Class Action Lawsuit Alleges EHR Vendor Failed to Secure Its Systems
Earlier, Allscripts said that approximately 1,500 of its healthcare clients, mainly small or midsized physicians practices, were affected by outages resulting from the ransomware attack.
But Steven Teppler of the Abbott Law Group, a member of the attorney team representing plaintiffs and class members in the case, says he suspects the number of affected practices to be potentially much higher and the impact significant.
“We really don’t know. [Allscripts] hasn’t disclosed the full extent of the impact. We don’t know if they had backup, or it the backup didn’t work,” he says. “We just don’t know. But I predict it will be a reportable event to the Securities & Exchange Commission.”
Last year, a number of other entities suffering ransomware attacks – including drug company Merck and medical transcription software vendor Nuance – ended up issuing statements warning investors and the SEC that the attacks would impact the companies’ financial results (see Nuance the Latest NotPetya Victim to Report Financial Impact).
The case is “a clarion call,” Teppler claims. “Allscripts is a poster child.” He says the lawsuit “is a first of its kind” in terms of a class action examining the risks and impact when a ransomware attack disrupts the systems and operations of an EHR vendor.
A Significant Case
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine – who is not involved in the Allscripts case – says that the class action lawsuit is significant for several reasons.
“This litigation just highlights one of the various risks that health IT vendors need to consider with respect to security,” he says. “A ransomware attack that disrupts services will lead to reputational harm, potential penalties under HIPAA and other laws, and can lead to substantial litigation from customers and potentially patients. Accordingly, vendors need to prepare through, first and foremost, good information security, and also good insurance coverage.”
The complaint notes that Allscripts had disclosed that it had been attacked and infected by the SamSam ransomware, resulting in the encryption of patient health-related information used to conduct Allscripts’ business. Allscripts has reported that its Professional EHR and Electronic Prescriptions for Controlled Substances cloud-based services were the hardest hit by the ransomware attack, the complaint notes.
“What makes the SamSam attack so pernicious is that by encrypting – and hobbling – key components of Allscripts’ network, it also hobbled Allscripts’ ability to conduct its business – the Allscripts Professional EHR System – and crippling an undisclosed number of e-prescribing system vulnerabilities,” the complaint alleges. “This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers.”
#Allscripts #Ransomware continues. We’re entirely offline. No access to past visits,results or even pt-schedules! No reminder calls or even pre-visit prep, since every arrival is a surprise. Allscripts told clients Mon it expected to restore “meaningful service to most by Tue AM” https://twitter.com/properconnects/status/956576180320153601 …
The complaint alleges that Allscripts was aware “that deficiencies in its products and services could result in privacy and security vulnerability or compromises, and failed to take adequate measures to protect against any such event.” In Allscripts most recent 10-K filing with the SEC, the company notes, “if our security is breached, we could be subject to liability, and clients could be deterred from using our products and services,” the lawsuit states. In that 10-K filing, “Allscripts poignantly forecasts what eventually happened here,” according to the complaint
Economic Damages Alleged
The lawsuit seeks a jury trial and plaintiff and class relief including, but not limited to, damages, restitution, punitive damages, injunctive relief and/or attorneys’ fees and costs.
The complaint alleges that “as a direct and proximate result of Allscripts’ wrongful acts and omissions, plaintiff and the class suffered, and continue to suffer, economic damage and other actual harm, including monetary losses arising from significant business interruption and disruption, together with expenses incurred in attempts to mitigate such business interruption and disruption. … Allscripts failed to implement appropriate processes that could have prevented or minimized the effects of the SamSam ransomware attack.”
The lawsuit says that the plaintiffs’ case involves “common questions of law and fact,” including whether Allscripts:
- Failed to implement, monitor and audit adequate processes to timely detect, prevent or mitigate a cyberattack;
- Unreasonably placed its clients at risk of having their business interrupted and disrupted as a result of a cyberattack;
- Failed to comply with the HIPAA Security Rule and also violated various state laws related to deceptive trade practices;
- Complied with any implied contractual obligation to use reasonable security measures, and what security measures, if any, must be implemented by Allscripts to comply.
More to Come?
Greene predicts more lawsuits will be filed against cloud-services vendors in the aftermath of a cyberattacks.
“I am not aware of a class action such as this on behalf of healthcare providers against a vendor for a ransomware disruption,” Greene says. But he stresses that the Allscripts case is not a sure-win for the plaintiffs.
“One challenge that the plaintiff may face is showing that the different healthcare providers are similarly situated for purposes of bringing a class action,” he says. “The impact of the disruption potentially could vary significantly between providers.”
As for the speed in which the lawsuit was filed, privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, notes that in federal court class action litigation, “there is a doctrine that potentially rewards the ‘first to file’ because the courts abhor the proliferation of copycat lawsuits that clog up the dockets.”
But he notes that until a lawsuit is certified by the court for class action status, “the claims are solely on behalf of the Surfside Orthopedics.”
While the lawsuit alleges “numerous claims that cover the spectrum of all possible causes of action … there is little evidence contained in the complaint beyond the allegations that the company failed to adequately safeguard their information systems or respond to the ransomware incident,” Holtzman claims. “We will have to watch how this lawsuit progresses to learn if the plaintiffs can produce any evidence to back up their claims. ”