A trip to the hospital. Your health, maybe even your life in the hands of caregivers you have little choice but to trust. Assurances come from strict standards and practices that apply to health care facilities and medical laboratories across the US. Much of it involves the recordkeeping that helps doctors, surgeons, pathologists, nurses and therapists quickly access vital information, from procedures to patient test results.

It’s really about trusting that system. Can you?

Or will you be one of an estimated 250,000 people who die in US hospitals from medical errors, more than in any other developed country?

A recent study by Johns Hopkins University suggests preventable mistakes by health care providers are the third leading cause of death in America, right behind heart disease and cancer.1

It also concludes that it’s not about “bad doctors,” but systemic problems; issues that little is being done about.

Now, whistleblowers have come forward with an even more disturbing revelation: software aimed at supporting the system, and used by more than 4,200 hospitals and independent laboratories across the country, may literally have fatal flaws.

MediaLab is an Atlanta-based company founded in 1995 by Dr. Paul Fekete, a pathologist who was then a laboratory director at an Atlanta medical center. He teamed up with Tim Westover, a software architect and programmer. They created a platform to manage the critical data produced in a clinical lab, mainly results of patient blood, urine and other samples doctors used to diagnose and treat.

Their software is now widely used to track compliance with industry standards, provide continuing education and safety training, and maintain a library of policy and procedural information. The website, boasts that more than two million policies and procedures are managed by its compliance software and more than 410,000 lab and healthcare workers rely on it.

Dangerous loopholes

What exactly do these videos show?

All are clearly MediaLab software processes, with an authorized user logging on as they would to perform various tasks, verified as occurring in January 2021.

In one, the user demonstrates the ability, with just a few clicks, to access a complete list of employees and their passwords. They simply need to log out as themselves and log in with the stolen username and password to interact in reports and processes as, say, the hospital administrator.

In a similar procedure, user profiles can be merged, permanently, so that the actions of one user appear to have been done by another. The other user disappears. That includes file review, competency review, test-taking and signing off on nonconforming events. A nonconforming event is anything that violates established policy or procedure, with the potential to affect patient or employee safety, or quality of lab results. The fine print says “Merging users does not delete any records.” But the names on those records will be false.

Hospitals are required to keep up-to-date policies on operating procedures. MediaLab software provides a section for files that can be accessed by employees as needed. But another glitch allows anyone viewing the files to alter them and backdate the ‘effective date’ to anywhere within the previous 30 days. When that user logs in as someone else, such as the medical director who is authorized to make changes, it appears completely legit. The altered document will be immediately accessible to anyone seeking procedural instructions, and they will have no idea the document has been altered.

Altering periodic review records is easy: select a backdate, insert a document, type in a medical director’s name and save the changes. The report is sorted into a chronological list according to the backdate, which is incorrect. But it looks legitimate because the software does not use a real timestamp.

Continuing education and competency testing are also necessary aspects of compliance, and this software assures everyone reaches perfection. Before signing off that they’ve completed a review of a medical procedure, a user has to take a quiz. When an incorrect answer is submitted, a new window opens with the correct answer highlighted. Select “Retake quiz,” select the provided answer, ace the quiz and you are taken to the sign-off document.

The key takeaway here is that the workarounds – backdating, identity theft and quiz cheats – leave no trace. Even if compliance regulators became suspicious, they wouldn’t be able to prove a thing.
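For contrast, here is a sketch of the control whose absence is described above, written as an added example and not MediaLab's code. It keeps the user-claimed effective date separate from a server-recorded timestamp and hash-chains each record, so backdating and later rewrites of who did what become detectable; all names (`AuditLog`, `verify`, `backdated`, the sample users and document id) are hypothetical and the sample records are constructed.

```python
import hashlib, json
from datetime import date, datetime, timezone

def _digest(entry):
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record of document changes."""
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock, self.entries = clock, []

    def append(self, actor, action, doc_id, effective_date):
        entry = {
            "seq": len(self.entries),
            "recorded_at": self._clock().isoformat(),  # server time, never user input
            "actor": actor,                            # authenticated session user
            "action": action,
            "doc_id": doc_id,
            "effective_date": effective_date,          # user-claimed, stored separately
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

def verify(entries):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = "0" * 64
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return None

def backdated(entries):
    """Sequence numbers whose claimed effective date precedes the recorded date."""
    return [e["seq"] for e in entries
            if date.fromisoformat(e["effective_date"])
            < datetime.fromisoformat(e["recorded_at"]).date()]

def demo():
    fixed = datetime(2021, 1, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock
    log = AuditLog(clock=lambda: fixed)
    log.append("tech01", "edit_policy", "SOP-17", "2021-01-20")
    log.append("tech01", "edit_policy", "SOP-17", "2021-01-05")  # backdated entry
    tampered = [dict(e) for e in log.entries]
    tampered[1]["actor"] = "medical_director"  # attribution rewritten after the fact
    return verify(log.entries), backdated(log.entries), verify(tampered)
```

An unkeyed chain only proves integrity if the latest hash is also stored somewhere the application's users cannot write, and it does nothing about actions taken with another user's valid password.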

A flawed standard

MediaLab describes its software as the “industry standard.” Among its users are Boston Medical Center, Moffitt Cancer Center in Tampa, Florida, Cleveland HeartLab and the National Institutes of Health in Bethesda, Maryland.

At Capterra, a website that offers a free ratings forum for digital business tools, MediaLab earns 4.7/5 stars from 289 reviewers, better than most of the nine compliance software programs listed. Most find it user-friendly and the cons minor: a little pricey, but overall, worth it. Odds are, good feedback is going to drive more and more facilities to buy the software, compounding the risk.

According to, pricing for compliance and continuing education software starts at $385 annually per user.

Critical to maintaining the integrity of “the system” is oversight, in this case, the College of American Pathologists (CAP), based in Northfield, Illinois.

Checklists that help laboratories stay current with best practices and advances in medicine, technology and regulatory compliance were developed by the CAP, with input from hundreds of pathologists and lab experts.

MediaLab serves as a vendor for the CAP, with software that allows lab personnel access to the accreditation checklists. There is a financial partnership between the two, with “partnership” distinguishing it from a vendor-customer relationship. No mention of MediaLab is made in the CAP’s annual or financial reports.

Weeks after a request was made for an interview with a knowledgeable CAP representative, Media Relations Senior Manager Catherine Dolf advised she was still looking for information from several departments, as well as someone to interview.

Dolf wrote in an email that the partnership between the CAP and MediaLab is “very limited,” and that they had not received word from any of their accredited laboratories about problems or concerns with the software “as it pertains to accessing CAP checklists.”

She added that the CAP does not have its own compliance or document control system. Also, colleagues in the Washington D.C. office told her that while there are requirements for regulating medical software, the licensing software for their checklists does not come under those regulations.

Not answered was the main question of whether or not the CAP intends to investigate the allegations. That should be of great concern to the CAP, because every time a compliance inspection is conducted, there is the potential for undetectable, false information skewing the results and placing our entire population at risk.

Bad, and not so bad intentions

The suggestion that lab and health care workers would deliberately undermine the integrity of their facility is probably as far-fetched as it sounds. At least, one would hope.

But consider the temptation of being able to cheat the system, especially when healthcare staff are pushed beyond the limit during a pandemic. Workers say that at the end of extremely long shifts, sitting down to study for compliance testing is simply not an option.

What about those arduous compliance checklists that need to be completed before an inspection? Is there room to slack off a bit when it comes to compliance rules?

Busy lab administrators may be tempted to use workarounds to catch up, especially when funding and jobs are on the line. The rationale of serving a higher purpose, of getting the real work done, may be sound and worth the risk.

Of course, there are always those with malicious intent, and it seems easy enough for someone outside of healthcare to access the software and do serious damage.

Developing oversight

Regulating the quality of medical records software may effectively happen through legislation, but it will likely be enacted piecemeal, at the state level, which means it could be a long road to assuring software used nationwide doesn’t have the potential to kill people.

“Ideally, regulation would come at the federal level,” said David Carlucci, a former New York State Senator who introduced proposed legislation in late 2020.

This would put enforcement of violations, and possibly oversight of critical certifications, into a more objective realm and ensure regulatory consistency, because “Quality management software products have no state boundaries.”

The amendment to Senate Bill 9060 provides restrictions for software designed for medical records management. Carlucci said he was made aware of the potential for malpractice and fraud by the whistleblowers, who were alarmed by the software’s flaws.

The bill is pending, and has been in the Rules Committee for months. If approved, it would add a new section that reads, in summary:

“No medical records software or quality software management systems shall permit the altering or backdating of information without established permissions as set forth in this legislation.”

Carlucci is hopeful that, barring federal regulations, the bill will become a template for other states to easily enact protections.

“This isn’t rocket science. There are dubious practices in quality management occurring that simply should not be allowed,” Carlucci said. “Quality management control software is supposed to save lives, not allow untraceable coverups, which is what this software appears to do. What’s most shocking is that these practices appear to be legal, and one of my final bills in the New York senate would have rectified that. This entire industry needs tighter regulation and oversight to protect the unknowing public, and it needs those reforms urgently.”