AllScripts Faces Class Action Lawsuit Because of Ransomware Attack

AllScripts was attacked by ransomware last week, resulting in the unavailability of its services. Thousands of healthcare providers cannot access patient data or the e-prescription service. AllScripts now faces a class action lawsuit filed by Surfside Non-Surgical Orthopedics in Florida.

AllScripts is the provider of EHR and e-prescription services to 2,500 hospitals as well as 19,000 post-acute care organizations. Because of the SamSam ransomware attack on the company’s data centers in Raleigh and Charlotte, NC last week, several applications went offline and became inaccessible to 1,500 clients.

Microsoft and Cisco’s incident response teams helped restore AllScripts’ e-prescribing service by Saturday. But the PRO EHR system remained unavailable. There’s no confirmation as to the time the system will be fully restored.

The lawsuit against AllScripts was filed in the U.S. District Court for the Northern District of Illinois. Allegedly, AllScripts knew about the vulnerabilities of its security but still neglected its responsibility to secure its systems against cyberattacks. As noted in the company’s recent 10-K filing, “If our security is breached, we could be subject to liability, and our clients could be deterred from using our products and services.”

According to Surfside Non-Surgical Orthopedics, the plaintiff, they suffered significant business interruptions and lost revenues because of the ransomware attack and resulting loss of services. The claims in the class action lawsuit against AllScripts include breach of contract, unjust enrichment and violations of the Uniform Deception Trade Practices Act and Consumer Fraud Act of Illinois.

AllScripts has not yet disclosed the full extent of the ransomware attack. It’s possible that more clients were impacted than AllScripts declared. This lawsuit could last 18 months unless AllScripts opts for an immediate resolution.

AllScripts may also face penalties for violating HIPAA. The Department of Health and Human Services stated that if ePHI becomes encrypted by ransomware, it is assumed that unauthorized individuals have already taken control of the ePHI. Such an incident results in unauthorized disclosure of PHI. Under the HIPAA Privacy Rule, it must be reported to HHS unless the risk of PHI compromise is very low.

Whether the company gets penalized for the unauthorized ePHI disclosure or not, HHS may still continue to investigate the class action lawsuit against Allscripts. Each aspect of HIPAA compliance, e.g. employee security training, ransomware recognition, security incident report, will be scrutinized by HHS.