[indie perfume oils] "Does anyone know what's going on with AlphaMusk right now?" Another promising indie maker skids out, and then flames out amidst a hail of accusations, cross-accusations, and tears. Featuring gnomes and receipts in the form of math!
I'm a moderate participant in the world of "indie" (small batch, usually single maker, usually natural or naturally-based) perfumes. For perfume lovers, the world of indie fragrances can often be a major revelation---highly unusual scents, custom scents, and fandom scents---usually at very affordable prices compared to niche designer fragrances. There are a few older major players such as Nocturnal Alchemy and Black Phoenix Alchemy Lab, but every few months or so, a fresh "house" enters the scene usually through etsy and Instagram.
Generally the routine follows a well-trodden path: a launch announcement with giveaways, small fanfare, and samples. A few people test it out, then come back with glowing reviews. Then more and more people hop on the bandwagon and start the hype train. Soon the "resale" market is established with people looking for rare or limited edition scents. Soon the new house is everywhere and everyone is trying them out.
For a house with established business best practices and/or marketing experience + no personal challenges this is the best case scenario.
But about half the time, there's a spectacular flame out that results in TONS of drama. (and that usually follows a well-trodden path too---flailing, blaming emergencies, a well-timed distraction, cross-accusations, and then a tearful retreat/flounce. This is all conducted under an absolute hail of back and forth from skeptics/the 'I told you so' crowd and rabid fans)
This is one of those second kind of stories.
Alphamusk launches September 2019. Shoppers are immediately taken by the maker's deft hand with scent blends. Alphamusk gets tons of positive attention in the form of gushing reviews on specific subReddits [that I won't link to as to avoid brigading] that cover these things.
Alphamusk starts pumping out collections with dozens of options. She also offers a complicated custom fragrance option with what turns out to be, mathematically, hundreds/thousands of options. By July of the next year, close to 300 perfumes were being offered for sale. One key aspect of the popularity of this house is the super-approachable price point. The owner was offering 5ML for like $8 or similar. Most indie fragrances are about $25 per 5ML plus $8 or so for shipping. A combination of "dollar sign eyes" and FOMO and hype meant an absolute feeding frenzy started occurring on the etsy page.
An important note here is that for most indie sellers of hand-blended perfumes, the perfumes are made to order. So it's not like there's a big jug of "Strawberry Madness" or whatever laying around and they just pour it into a 5ML amber vial and go. Blending the master jug takes 2-4 hours generally once the formula has been developed.
I will say that I checked out the house around this time on etsy. I recall being put off by the owner's very casual use of celebrity or entertainer's intellectual property (such as using their name, image, or likeness) for profit and that turned me off the house completely. I decided I had enough stinkies in my collection and moved on. I foolishly did not draw this to anyone's attention, because it felt like crappy pearl-clutching and me being a prude and a hall monitor. I now wish I had because it was (to me) a pretty clear indication that the maker on at least one level, believed the rules of business engagement did not apply to her.
Meanwhile, the house was starting to have serious rumbles of concern from buyers that were seeing huge turnaround times (TAT as it's called) and delayed shipments. In January the owner quietly admitted in a few forums that she was overwhelmed with orders and struggling. The owner feinted towards putting the shop on hiatus in July 2020 but the proposed hiatus start date came and went with no hiatus. Meanwhile hundreds of orders were pouring in.
About 3 months ago, the maker announced that she would make a spin-off page that offered "ready to ship" pre-made scents. At that time, the owner claimed they were still conceptualizing and making new scents, despite disquieting rumors that they were absolutely buried in orders.
About 60 days ago, concerning reports started trickling into the subReddit.
"Is the etsy page down?"
"Has anyone else been waiting 5 months?"
"At what point do you ask for your money back through a dispute?"
"Are these scents really worth this 4-month wait?"
Cue the fireworks.
About half the crowd was initially extremely sympathetic to the maker. To her credit at the time, she explained she was having a family emergency and closed and reopened the shop on etsy a few times to catch up. The buyers who had gotten purchases rallied on her side. Another set of buyers still waiting for their treasured scents decided to just wait it out, after all...she's a single maker, she's a small house, etc. It felt like at this time the very beginnings of a...cult-like worship and defense of the maker was congealing.
Just about a month ago, the fireworks landed on a gasoline factory when a fairly new to the scene indie maker of his own perfume line joined the fray with some hard, cold math and numbers. (He also used the phrase "horse-puckey" which made me biased towards him in the positive). Owners of indie perfumes are welcome in the subReddit and often post ask me anything, new launches, or explainers, as well as popping in to comment as owners.
He pointed out in a scathing comment that got both many awards and the eternal hatred of super-fans:
"According to the Alpha Musk Etsy shop which was also opened in 2019, and has been closed since September 12, 2020 "TO CATCH UP ON ORDER BACKLOG", the Alpha Musk Etsy shop has made 7560 sales. This thread [in the hobby subReddit] features an Instagram post in order to crosspost the update about order fulfillment for those who do not have Instagram; that post announces that this previous WEEK Alpha Musk processed orders that "contain a total of just over 600ml of perfume, or over 20 ounces)." This was for 23 orders, a fact based on the order numbers posted in the pictures and referenced in the body text.
So, let's look at this two ways:
Let's say that 7560 SALES equals 7560 ORDERS. At a rate of 23 orders per week, it would take 328 weeks, or 6.32 years, to fulfill all those orders.
Let's instead say that 7560 SALES equals 7560 5ml items. If process throughput per week is around 600ml, or 120 x 5ml units, 7560 sales as 5ml items equals 63 weeks, or 1.2 years to process all that merchandise.
Again, I'm speaking up as a brand owner because: these kinds of activities are improper; they are characteristic of Ponzi schemes (making future sales to fulfill previous transactions when the inventory never existed to begin with); and, for those here who are at risk of losing their right to make claims for refund, these snowballing promises are potentially, greatly damaging to the goodwill and trust of the community at-large — especially for newbies — as well as on the precipice of financial loss for many."
Someone pointed out that etsy counts each item in the order as an order in a confusing system to count "order" so the "math guy" re-calculated:
"7,560 sales is the figure on AM's shop page for the entire time it's been operational, but a sale isn't the same thing as an order for Etsy's accounting purposes and this does not reflect the total number of orders. Based on this seller's explanation of the system, an order with 20 items in it can be counted as anywhere from 1-20 sales depending on the number of shop listings that were in each order. That means the sales figure vastly overestimates the number of orders she has had since opening and what she would have had at closing, but may undercount how many items were ordered. It also means that the six year time estimate given for all of her orders since opening to be fulfilled is likely much too high. If we assume that the 600mL figure from Friday corresponds to 23 orders completed (in a week's time as implied), that's about 26mL per order or 5 standard bottles and a sample so let's call it 5-6 sales for simplicity.
7560 sales ÷ ~5-6 sales/order = ~1260-1512 orders since opening. That tracks decently well with the 967 orders AM says were outstanding at closing time, since she obviously filled many (but not enough) orders since opening, but that her rate of order filling was truly bad before making changes and closing shop: (~1260 - 967) orders filled ÷ 43 weeks being open = just under 7 orders filled per week. 1260 orders at that rate is a workload of a bit over 3.5 years of orders to fill in less than a year of being open. If we use the higher order count estimate, that's closer to 13 orders/week and about 2 years and four months of workload she was handling alone. Both of these estimates still indicate a huge problem for her business pre-changes, but definitely less of one."
Cue the meltdown.
The comment section exploded and set off many other "I'm new to the party, WHAT just happened?!" threads for a few weeks afterwards.
The hobby was divided between people who argued that another indie perfume seller had no right (and in fact it was sus as hell) to drill into someone's business like that and quibbled with the numbers repeatedly, and the other half who expressed relief that someone had called the Emperor on their lack of clothing, so to speak, and pointed out that there was no possible way people were getting their smellies from that maker and strongly encouraged buyers to make a PayPal, etsy, or credit card claim if they still could.
One very concerning aspect of this is that once you cross a certain time threshold, usually about 90 days, from purchase, credit card, etsy, and PayPal claims become very difficult to make and prove. So the owner asking for people to wait for 4-5-6 months TAT felt to some like a way to evade the credit card chargeback window or etsy claim window.
The owner tried to mitigate some of the damage just prior to that explosion by bringing customer service helpers called "gnomes" to answer emails and handle other admin tasks while the owner concentrated on filling her huge volume of orders.
Heartening IG posts went out with batch lists of what orders the maker was working on at that time. In late August there were 600 outstanding orders in queue. About 30-60 days later, the gnomes left, and the owner was on social media directly blaming critical comments for making them leave. From that point forward, it was a battle between the owner and critics, with the owner apparently lurking or otherwise seeing the subReddit comments and directly responding and referencing them in IG rants and veiled threats/meltdowns.
Another brand owner came on a "what's going on with Alphamusk?" thread and sympathetically but firmly explained their own process that takes tons of time and pointed out that the pandemic was causing huge delays in product sourcing and shipping, but ultimately conceded that sweeping changes to Alphamusk's business model were needed to stay afloat.
About 25 days ago, the etsy shop closed with no clear indication of a plan on how the owner would be fulfilling the huge backlog of orders. The owner's IG page went to private amidst somewhat-baseless legal threats and the subReddit removed most comments that included screenshots, just to be on the safe side.
*There was also a really ugly muck-raking incident involving the "math" shop owner but I don't want to open that all up again so I'll just reference that it happened as part of this huge drama and leave it at that.
Finally the mods from the subReddit came on with an ominous (but necessary) PSA "Your rights as a consumer" at the top of every thread that revolved around the shop. The subReddit had to update their rules around arguing and targeting those critical of the shop. (Which started its own little fireworks show, naturally).
It's been a RIDE y'all!
If you have a weird feeling about an etsy shop or indie seller for any reason, trust your gut, y'all! There are many established makers and transparent, honest, and trustworthy makers. It's a shame that a few bad apples cast a bruise on the industry at large.
submitted by Chazzyphant
HIPAA-Compliance for Cloud Storage Services
Cloud computing provides undeniable benefits for storing and accessing electronic health records. Files stored in the cloud are accessible anytime and anywhere from any device, which makes it easy to share critical medical information between healthcare workers. But is cloud storage secure enough to store, access and transfer sensitive personal and medical information?
For clinics, hospitals and other healthcare organizations, ensuring that patients’ medical information stays private isn’t just an ethical issue, it’s a legal one as well. The Health Insurance Portability and Accountability Act (HIPAA) provides clear rules about the storage and sharing of medical data. Any organization that handles health records is required to be in compliance.
Therefore, before moving health-related data to cloud storage, healthcare organizations need to make sure that the software they plan to use is HIPAA compliant.
This article covers HIPAA-compliant storages and explains your responsibility in making your cloud storage compliant.
What is HIPAA?
HIPAA is a set of rules that establish the allowable uses and disclosures of health and medical information. It places restrictions on who may access health information and when, and also sets standards for protecting health data from individuals who do not have the right to view it.
The key provisions of HIPAA include:
- HIPAA Privacy Rules — Regulate how an individual’s health information may be disclosed or used
- HIPAA Security Rules — Specify standards for safeguarding and protecting electronically created, processed, accessed or stored healthcare information
- The HIPAA Breach Notification Rule — Requires organizations to notify individuals whose personal health information has been exposed and regulates the process of notification
- The HIPAA Omnibus Rule — Clarifies definitions, procedures and policies; provides a checklist for Business Associates; and implements the requirements of the Health Education Technology for Economic and Clinical Health (HITECH) Act
- The HIPAA Enforcement Rule — Governs investigations following a data breach and states the penalties imposed on the responsible party
Healthcare entities must develop specific safeguards, procedures and policies to comply with these rules.
Protected Information Types
HIPAA calls for the protection of “individually identifiable health information,” which is defined as information regarding:
- An individual’s past, present, or future physical or mental health
- The provision of health care to the individual
- Past, present or future payment for the provision of health care to the individual
- The identity of the individual, or data which there is a reasonable basis to believe could be used to identify the individual
Types of Security Safeguards
The HIPAA Security Rule covers three types of safeguards for protected health information:
- Physical safeguards — HIPAA requires developing policies for the use and positioning of workstations and procedures for use of mobile devices, as well as implementing facility access controls, if applicable.
- Technical safeguards — HIPAA requires implementing activity logs and controls, as well as a means of access control. Compliance might require mechanisms for authenticating information and tools for encryption.
- Administrative safeguards — HIPAA requires conducting risk assessments, implementing risk management policies, developing a contingency plan and restricting third-party access to information.
HIPAA Key Terms
Here are the most important terms used in HIPAA:
- PHI — Protected health information
- ePHI — Protected health information that is stored or transmitted electronically
- Covered entity — A healthcare provider, a health plan provider (such as an insurer or employer) or a healthcare clearinghouse
- Business associate — A person or business that provides a service to or performs a particular function or activity for a covered entity
- Business Associate Agreement — A legal contract stating what PHI the business associate may access, how the PHI is to be used, and requirements for returning or destroying the PHI once the task for which it is needed is complete. A covered entity must obtain a Business Associate Agreement before allowing a business associate to access
HIPAA Compliance and Cloud Storage
No cloud server is HIPAA-compliant right out of the box, but there are ways that IT experts can step in and make the cloud compliant for the needs of covered entities.
Organizations should keep in mind that there is no official HIPAA or HITECH certification, and no government or industry certifies HIPAA compliance for cloud services. That means it’s up to the covered entity and the cloud service provider to ensure adherence to the law’s requirements. The cloud service must review HIPAA regulations and possibly update its products, policies and procedures to support a covered entity’s HIPAA compliance goals.
How does HIPAA apply to cloud storage?
When a covered entity stores PHI in the cloud, the cloud storage service is considered by law to be a business associate of the covered entity. To be HIPAA compliant, therefore, a Business Associate Agreement has to be in place. That agreement needs to state that the cloud service provider shall:
- Secure the data transmitted to the cloud
- Store the data securely
- Provide a system that allows careful control of data access
- Record logs of all activity, including both successful and failed attempts at access
A HIPAA-compliant cloud storage incorporates all the required controls to ensure the confidentiality, integrity and availability of ePHI. The covered entity is responsible for developing policies and procedures covering the use of HIPAA secure cloud storage for this information.
Which cloud services are not considered HIPAA-compliant?
Some cloud services cannot be made HIPAA-compliant for various reasons. Apple and iCloud, for example, cannot be HIPAA-compliant because they don’t offer a BAA for covered entities.
Other services fail to provide essential integrated security capabilities, such as data classification, and therefore cannot be used to store ePHI.
Why is data classification essential? Data classification is required to inventory ePHI and group it according to sensitivity level, so that the organization can ensure its confidentiality, integrity and availability as required by the HIPAA Security Rule. By distinguishing between regulated and non-regulated data, classification enables organizations to:
- Prioritize security controls
- Protect critical assets
- Improve risk management by helping to assess the value of the data and the impact of data loss, misuse or compromise
- Streamline legal discovery
- Improve user productivity
Data protected by HIPAA typically follows a three-level data classification scheme:
- Restricted or confidential data — Information that could cause significant damage if disclosed, altered or destroyed. This data requires the highest level of security using controlled access according to the principle of least privilege.
- Internal data — Information whose disclosure, alteration or destruction can cause moderate or low-level damage. This data is not released to the public and requires reasonable security controls.
- Public data — Public data doesn’t need protection against unauthorized access, but still requires protection from unauthorized alteration or destruction.
How does the HIPAA Privacy Rule affect cloud services?
The HIPAA Privacy Rule requires covered entities and business associates to establish the integrity of ePHI and protect it from unauthorized destruction or alteration. Organizations must identify where ePHI is stored, received, maintained and transmitted. That task requires special care in the case of cloud storage services.
The safest bet when using cloud storage for ePHI is to use a service that’s known to be compatible with HIPAA and HITECH requirements.
The Most Popular Cloud Storage Services that Support HIPAA and HITECH
There are a number of popular cloud storage services that support HIPAA and the HITECH Act.
Keep in mind that not all versions of these services will be compliant — usually only a particular version or license supports HIPAA-compliant use. All of the following platforms, however, have at least one version with the appropriate security capabilities to be made compliant, and all are willing to sign a Business Associate Agreement.
- Dropbox Business — Dropbox Business offers a BAA for covered entities and can be configured to offer HIPAA-compliant cloud storage. The service provides a variety of administrative controls, including user access review and user activity reports. It also allows for the review and removal of linked devices and enables two-step authentication for additional security.
- G Suite and Google Drive — Google offers a BAA as an addendum to the standard G Suite Agreement. While not all G Suite products can be made HIPAA compliant, a number of useful Google apps do follow legal requirements for the storage and sharing of ePHI. Google Drive and related applications like Docs, Sheets, Slides and Forms can all be configured for HIPAA compliance, as can services like Gmail and Calendar. However, Google Contacts, as well as non-core Google sites like YouTube and Blogger, cannot be made HIPAA compliant and therefore can’t be included in a BAA.
- Microsoft OneDrive and E5 — Microsoft’s Online Service Terms automatically provide a Business Associate Agreement. The agreement is available for OneDrive for Business, Azure, Azure Government, Cloud App Security and Office 365, among others. Covered services include email, file storage and calendars. Microsoft also provides data loss prevention tools. Microsoft’s Enterprise E5 license offers the most robust security features the company has available. The package also includes advanced security management for assessing risk.
- Box Enterprise and Elite — Box Enterprise and Elite accounts include access monitoring, reporting and audit trails for users and content. The service also provides granular permissions or authorizations. Box can securely share data through a direct messaging protocol and allows secure viewing of DICOM files, including X-rays, CT scans and ultrasounds.
Essential Security Features for HIPAA Compliance
HIPAA requires a number of security features from services that work with covered entities. The cloud storage services mentioned all allow for a combination of the following security configurations:
- A HIPAA-compliant cloud storage service must offer two-step authentication or single sign-on and encryption of transferred ePHI.
- All devices used to access or send ePHI must be able to encrypt messages to be sent outside the firewall and decrypt the messages received. All encryption must meet NIST standards.
- Configuration of file sharing permissions allows covered entities to implement a permission-based system that limits unauthorized user access. The controls must be configured correctly to be effective, including two-step authentication, secure passwords and secure file-sharing procedures to protect data from unauthorized access.
- Account activity monitoring requires you to review access logs regularly to ensure you can spot improper activity promptly. Solutions like Netwrix Auditor help you gain visibility into business activities in the cloud. Netwrix Auditor reports on both access events and changes, including changes to content, security settings and mailbox settings.
- Data classification is essential for grouping and protecting information based on sensitivity level. Netwrix Data Classification provides predefined taxonomies that are easy to customize, classifies data accurately and automates critical workflows to improve data security.
- A cloud drive cannot be made HIPAA compliant unless you properly configure security controls and monitor activity around data stored in the system. To ensure your organization’s cloud storage service stays compliant, be sure to regularly perform risk assessments and develop strict cybersecurity policies and procedures.
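As an added example (not code from the article or from Netwrix), the following Python script ties the three-tier classification scheme above to the BAA's requirement to log both successful and failed access attempts: it parses constructed access-log lines, checks every successful read against the reader's role clearance under least privilege, flags reads of paths missing from the classification inventory, and counts failed attempts per user. The log format, the role table, the file paths and the failure threshold are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# The article's three-tier scheme; a higher rank means more sensitive data.
TIER_RANK = {"public": 0, "internal": 1, "restricted": 2}

# Constructed role-to-clearance table: the highest tier each role may read.
# Unknown roles are treated as "public" (least privilege by default).
ROLE_CLEARANCE = {"clinician": "restricted", "billing": "internal", "marketing": "public"}

# Constructed classification inventory. Every path holding ePHI must be listed;
# a path that is not listed has not been classified and is reported as a finding.
CLASSIFICATION = {
    "/records/patient-1042/labs.pdf": "restricted",
    "/records/patient-1042/invoice.pdf": "internal",
    "/public/visiting-hours.txt": "public",
}

# Constructed log lines (assumed format): time user role action path result
SAMPLE_LOG = """\
2024-03-01T08:00:00Z dr.lee clinician read /records/patient-1042/labs.pdf ok
2024-03-01T08:05:00Z pat.ng billing read /records/patient-1042/invoice.pdf ok
2024-03-01T08:06:00Z pat.ng billing read /records/patient-1042/labs.pdf denied
2024-03-01T08:07:00Z pat.ng billing read /records/patient-1042/labs.pdf denied
2024-03-01T08:08:00Z pat.ng billing read /records/patient-1042/labs.pdf denied
2024-03-01T09:00:00Z sam.ro marketing read /records/patient-1042/labs.pdf ok
2024-03-01T09:30:00Z dr.lee clinician read /records/patient-1042/notes-draft.txt ok
2024-03-01T10:00:00Z sam.ro marketing read /public/visiting-hours.txt ok
"""

# Assumed threshold: this many failed attempts by one user is worth a look.
FAILURE_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    time: str
    user: str
    role: str
    action: str
    path: str
    result: str


def parse_log(text):
    """Parse the constructed space-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        events.append(Event(*fields))
    return events


def review(events):
    """Return (kind, user, detail) findings for the three checks described above."""
    findings = []
    failures = Counter()
    for ev in events:
        tier = CLASSIFICATION.get(ev.path)
        if tier is None:
            # ePHI location not in the inventory: the organization cannot show
            # it knows where this data lives, so report it regardless of result.
            findings.append(("unclassified", ev.user, ev.path))
            continue
        if ev.result != "ok":
            failures[ev.user] += 1  # denied attempts are logged and counted
            continue
        clearance = ROLE_CLEARANCE.get(ev.role, "public")
        if TIER_RANK[tier] > TIER_RANK[clearance]:
            # A successful read above the role's clearance means the sharing
            # permissions are misconfigured, not that the user broke in.
            findings.append(("over-privileged", ev.user, ev.path))
    for user, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated-failures", user, str(count)))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:8} {detail}")
```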
Using a trusted cloud provider is critical but does not guarantee compliant cloud storage. Even when a cloud service signs a Business Associate Agreement and offers administrative security controls, encryption and other security tools, that doesn’t automatically make your organization HIPAA compliant.
In order to make sure your cloud storage services are HIPAA compliant, be sure to:
- Properly configure the settings
- Check third-party app access to the cloud
- Use specialized tools for log audits to ensure file security and privacy
Health organizations and patients alike rely on strong cybersecurity protocols to keep ePHI safe from damage, destruction, alteration and unauthorized access. Using one of these services can help keep your data safe and your healthcare organization compliant with the law.
FAQ
Which security features make cloud storage HIPAA-compliant?
HIPAA-compliant cloud storage services all offer:
- Data classification
- Permission restrictions for access and file-sharing
- Encryption and decryption of data
- Two-step authentication or single sign-on
- Activity logs and audit controls to register attempted access and record what is done with the data once accessed
What is the purpose of a Business Associate Agreement (BAA)?
Before a covered entity can use a cloud storage service, they must sign a BAA with the service. This agreement:
- Specifies which PHI the business associate can access
- States how the PHI may be used
- Establishes how the PHI will be returned or destroyed once the task for which it was needed is complete
Does having a BAA ensure my organization’s compliance with HIPAA and the HITECH Act?
No. It is up to you, the healthcare entity, to establish appropriate configurations, create necessary policies and perform due diligence to achieve and maintain HIPAA compliance.
Original Article - Most Popular HIPAA-Compliant Cloud Storage Services
submitted by Jeff-Netwrix