Posts tagged: wake

Swedish battery startup Northvolt secured a $5 billion debt deal earlier this week, paving the way for the expansion of its first gigafactory as Europe seeks to solidify its home-grown battery manufacturing base.

Northvolt is hoping to become a rare success story in the industry: a battery manufacturing startup that survives. If the company manages to deliver on its plans, it’ll catapult itself and the continent into the top ranks of battery producers.

It’s not an easy path. Outside of China, none of the major battery producers are startups; they’re either spinoffs or subsidiaries of existing industrial juggernauts. Even China’s leading battery companies, CATL and BYD, are related to existing manufacturers, and all of them have benefited from generous state subsidies and industrial policies.

Northvolt’s $5 billion loan won’t be enough to guarantee success, but it should be enough to help ramp up its production to a targeted 60 gigawatt hours, enough for over 1 million Volkswagen ID.3s, Europe’s best-selling, non-Tesla EV. The company said it has offtake contracts totaling over $55 billion with automakers, including BMW, Volkswagen, Volvo and Scania.

Over 300 gigafactories will make tomorrow’s EVs. We mapped them all

The new loan includes the refinancing of an existing $1.6 billion debt facility from 2020. Northvolt said the debt package was provided by the European Investment Bank and the Nordic Investment Bank. JPMorgan Chase, Citigroup, and BNP Paribas also provided a portion of the financing, the Wall Street Journal reported.

Northvolt is also building factories in Germany and Montreal, the latter of which is meant to attract production tax credits in the U.S., offered by the Inflation Reduction Act (IRA).

The U.S. battery industry has surged in the wake of the IRA, and a new “battery belt” has sprung up, stretching from Michigan to Georgia, drawing nearly $100 billion in investments from automakers and battery manufacturers. But despite the wave of investment, the U.S. lacks a homegrown battery manufacturer like Europe has in Northvolt.

That might turn out to be no problem at all given the U.S.’s strong relations with Japan, home to Panasonic, and South Korea, home to LG Energy Solution, SK On and Samsung SDI. Still, the States’ lack of a domestic anchor is notable.

There are likely a few reasons why there is no equivalent of Northvolt in the U.S. For one, when the electric vehicle sector was emerging, the U.S. was under the Trump administration, which was too busy trying to get out of the non-binding Paris Agreement to recognize the tectonic shift that was occurring. The Trump administration talked a lot about bringing steel and coal back, but it didn’t have many conversations about sectors with growth potential. Semiconductor manufacturing is a notable exception, though most of the Trump administration’s policy revolved around blocking Chinese access to leading edge technology rather than boosting domestic capacity.

Another reason might be the long hangover resulting from the bankruptcy and eventual sale of one-time battery pioneer, A123 Systems, to China.

A123 was a darling of the clean tech era. Founded in 2001, the company was built on a new battery technology known as lithium-iron-phosphate, or LFP. Cells made with LFP were heavier, but could also store more power, and were safer than existing lithium-cobalt-oxide cells. Even today, LFP is safer and cheaper than the leading chemistries, nickel-manganese-cobalt and nickel-cobalt-manganese-aluminum.

The startup labored for years, building a customer base and partnering with manufacturers to get its cells to market. Then, in August 2009, on the back of a deal with GM to supply batteries for the forthcoming Volt plug-in hybrid, A123 received a $249 million grant from the federal government and $125 million from Michigan to build a plant near Detroit.

The money was transformative and gave the company a chance to compete with Korean manufacturers, which were already dominant in the industry. A123 raced to develop a supply chain while building a factory to make batteries on a scale never before attempted in the U.S.

The company got close, but stumbled. A series of mishaps, headlined by a Fisker Karma that lost power while Consumer Reports was testing it, set the startup on the path toward bankruptcy. Johnson Controls tried to buy the company out of receivership in 2012 but lost the bid by $5 million to Wanxiang, a Chinese auto parts giant.

Since then, battery startups founded in the U.S. have focused on pieces of the supply chain, mostly by developing innovative anode, cathode and electrolyte materials. Given the supply chain and scaling woes that A123 encountered, it has been a sensible approach.

But from an industrial policy perspective, it makes sense for the U.S. to champion a domestic company that produces entire cells and packs, similar to the approach Europe has taken with Northvolt. Japanese and Korean companies have been stable and committed partners that have pledged tens of billions of dollars in investment in U.S. manufacturing. But they’re also subject to the priorities of their home countries. Both Japan and Korea have been hedging their battery bets by promoting hydrogen in an attempt to break free from Chinese supply chain dominance.

The U.S. is already building the foundations of a stable battery supply chain supported by domestic or free trade-accessible partners, and it has a wealth of innovative and scalable battery materials companies. It’s just missing one piece of the puzzle: final manufacturing, a piece that’s all the more obvious in the wake of Northvolt’s most recent deal.

The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country.

But it should also serve as a wake-up call for countries everywhere, including the U.K. where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.

As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks — it’s a $500 billion juggernaut, and the 11th largest company globally by revenue. But in the U.K., UnitedHealth is practically unknown, mostly because it’s not had much business across the pond — until six months ago.

After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, via an affiliate called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.

There’s nothing to suggest that U.K. patient data is at risk here — these are different subsidiaries, with different setups, under different jurisdictions. But according to his senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it hadn’t updated its systems — and within those systems was a server that didn’t have multi-factor authentication (MFA) enabled.

We know that hackers stole health data using “compromised credentials” to access a Change Healthcare Citrix portal which had been intended for employees to access internal networks remotely. Incredibly, Witty said the company was still working to understand why MFA wasn’t enabled, two months after the attack. This doesn’t inspire a great deal of confidence for U.K. healthcare professionals and patients using EMIS Health under the auspices of its new owners.

This isn’t an isolated case.

Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing healthcare data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and affected patients.

Whether ransom attacks prove successful or not, they are ultimately lucrative — payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed previous reports that UnitedHealth made a $22 million ransom payment to its hackers.

Why are ransomware gangs making so much money?

Health data as valuable commodity

But the biggest takeaway from all this is that personal data — particularly health data — is a huge global commodity, and it should be protected accordingly. However, we keep seeing incredibly poor cybersecurity hygiene, which should be a concern for everyone.

As TechCrunch wrote a couple of months back, it’s getting increasingly difficult to access even the most basic form of healthcare on the state-funded NHS without agreeing to give private companies access to your data — whether that’s a billion-dollar multinational, or a venture-backed startup.

There might be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is such partnerships increase the attack surface that bad actors can target — regardless of whatever obligations, policies and promises a company might have in place.

Want to see an NHS doctor? Prepare to cough up your data first.

Many U.K. family doctor surgeries now require patients to use third-party triaging software to make appointments, and unless you peruse the fine print of the privacy policies with a fine-toothed comb, it’s often not clear who the patient is actually doing business with.

Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it is merely the data “sub-processor” responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. Similar to the UnitedHealth attack, legitimate credentials were used to access a Citrix server.

You don’t have to squint to see the parallels between what has happened with UnitedHealth and what could happen in the U.K. with the myriad private companies striking partnerships with the NHS.

Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country’s biggest ever crimes, the Vastaamo data breach came about after a now-defunct private psychotherapy company was sub-contracted by Finland’s public healthcare system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki attempted to blackmail thousands of patients, threatening to release intimate therapy notes.

In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers and therapist notes. The Finnish data protection ombudsman noted that the most likely cause for the breach was an “unprotected MySQL port in the database,” where the root user account wasn’t password protected. This account enabled unbridled database access from any IP address, and the server had no firewall in place.

In the U.K., there have been well-vocalized concerns around how the NHS is opening access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded massive contracts by NHS England to help it transition to a new Federated Data Platform (FDP) — much to the chagrin of doctors and data privacy advocates across the country.

It all seems somewhat inevitable though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented — then someone forgets to set up basic MFA, or they leave an encryption key under the doormat, and everything blows up.

Rinse and repeat.