One Week After Attack, Many Allscripts Clients Still Anguished

"A week out and they still cannot give us an estimated time we will all be back and running," a provider told Healthcare Analytics News.

(Error message sent to Healthcare Analytics News on January 24th by a physician whose practice is still experiencing outages).

The first messages were innocuous enough. Around 7:30AM on January 18th, a Twitter user complained about usage difficulties in response to a Tweet from Allscripts’ official account. Not long after, another added simply, “I’m having trouble as well.”

The electronic health records (EHR) provider would later confirm that between 2AM and 6AM that day, it had detected a ransomware attack affecting 2 of its data centers. Provider complaints ramped up throughout the day on social media as news outlets caught up. The attack took down some of the company’s cloud-based applications, including PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) platforms. The company says applications are being restored and it is working “unceasingly to restore all services to our clients who are still experiencing outages.”

Many providers, however, have yet to see relief.

A week after the attack was first detected, the torrent of Twitter anger has continued. “@Allscripts seriously still not working yet?! Our office is basically crippled without access to our charts,” one user asked today. “Wish they would just pay the ransom at this point. This is devastating!” another responded.

Staff from medical practices have told Healthcare Analytics News™ that they are still experiencing disruptions, mostly related to their ability to access certain cloud applications. Practice staff repeatedly received an error message, pictured above, when attempting to connect.

“They sent an announcement out this morning saying almost everyone should be back online. No one I’ve talked to is back on line,” an internal medicine physician from Connecticut told HCA News earlier today.

More than 4 days after the attack was detected, the company provided an estimate of the scope of the outages. In a statement emailed to HCA News on Monday evening (January 22nd), Allscripts spokesperson Concetta Rasiarmos said that “roughly 1,500 clients” were affected, and “none were hospitals or large independent physician practices.”

Consistent with the company’s statement, many of the affected practitioners are from small practices, though that line did little to quell frustrations. Rather, staff reported that they felt dismissed by the statement. Most of the complaints seem to have come from providers in the Southeast, Midwest, Mid-Atlantic, and New England regions.

Beyond the difficult short-term situation, which providers say has forced them to switch to paper records and cancel appointments, the ransomware attack may also have long-term implications for many clinicians and patients.

“This is tax season and a lot of our patients need printed off statement to prepare their taxes,” Dawn Ingram, office manager of Starkville Urology in Starkville, MS, said in an email on Monday. “Their lack of proper communication and updates to their clients (as well as their servers obviously) has cost us a fortune.” Her practice was finally able to reconnect earlier today, but others still can't.

“A week out and they still cannot give us an estimated time we will all be back and running,” the Connecticut-based internal medicine provider said. While he says some staff at the facility can access their EHR again as of today, their practice management system is still down.

The company confirms that the impacted data centers at Allscripts are infected with a variant of SamSam, a complex malware that isn’t acquired through phishing emails or bad links.

“SamSam is not very automated. The hackers behind it will brute-force their way into a network and then infect everything that they can connect to. It works a lot differently…and seems like it really targets healthcare and hospitals,” Adam Dean, practice manager of incident response at GreyCastle Security, said in an interview.

The hacker or group behind SamSam is known to use a unique variant of the ransomware in each attack. They also set the ransom differently depending on the organization they attack. Earlier this month, Hancock Regional Hospital in Greenfield, Indiana, paid roughly $55,000 to rid itself of the virus.

While SamSam encrypts entire systems, it is not believed to export data from them, and Allscripts says it has no reason to believe any information has been stolen. There is also no evidence that any client practices themselves have been infected with the virus. Allscripts says it notified the FBI upon detection and is assisting in the agency's investigation.

That may be limited comfort, however, to clinics struggling through a 7th straight day of outages.

Allscripts did not immediately respond to requests for further comment.
