Surfside Non-Surgical Orthopedics has filed a class action lawsuit against Allscripts for allegedly failing to secure its systems during the ransomware attack that affected about 1,500 Allscripts users on January 18.
“As a result of the ransomware attack experienced by Allscripts and as further described below, Plaintiff could not access its patients’ records or electronically prescribe medications, forcing Plaintiff to cancel appointments, thereby causing significant business interruption and disruption, and lost revenues,” stated court documents obtained by EHRIntelligence.com.
“Additionally, Plaintiff has expended significant time and effort resolving these issues resulting from the breach, including communicating with patients to reschedule appointments,” continued Surfside legal representatives.
The Florida-based orthopedics practice is charging Allscripts with five counts, including negligence and breach of contract.
Surfside maintained Allscripts should have been aware of the strain of ransomware that attacked its Professional EHR and EPCS systems — SamSam — since March 2016. The health IT company’s alleged failure to adequately protect against a potential SamSam attack constitutes negligence, the orthopedics practice contended.
“Allscripts disregarded Plaintiff’s and Class Members’ rights by intentionally, willfully, recklessly, and/or negligently failing to take adequate and reasonable measures to implement, monitor, and audit its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced in January 2018,” stated the documents.
Surfside claimed it was forced to interrupt its daily business and clinical processes as a result of the ransomware attack. The practice is holding Allscripts accountable for all economic damage and expenses allegedly incurred during the attack and in subsequent efforts to restore its systems.
Furthermore, Surfside claimed it was still experiencing disruptions from the ransomware attack as recently as January 25. Specifically, the practice was allegedly still having problems accessing and carrying out transactions with Allscripts product offerings, submitting e-prescriptions, and accessing patient EHRs.
“Allscripts’ wanton, willful, and reckless disregard caused a complete and total interruption of service, and further caused Plaintiff and the Class monetary and other damages,” wrote Surfside representatives.
Surfside also claimed Allscripts misrepresented the security of its products.
The practice stated it “would not have purchased Allscripts’ products and/or software had they known that Allscripts did not take all necessary precautions to protect itself from cyberattack, including ransomware attacks.”
In addition to negligence and breach of contract, Surfside is charging Allscripts with unjust enrichment, violating the Illinois Consumer Fraud Act, and violating the Illinois Uniform Deceptive Trade Practices Act.
The practice alleged Allscripts engaged in deceptive, unfair, and unlawful trade acts by misrepresenting its security practices and ability to protect patient PHI.
Surfside will seek damages on behalf of all affected Allscripts clients. The amount in damages will be determined in a jury trial at a later date.
Allscripts’ client base currently includes 180,000 physicians at 45,000 physician practices, 19,000 post-acute care agencies, and 2,500 hospitals.
Allscripts users across the country were forced into EHR downtime following the ransomware attack. The Moss Free Clinic in Virginia was among the practices that reverted to relying on paper records and handwritten prescriptions in the days after the security incident. Physicians and nurse practitioners were required to manually write out patient encounter notes.
The clinic was not forced to cancel any appointments, but administrative staff members were reportedly unable to schedule future appointments during the period of EHR downtime. Allscripts functionality affected by the ransomware included InfoButton, regulatory reporting, clinical decision support, direct messaging, and Payerpath.
Allscripts has not posted an acknowledgment of the ransomware attack on its website.