Florida-based Surfside Non-Surgical Orthopedics, P.A. (Orthopedics) filed a class-action lawsuit in the wake of the Allscripts ransomware attack that took place on January 18, 2018.
Allscripts’ EHR system was infected by SamSam ransomware, which encrypted patient data and made certain systems inaccessible, explained the lawsuit, which was obtained by HealthITSecurity.com.
Along with the Allscripts Professional EHR System being impacted, there were also “an undisclosed number of e-prescribing system vulnerabilities.”
Allscripts reported on its e-prescription login page on January 18 that EPCS functionality was down and that there was not yet a firm ETA for when it would be restored.
“Please note that EPCS users in EPCS mandated states (CT, NY, ME) pursuant to the state EPCS statute, write paper scripts due to a temporary technical difficulty with the EPCS service,” Allscripts stated. “It is recommended you note the ‘pharmacist special instructions’ and in the EHR that a paper or oral prescription was provided due to technical issues.”
An Allscripts spokesperson confirmed to HealthITSecurity.com in an email on January 26 that service to all affected clients had been restored.
Orthopedics maintained, though, that the incident had a significant impact and that Allscripts should have done more to mitigate a cybersecurity attack.
“This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers,” the lawsuit stated.
“Allscripts disregarded Plaintiff’s and Class Members’ rights by intentionally, willfully, recklessly, and/or negligently failing to take adequate and reasonable measures to implement, monitor, and audit its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced in January 2018,” the Plaintiff added, noting that healthcare has been aware of SamSam ransomware since at least May 2016.
Orthopedics added that it relies on Allscripts’ services for daily operations, and continues to suffer “economic damage and other actual harm.” This includes the monetary losses from business interruptions and the expenses needed to mitigate that disruption.
“As of the date of the filing of this Complaint, Plaintiff and the Class continue to experience significant business interruption and disruption as a direct and proximate result of their inability to: access and transact with Allscripts’ products and services; submit electronic prescriptions; and to access any patient records or any of the above modules,” the lawsuit read. “Allscripts wanton, willful, and reckless disregard caused a complete and total interruption of service, and further caused Plaintiff and the Class monetary and other damages.”
The Plaintiff stated that it would not have purchased Allscripts’ products and/or software had it known that the company would fail to take the necessary precautions against potential cyberattacks.
Orthopedics explained that it hopes to resolve several questions, including but not limited to whether Allscripts committed gross negligence, whether it unreasonably placed clients at risk from the cyberattack, and whether Allscripts’ system was vulnerable to cyberattack by reason of its acts and omissions.
Allscripts failed in its HIPAA requirements to maintain PHI security and did not implement necessary safeguards to prevent ransomware from infiltrating its system, the Plaintiff stressed.
“Allscripts breached its duties by failing to implement, monitor, and audit the security of its data and systems, resulting in a ransomware attack that significantly impeded and/or prevented its clients’ ability to conduct business,” the lawsuit stated, adding that failure to implement the necessary safeguards was also a breach of contract.
“Allscripts agreed to provide its specialized services in a professional and workmanlike manner,” said the lawsuit. “Implicit in performing these contractual duties is an obligation to reasonably safeguard its systems and data from cyberattack, including ransomware attacks, which can cause an interruption in the flow of an enterprise’s routine and everyday provision of services to its clients.”
In addition to federal violations, Allscripts violated the Illinois Consumer Fraud Act. Allscripts is an Illinois-based organization and committed “deceptive trade practices,” according to the class-action suit.
A specific figure for damages was not listed in the lawsuit. However, the Plaintiff explained that, on behalf of all Class members, it was asking “for an award of actual damages and compensatory damages, in an amount to be determined.”
Orthopedics added that it was also seeking “an award of costs of suit and attorneys’ fees, as allowable by law” and what the court determined to be “just and proper.”
Class-action lawsuits often follow healthcare data breaches, with patients and even healthcare employees demanding that entities take steps to better protect sensitive data.
Earlier this month, Aetna reached a $17 million settlement after an incident where 12,000 individuals had their information exposed.
In 2017, Aetna sent letters in the mail in which information about ordering prescription HIV drugs was clearly visible through the envelope's clear window. The settlement required Aetna to pay $17,161,200 and to develop and implement best practices for the use of PHI in litigation.