A recent ranswomware attack on Allscripts, a leading health IT and electronic health record (EHR) vendor, resulted in chaos for hundreds of providers as well as a class action lawsuit, according to court filings.
On January 18, Allscripts was attacked by a strain of ransomware called SamSam, disrupting the EHR and e-prescribing systems of at least 1,500 Allscripts subscribers. According to FierceHealthcare, 45,000 physician practices and 180,000 physicians use Allscripts, so not all subscribers were impacted. But for those that were affected, there was a mad scramble to document patient visits on paper records and to use hand-written prescriptions instead of electronic prescribing. And many providers felt that Allscripts dropped the ball on alerting providers about the disruption as well as taking proper security precautions to prevent such an attack in the first place.
Less than a week after the attack, a Florida-based sports medicine and pain practice called Surfside Non-Surgical Orthopedics filed lawsuit claiming that Allscripts failed to secure its systems and servers against this well-known threat, and that the company committed negligence, breach of contract, and unjust enrichment, and violated several state laws.
“Allscripts disregarded Plaintiff’s and Class Members’ rights by intentionally, willfully, recklessly, and/or negligently failing to take adequate and reasonable measures to implement, monitor, and audit its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced in January 2018,” the lawsuit states, according to HealthITSecuirty.com.
“As of the date of the filing of this Complaint, Plaintiff and the Class continue to experience significant business interruption and disruption as a direct and proximate result of their inability to: access and transact with Allscripts’ products and services; submit electronic prescriptions; and to access any patient records or any of the above modules,” the document continues.
Additionally, rather than requesting damages for a specific amount of money, Surfside is asking “for an award of actual damages and compensatory damages, in an amount to be determined.”
Because the ransomware attack impacted scheduling and claims management tools, some practices had to cancel procedures, while other practices told FierceHealthcare that they would have to take out loans to cover the lost revenue during the outage.