry, that’s just not credible; let’s walk thru the logic here.

  • Private equity firms such as Apax don’t have a pot of money to write checks from. All Apax’ funds are from investors, and Apax has to get investors’ approval before using any of their funds.
  • To do this, A) Apax would have to restructure the entire transaction, giving stock to B) investors who think sending money to a company that will likely be owned by creditors is a great idea.
  • There’s no way OCCM management would “turn down” a cash infusion. As Debtwire reported, “cash flow has been limited by high capex needs as a result of its effort to migrate users under a single system” (Debtwire is referring to Polaris’ development cost).
  • OCCM has a line of credit-type load that, according to Debtwire,

    “had USD 50m drawn at 31 March” out of a total available amount of $56.6 million….so, One Call had only $6.6 million available AND was paying interest on the $50 million it had already borrowed.

    Ergo, if management HAD been offered $50 million in cash, they would’ve been delighted to accept it. For the reasons enumerated above, I very much doubt that offer was made.  If you know otherwise, I’m all ears.

To my critics, reporting facts isn’t “biased”, Debtwire isn’t biased, and neither are financial statements. For non-believers, One Call has to report its second quarter results within 45 days of the end of the quarter. That’s a month from today.

It is possible, if not probable, that the debt investors will see the numbers before mid-August. If the numbers are consistent with Debtwire’s reporting, there may well be a “covenant violation.”

Update – One Call CEO Rone Baldwin provided a financial update this morning; he states:

One Call is in full compliance with all debt covenants for the second quarter of 2019 and expects to be compliant for the remainder of 2019, based on the full-year guidance that it intends to provide to investors in its second quarter conference call.

Will keep you posted.

Want to know how medical prices affect worker outcomes? Then WCRI’s upcoming webinar featuring Bogdan Savych PhD is a must.

Worker mis-classification – the usually-intentional is coming under increasing scrutiny, with the latest moves coming from the Garden State. Gov. Phil Murphy released a report which, according to Business Insurance, indicated “employee misclassification, which has grown 40% over the past decade…in 2018 alone 12,315 workers in New Jersey were misclassified as independent contractors.”

Finally, I heard from several folks about my York-Sedgwick post suggesting that my statement “a highly profitable managed care unit built by former leader Doug Markham” was inaccurate.

Fair point.

In my haste I failed to give credit to the many other people who built that business. Markham led Wellcomp prior to – and after – York’s acquisition of MCMC. The businesses were run separately for a time, then “combined” in a move that resulted in Markham running the new entity entitled CareWorks.

Mike Lindberg and his colleagues at MCMC – acquired by York – built a thriving managed care business that served, and continues to serve, a big list of customers. MCMC was kinda/sorta “combined” with York’s internal managed care entity under Markham when Mike Lindberg departed; I won’t get into the drama that surrounded that move. MCMC was a big chunk, if not the larger piece, of York’s managed care entity.

BJ Dougherty, Lisa Oskoui, Larry Brinton, Steve Junker are some of the professionals whose contributions made MCMC a successful company. (apologies in advance to those folks I failed to name)





With 20+ interviews to date, we are starting to see some patterns in responses.

For those unfamiliar with our annual survey, click here to get access to public versions of the last dozen-plus Survey Reports.

Respondents are the folks in charge of the pharmacy programs at major work comp insurers, TPAs, state funds, and self-insured employers. Drug spend ranges from $200 million plus to $1 million.

Quick takeaways:

  • Spend continues to decrease; haven’t totaled up the numbers yet but my guess is it’s a high-single-digit drop from 2017 to 2018.
      • A big cut in opioid spend is a major contributing factor
  • Transparency is the biggest single issue in work comp pharmacy; respondents aren’t happy with the level of transparency, are frustrated with the lack of clarity around AWP, and want more detail on pricing.
  • That said, respondents generally acknowledge it’s fine for PBMs to make a margin, they just want to make sure that margin is reasonable.
  • Opioids remain perhaps the biggest issue, but many payers have made remarkable progress in reducing both initial and chronic opioid usage.
  • Compounding is seen as all but dead, crushed by aggressive moves by payers, regulators, and legislators.
  • Specialty medications while not yet much of an issue, may well be especially if assumption laws for pubic safety workers gain more acceptance.

There’s a lot more to come; we’ll be wrapping the data collection part of this year’s effort in a few days.  If your organization’s pharmacy program management person  wants to participate – and get a detailed, respondent version of the Survey report, let me know via the comment box below this post…

Joe Paduda is the principal of Health Strategy Associates




A national consulting firm specializing in managed care for workers’ compensation, group health and auto, and health care cost containment. We serve insurers, employers and health care providers.



© Joe Paduda 2019. We encourage links to any material on this page. Fair use excerpts of material written by Joe Paduda may be used with attribution to Joe Paduda, Managed Care Matters.

Note: Some material on this page may be excerpted from other sources. In such cases, copyright is retained by the respective authors of those sources.