By Brent T. Wilson
Barring a plea deal, which seems unlikely, Elizabeth Holmes, the founder and CEO of failed blood testing company Theranos, and president/COO Ramesh Balwani are scheduled for trial on multiple counts of criminal fraud in August 2020. If convicted, each faces up to 20 years in prison. This is in addition to actions already taken by the SEC against Theranos and Holmes, as well as class action lawsuits by investors and patients.
The media has reported extensively about Holmes and the downfall of Theranos, which was at one point valued at $9 billion. John Carreyrou’s best seller Bad Blood: Secrets and Lies in a Silicon Valley Startup covers the whole sordid tale. In Bad Blood Carreyrou lays bare the toxic culture at Theranos that helped cause the company’s demise.
This article is not about the gripping tale of deception, manipulation, and intimidation fostered by Holmes and Balwani (and other bizarre facts, such as Holmes communicating in a fake deep voice for years after starting Theranos) – Carreyrou, ABC’s Rebecca Jarvis in the podcast The Dropout, and many other talented journalists have thoroughly covered those topics. The focus here is on Theranos’s board of directors and their failure to govern the compliance function, which ultimately helped contribute to the company’s downfall – and what the board should have done instead. Any statements of fact about Theranos in this article are taken from Carreyrou’s and Jarvis’s reporting.
Background: Theranos and Its Board of Directors
At age 19 and after only two semesters of chemical engineering classes at Stanford, Holmes dropped out to start Theranos, a privately held for-profit entity. Holmes, an aspiring billionaire, claimed she feared needles. The basic idea was to create a miniature laboratory that could perform blood tests using only a drop or two of blood pricked from a finger. Holmes’s grand vision was to revolutionize blood testing and place these miniature labs in homes across the world. Easy access to affordable and reliable blood testing would help with early detection and preventative medicine.
Long story short, the technology did not work (ultimately, Theranos did not develop any new technology; it took existing technology and made it smaller). Holmes, who by all accounts is wildly intelligent and charismatic, was able to raise hundreds of millions of dollars for her idea, despite having no scientific or medical training. Turns out, Holmes sold the company to investors through obfuscation and deception. When it became clear Holmes was willing to endanger patients by using questionable blood testing processes, some employees turned on Holmes and became whistleblowers.
It is important to be clear on a few things about the board’s role in the company’s failure. First, no board member is facing prosecution or even the threat of indictment. None of them participated in the fraud. They, like almost everyone else, were duped. Second, Holmes maintained complete control of the board and did not tolerate dissent. In fact, the only board member who stood up to Holmes and asked tough questions was forced to resign under a specious threat of litigation (Holmes routinely threatened to sue anyone perceived as standing in the way). So it is not clear that additional governance activity by Theranos’s board would have demonstrably prevented the course of events for the company.
There is no indication that any other board member, however, was even interested in asking questions or challenging Holmes. Each Theranos board member was highly accomplished, but none of them had any substantial scientific or health care industry experience. Holmes recruited famous diplomats, statesmen, and political and military leaders with significant connections for a reason, namely to work those connections, raise funds, and gain attention. Theranos’s board was window dressing. From a compliance perspective, Theranos is a good case study.
The Board’s Role in Compliance Oversight and Potential Liability
Directors are responsible for oversight of a company’s compliance function. Foremost, whether in a for-profit or non-profit entity, directors are fiduciaries.[i] As such, directors are responsible for ensuring a company’s activities comply with applicable industry, legal, and regulatory frameworks, the broad protections of the business judgment rule notwithstanding. The Federal Sentencing Guidelines set out the required elements of an effective compliance program, including the board’s role: “the organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”[ii]
Under the seminal In re Caremark International, Inc. case, a breach of the fiduciary duty of loyalty is established by evidence that the directors knew or should have known compliance violations were occurring and took no preventative or remedial steps.[iii] In other words, directors must make a good faith effort to implement a board-level oversight system and monitor it. Proving such a failure is difficult – e.g., it requires evidence of a sustained or systematic failure to exercise oversight, such as “an utter failure to attempt to assure a reasonable information and reporting system exists.”[iv]
The recent Delaware decision in Marchand v. Barnhill, a case involving Blue Bell Creameries, paints a roadmap for how to establish this type of “utter failure.” Shareholders derivatively sued the board and executives for losses after the company failed to respond to a listeria outbreak in several factories, which caused the deaths of three customers.[v] Plaintiffs survived a motion to dismiss because their complaint included sufficient inferences that the board had not undertaken any effort to ensure it was informed about the compliance issues critical to the company’s operations.
Blue Bell does one thing: it makes ice cream. Blue Bell’s board, however, had no committee to address food safety issues, no processes or protocols for management to update it about food safety practices or risks, and no regular schedule for considering food safety risks inherent to the industry. There was no evidence management notified the board of red or yellow flags from regulators about reported listeria problems, and there was a complete lack of any discussions about food safety in board meeting minutes – even during the time of the listeria outbreak.
Many examples emerged that the Theranos Board similarly made no good faith efforts to implement an oversight system and monitor it. Though Holmes advertised Theranos as a Silicon Valley technology startup, at its core Theranos was a blood testing company with a diagnostic laboratory subject to the same regulatory compliance requirements as any other lab. Notwithstanding, Theranos, at Holmes’s or Balwani’s direction, flouted regulatory requirements. The board had no system in place to monitor Theranos’s compliance with laboratory regulations or identify any of these problems.
For example, with regard to its proprietary lab equipment, Theranos could not run most blood tests on its miniaturized equipment, so it hacked commercial analyzers, diluted small finger prick samples, and ran them on the hacked commercial machines, which negatively impacted accuracy. Theranos also segregated its proprietary miniature lab equipment from the commercial analyzers it used to run most of its blood tests. When state regulators conducted inspections of the lab, Theranos only showed the inspectors the lab with the conventional commercial analyzers. Finally, Theranos cheated on proficiency testing, a regulatory- and accreditation-required exercise aimed at identifying inaccurate blood testing, by testing proficiency samples on commercial analyzers rather than on Theranos’s proprietary lab equipment.
In operating its lab, Theranos went months without a director, which violated licensure requirements. When Theranos eventually appointed a lab director, it was a dermatologist who was not actually qualified to run a clinical laboratory and was mostly an absent figurehead. Theranos also set up protocols that allowed unlicensed personnel to conduct quality control procedures and process patient samples in the lab. Balwani regularly fired employees who dared question him. One victim was a microbiologist who pushed for industry-standard and regulatory-required environmental health and safety protections in the lab.
With regard to regulators, Holmes created an illusion that Theranos cooperated with the FDA and the FDA approved its blood testing processes. In fact, the FDA had approved only a few of Theranos’s tests (Theranos skirted FDA oversight for the most part). When the FDA inspected the lab, it determined that Theranos’s “nanotainer” for collecting blood from finger pricks was an uncleared medical device and prohibited Theranos from using it.
Perhaps most egregiously, the Centers for Medicare and Medicaid Services (“CMS”) conducted a surprise inspection of the lab in September 2015 and found serious deficiencies with Theranos’s proprietary lab equipment and lab operations. CMS found that unqualified personnel were allowed to handle patient blood samples, that blood was stored at the wrong temperatures, that expired reagents (solutions used for blood testing) were present, and that Theranos failed to notify patients about flawed test results. CMS required Theranos to void almost one million blood test results run on its proprietary equipment. In other words, Theranos’s proprietary blood testing equipment was basically useless. In July 2016, CMS banned Holmes and Theranos from running a blood testing lab.
There are additional examples of serious compliance-like concerns the board should have addressed, but did not. For example, not one health care venture capital firm invested in Theranos, but board members never questioned that fact. The board approved hiring Balwani as president and COO despite his having no blood testing, laboratory, or medical industry experience (as a salacious aside, Holmes never disclosed to the board that she and Balwani were dating and living together).
In March 2008, two high-level employees approached the board chair with evidence Holmes misled the board about the effectiveness of Theranos’s blood testing technology and revenue projections. Faced with this information, the Board decided to remove Holmes as CEO. Holmes convinced them to change their minds. Less than two weeks later Holmes fired both employees. Not one board member looked into the firing of two high-level employees who only a few weeks earlier provided evidence that had convinced them to remove Holmes.
Similarly, in November 2006 Holmes faked successful results of a blood test on Theranos’s proprietary mini device in a demonstration to a multi-national pharmaceutical company. Holmes did this routinely when demonstrating the devices to potential investors and pharma companies. When Theranos’s CFO learned about this practice and strongly objected, Holmes fired him. No board member seemed concerned a C-suite level employee was suddenly gone, or asked why.
How Can a Board Satisfy its Fiduciary Duty to Oversee Compliance?
The pattern of inaction of the Theranos board is similar to the Blue Bell case. So what should a board of directors do to oversee compliance? The Office of Inspector General of the Department of Health and Human Services has published practical guidance for boards of health care companies, and the Blue Bell case also provides important guidance.[vi] Effective board actions for compliance oversight may include the following.
Establish Board-Level Systems for Oversight. Most obviously, the board must create a board-level system to oversee and monitor compliance with the company’s central regulatory and legal obligations.
Reporting to the Board. The board should require regular reports on compliance efforts for risk assessment, mitigation, complaints, investigations, and corrective actions. Management should report on critical operations issues to the board, particularly on yellow or red flag concerns (e.g., whistleblower complaints, regulator actions). Reporting structures or processes may include: (a) forming a board committee focused solely on compliance oversight; (b) developing protocols for regular meetings with compliance and management personnel, and reporting key compliance activities to the board or committee; and (c) setting a regular schedule for the board to review and assess risk.
Minutes. Board minutes should reflect efforts to establish, implement, and continually monitor key compliance matters, and should include management reports on risks and compliance issues.
Board Education. Provide annual (at least) education to board members on their duties regarding compliance oversight and on the substantive regulatory areas the board is responsible for overseeing. This is especially important in health care, where the regulatory landscape changes quickly and human safety is a risk.
Board Member Expertise. Ensure board composition includes necessary expertise, or the board has access to necessary expertise. This will assist the board with risk identification, assessment, and knowing which questions to ask company management.
Culture Development. The board should put management on notice that it takes compliance seriously and expects compliance accountability across the organization. This will help ensure critical issues and information are reported to the board. Education efforts and properly staffing the board may help foster a strong culture for compliance.
The ultimately $9 billion Theranos fraud demonstrates a corporate board’s vital role in compliance oversight. To fulfill their fiduciary duty, board members must be knowledgeable about the content and operations of the company’s compliance program, and develop board-level systems to ensure appropriate oversight of the implementation and effectiveness of the compliance program.
Brent T. Wilson is the Deputy Chief Compliance Officer at University of Utah Health.
[i] See, e.g., Idaho Code §§ 30-29-830, 30-30-618.
[ii] United States Sentencing Commission, Guidelines Manual (“USSG”), §8B2.1(b)(2)(A) (Nov. 2018)
[iii] See In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).
[v] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019).
[vi] See Caremark Liability for Regulatory Compliance Oversight, Harvard Law School Forum on Corporate Governance and Financial Regulation, Gail Weinstein, Warren S. de Weid, and Philip Richter (July 8, 2019) (available at https://corpgov.law.harvard.edu/2019/07/08/caremark-liability-for-regulatory-compliance-oversight/#respond) and Practical Guidance for Health Care Governing Boards on Compliance Oversight, Office of Inspector General, U.S. Department of Health and Human Services (April 20, 2015) (available at: https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf).