A group practice in Florida has filed the first lawsuit against Allscripts related to the ransomware attack that brought the company’s cloud-based services offline for more than a week.

The suit does not specify an amount of damages, asking the court to award an “equitable amount” for restoration of services and compensation for lost revenue, among other damages.

Meanwhile, the company announced on Friday that service to all clients affected by the malware attack has been restored, eight days after the attack began.

Surfside Non-Surgical Orthopedics in Boynton Beach, Fla., filed a class-action complaint against the vendor, charging that Allscripts failed to secure its systems and data from cyberattacks, including ransomware attacks, preventing clients from conducting their routine and ordinary business.

The class represented in the suit is large, covering 45,000 physician practices and 180,000 physicians.

“As a result of the ransomware attack experienced by Allscripts…Plaintiff could not access its patient records or electronically prescribe medications, forcing Plaintiff to cancel appointments, thereby causing significant business interruption and disruption, and lost revenues,” the lawsuit states. “Additionally, Plaintiff has expended significant time and effort resolving these issues resulting from the breach, including communicating with patients to reschedule appointments.”

Allscripts does not comment on pending litigation, a spokesperson said. Surfside’s attorney provided a copy of the suit, but Surfside executives declined a request for an interview.

In the suit, Surfside notes that Allscripts’ web site emphasizes that the company promises extreme vigilance in protecting sensitive information with which it has been entrusted, and in its most recent 10-K filing to the Securities and Exchange Commission, the company stated it would be subject to liability in the event of a breach and acknowledged the significant risks and disruptions of such an event.

“We have devoted and continue to devote significant resources to protecting and maintaining the confidentiality of this information, including designing and implementing security and privacy programs and controls, training our workforce and implementing new technology,” Allscripts noted in the SEC filing. “We have no guarantee all these programs and controls will be adequate to prevent all possible security threats.”

The company also told regulators that while it has cyber insurance, it cannot give assurance that the coverage will prove to be adequate or continue to be available on acceptable terms.

In the suit, Surfside notes that Allscripts reportedly was attacked with the SamSam strain of ransomware that has been used by hackers for nearly two years. “Healthcare industry knowledge and awareness of the widespread issues with SamSam ransomware have been known since at least as early as March 2016,” the plaintiff contends in the lawsuit. “Allscripts disregarded Plaintiff’s and Class Members’ rights by intentionally, willfully, recklessly and/or negligently failing to take adequate and reasonable measures to implement, monitor and audit its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced.”

The suit charges that Allscripts, by failing to reasonably safeguard systems, breached its contracts with all class members. It also contends that the vendor, headquartered in Chicago, has violated the Illinois Consumer Fraud Act by falsely representing its security posture.

“Allscripts knew or should have known that its computer systems and security practices and procedures were inadequate and that the risk of a ransomware attack, data breach or theft was high. Allscripts’ actions in engaging in the above-named unfair practices and deceptive acts were negligent, knowing and willful, and/or wanton and reckless with respect to the rights of Plaintiffs and the Class.”

Consequently, the lawsuit seeks relief including damages, restitution, punitive damages, injunctive relief and/or attorneys’ fees and costs. The plaintiff asks for a jury trial.
