Last week, a ransomware attack against the EHR vendor Allscripts resulted in thousands of healthcare providers being unable to access patient data or use the e-prescription service. Already, a class action lawsuit against Allscripts has been filed by Florida-based Surfside Non-Surgical Orthopedics.
Allscripts provides EHR and e-prescription services to 2,500 hospitals and 19,000 post-acute care organizations. Last week, a new variant of SamSam ransomware infected the company's data centers in Raleigh and Charlotte, NC, leaving several applications offline for up to 1,500 clients.
Microsoft and Cisco incident response teams helped the company restore its e-prescribing service by Saturday, but for many clients the Allscripts PRO EHR system is still unavailable or experiencing outages. An Allscripts spokesperson has been unable to confirm when a full restore will be completed.
The Class Action Lawsuit against Allscripts
The class action lawsuit against Allscripts was filed in the United States District Court for the Northern District of Illinois, where the company is based. It alleges Allscripts was negligent in failing to secure its systems against cyberattacks and that the company was aware of vulnerabilities in its online security. The complaint quotes the company's most recent 10-K filing, which notes: “If our security is breached, we could be subject to liability, and our clients could be deterred from using our products and services”.
According to lawyers representing the plaintiff – Florida-based Surfside Non-Surgical Orthopedics – Allscripts forecast the ransomware attack in the 10-K filing; and, as a result of the attack, their client suffered “significant business interruption and disruption, and lost revenues”. The class action lawsuit against Allscripts also alleges breach of contract, unjust enrichment, and violations of Illinois' Uniform Deceptive Trade Practices Act and Consumer Fraud Act.
Steven Tapper – a member of the team that filed the class action lawsuit against Allscripts – believes the ransomware attack could have affected many more clients than the company is admitting. He told reporters: “We really don’t know. Allscripts hasn’t disclosed the full extent of the impact”. His colleague – John Yanchunis – added it could take as long as eighteen months to resolve the case, but Allscripts may choose to seek an immediate resolution. “I would hope that would be the case here,” he said.
Allscripts Could Also Face Penalties for Violating HIPAA
According to the Department of Health and Human Services' “Fact Sheet: Ransomware and HIPAA” (PDF), when ePHI is encrypted by ransomware, unauthorized individuals are presumed to have taken control of the ePHI. This is an unauthorized disclosure of PHI under the HIPAA Privacy Rule and must be reported to HHS unless it can be demonstrated that there is a low probability the PHI has been compromised. It is not known whether Allscripts maintained ePHI in an encrypted format.
Even if the company escapes a penalty for the unauthorized disclosure of ePHI, HHS may well launch an investigation following the revelations made in the class action lawsuit against Allscripts. The aspects of HIPAA compliance likely to come under HHS scrutiny include employee security training (for example, how the ransomware attack breached network defenses), ransomware recognition, security incident reporting and – considering the delay in fully restoring its systems – disaster recovery plans.