Electronic health record (EHR) vendor Allscripts may have restored service after being targeted by a ransomware attack, but now faces a class action lawsuit alleging it left clients vulnerable to hackers.
The suit from Boynton Beach, Florida sports medicine practice Surfside Non-Surgical Orthopedics claimed Allscripts showed “wanton, willful, and reckless disregard” for cybersecurity and was aware of deficiencies in its software that could be exploited by attackers. Allscripts was the target of a “SamSam” ransomware attack on Jan. 18, which the suit said cut off Surfside’s access to the EHR platform and some e-prescribing functions.
“What makes the SamSam attack so pernicious is that by encrypting (and hobbling) key components of Allscripts’ network, it also hobbled Allscripts’ ability to conduct its business—the Allscripts Professional EHR System—and crippling an undisclosed number of e-prescribing system vulnerabilities,” the suit said. “This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers.”
SamSam attacks have been a known threat since 2016, but the suit said Allscripts neglected to “take adequate and reasonable measures to implement, monitor, and audit its data systems” against such an attack. The suit asks for damages related to the costs of the business disruption caused by the attack, to Allscripts' alleged breach of contract in failing to secure its systems, and to consumer fraud for allegedly misrepresenting its security capabilities.
“Allscripts knew or should have known that its computer systems and security practices and procedures were inadequate and that risk of a ransomware attack, data breach, or theft was high,” the suit said.
The complaint also seeks class action status to include other providers impacted by the attack. Allscripts had said around 1,500 of its customers were affected.