Inside the 5-Count Class-Action Complaint Against Allscripts

Could the EHR vendor have prevented the SamSam ransomware attack or offset its effects?

When a strain of SamSam ransomware infected Allscripts last week, it kicked off a chain of problems that continues to grip the electronic health records (EHR) vendor. The most recent of which came to light this morning: a 5-count class-action lawsuit alleging that the company failed to establish protocols to prevent or negate the effects of such a cyberattack, among other things. The orthopedic group that filed the complaint yesterday hopes to win compensation—for itself and any other affected Allscripts clients—for service disruptions resulting from the debacle.

How much money the plaintiff, the Florida-based Surfside Non-Surgical Orthopedics, is seeking remains unclear, as does the number of healthcare practices that will sign on to the suit, which was filed in United States District Court for the Northern District of Illinois. (Allscripts has claimed that the ransomware attack and subsequent downtime for some of its services affected roughly 1500 clients; the complaint notes that the vendor provides data services to 45,000 physician practices and 180,000 doctors.)

But the complaint provides a glimpse of the frustration faced by community healthcare practices, some of whom have dealt with Allscripts service outages—specifically to the Allscripts Professional EHR System—hampering billing, appointment scheduling, EHRs, and more for 8 days, which allegedly harmed their businesses, according to the suit. The document also claims that Allscripts misrepresented how prepared it was to handle such a ransomware attack, which allegedly caused a data breach.

“What makes the SamSam attack so pernicious is that by encrypting (and hobbling) key components of Allscripts’ network, it also hobbled Allscripts’ ability to conduct its business … and crippling an undisclosed number of e-prescribing system vulnerabilities,” attorneys for the plaintiff wrote. “This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers.”

A spokesperson for Allscripts declined comment for this story, noting that the company does not discuss pending litigation.

The lawsuit, meanwhile, contains 5 counts alleging negligence, breach of contract, unjust enrichment, and violations of the Illinois Consumer Fraud Act and Uniform Deceptive Trade Practices Act. The gist of the plaintiff’s claims: Allscripts “breached its duties” by not instituting proper practices to deflect such an attack and violated HIPAA, which broke its agreements with its clients while lining company coffers. Further, the complaint alleges, Allscripts did this after “fraudulently advertising” its strong cyber defenses and ability to safeguard personal health information and keep services running smoothly.

Surfside and its attorneys claimed that Allscripts knew “deficiencies in its products and services could result in privacy and security vulnerability or compromises, and failed to take adequate measures to protect against any such event.”

After the company’s data centers in Raleigh and Charlotte, North Carolina, were locked up, some of its clients allegedly lost access to their EHR and e-prescribing systems, according to the suit. Billing and appointment scheduling problems further affected their businesses, hurting their bottom lines, according to the suit.

“This was a major disruption for physicians,” John Yanchunis, an attorney representing Surfside, told Healthcare Analytics News™ this morning.

Now, the orthopedic group and litigants who might join the class-action suit are seeking “equitable relief compelling Allscripts to utilize appropriate methods and policies with respect to ransomware protection,” along with restitution, monetary damages, and attorneys’ fees.

Yanchunis said it could take as long as 18 months to resolve the case, but Allscripts may choose to seek an immediate resolution. “I would hope that would be the case here,” he said.

In the meantime, according to the complaint, some medical practices are still experiencing problems with Allscripts services.

A Connecticut physician who practices internal medicine told HCA that his practice gained access to its system late afternoon yesterday, a week after the Jan. 18 SamSam attack. The EHR service appeared “slow and spotty,” he said, wondering what today might bring.

“Oddly, [Allscripts] initially told us we were going to have to change our passwords when we first logged on again, which made sense for security purposes,” the doctor said. “And then everyone logged in without having to—adding to how poorly managed this crisis was.”

Update: Allscripts says it has restored services to all clients as of 1:17 p.m. Jan. 26. Read more here.