Cyberattack Lawsuit Against Allscripts Dismissed by District Judge

June 10, 2019 - The lawsuit filed against Allscripts after it was hit by a ransomware attack in 2018 was recently dismissed by an Illinois judge, as the plaintiff Surfside Non-Surgical Orthopedics named the parent company ‘INC’ instead of the appropriate ‘LLC’ that handles the EHR giant’s privacy and cybersecurity, Law360 first reported.

“While LLC may have carelessly used INC’s name in some documents, that is not a sufficient basis to allow the court to find that INC qualifies as a direct participant in the incident,” US Illinois District Judge Sara Ellis said in her decision.

“The majority of the evidence shows that INC’s behavior was consistent with normal parent-subsidiary behavior,” she added.

In January 2018, two of Allscripts’ North Carolina data centers fell victim to a SamSam ransomware attack. As a result, the centers were compromised and crippled, which left many Allscripts’ clients without access to their EHRs for up to a week.

The cyberattack crippled Allscripts’ InfoButton, e-prescription login, regulatory reporting, clinical decision report, direct messaging, and Paypath applications. All services were restored by January 26, a little more than a week after the attack.

Florida-based Surfside filed a lawsuit soon after, alleging Allscripts could have better mitigated the attack and the downtime significantly impacted its providers that rely on their EHRs.

“This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers,” according to the lawsuit.

“Allscripts disregarded plaintiff’s and class members’ rights by intentionally, willfully, recklessly, and/or negligently failing to take adequate and reasonable measures to implement, monitor, and audit its data systems, which could have prevented or minimized the effects,” the plaintiff added.

They argued that the healthcare sector had been aware of the SamSam threat since May 2016.

In July 2016, Allscripts asked the judge to dismiss the class-action lawsuit, arguing Surfside sued the wrong entity: the Florida provider sued Allscripts Healthcare Solutions, Inc., which is the nonoperating holding company of Allscripts Healthcare, LLC – the actual vendor hit by the cyberattack.

Further, they alleged Surfside purposefully filed the suit in that manner to avoid their contract’s arbitration clause.

“Even if Plaintiff had sued the right entity (though it did not), its claims would still fail for numerous reasons,” Allscripts argued. “Plaintiff asserts a breach-of-contract claim against an entity with which it has no contract (although it is now saying it is going to dismiss that claim after months of prodding).”

“But no matter: Because there is a valid contract governing the parties’ relationship, plaintiff’s tort claims are foreclosed by the economic loss doctrine,” they continued. “Its claim for unjust enrichment is precluded by the existence of an express contract with LLC.”

The dismissal upholds Allscripts claim, with Ellis explaining that both the testimony and evidence around Allscripts’ security policies demonstrated the INC does not have control over security wrongdoings. While Surfside argued that emails from 2016 showed the INC had more involvement in its security overview and policies, the judge did not agree with their argument.

“Because the attack impacted service to LLC clients — and Surfside concedes that INC was not a party to its contract with LLC — it makes sense that an LLC employee generated and sent these e-mails,” Ellis said in her decision.

“As such, Surfside asks the court to draw inferences about INC’s involvement that are inconsistent with the majority of the evidence and the court declines to do so,” she added.

Surfside intended to create a class-action status to cover all providers impacted by the Allscripts’ outage, as well as monetary damages for lost revenue and business disruptions. HealthITSecurity.com reached out to Surfside to determine their next steps and will update the story if more information becomes available.

Comments are closed.