Florida practice sues Allscripts after ransomware attack
Surfside Non-Surgical Orthopedics has filed a class-action suit against Allscripts alleging the company didn't protect against a ransomware attack to its cloud-based applications. The Jan. 18 attack caused clients to lose access to the applications, reported Fierce Healthcare.
The Boynton Beach, Florida-based practice alleges that Allscripts knew of issues with its systems, but did not fix the problems despite knowing about the threat, which ultimately led to the access issues this month.
Providers were still having problems logging onto Allscripts EHR and other applications at the end of last week, which led providers to cancel procedures and lose revenue.
Allscripts hasn't posted any explanation of the problem on their Twitter account, but many healthcare officials have spoken out about the issue and how it has impacted their practices.
Allscripts hasn’t provided any concrete answers or solutions. They have left us in the complete dark. It’s clear they don’t have contingencies in place. Horrible system horrible service.— Angela Grant (@Sweetpeagrant) January 19, 2018
I work for a one physician office and we are at a stand still. Our practice mainly handles the elderly population who doesn't understand our reasoning for not being able to make appointments. We are unable to post charges. How does #Allscripts expect to get paid when we don't?— Dawn Marie Ingram (@thrdmathis) January 22, 2018
Ransomware attacks are on the rise and issues with cybersecurity remain a problem. A recent Protenus and DataBreaches.net report found 477 cybersecurity problems reported in 2017, a slight increase from 2016. The report suggested the trend will continue throughout 2018. Ransomware and malware attacks more than doubled from 30 in 2016 to 64 in 2017. Fifty-eight breaches involved theft and 18 included lost or missing records.
Another problem facing health IT is that it’s taking longer for companies to realize they were even attacked. The report said it took an average of 308 days in 2017 for companies to detect breaches, up from 233 days the previous year. One incident lasted 14 years before anyone noticed.
In recent ransomware attacks, Indiana-based Hancock Health and Coplin Health System in West Virginia found ransomware temporarily shut down computers and may have compromised patient information.
Though Allscripts is far from the only healthcare company hit by ransomware and other IT attacks, the lawsuit shows organizations may need to defend themselves in court if they’re not protecting themselves. Not only does this mean money spent on a legal case, but also a potential hit to an organization's reputation.
What’s a system to do? Cybersecurity experts recommend stronger authentication and procedures to access computers. The HHS Office of Civil Rights suggested organizations improve their electronic authentication methods, conduct enterprise-wide risk analyses to identify cyber vulnerabilities and look into how breaches could impact operations. The ORC has also taken action against breaches and threatened more investigations into organizations' security.
Congress is also concerned about data breaches. A recent bill introduced in the Senate called the Data Security and Breach Notification Act would require companies report data breaches promptly or face being held criminally accountable. The legislation came on the heels of Uber acknowledging that hackers stole personal data on 57 million drivers and riders in 2016. Uber paid hackers $100,000 to destroy the data and didn't report the breach until the next year. The bill would require companies alert consumers within 30 days of discovering a breach. Employees who willfully conceal a breach could face five years in prison.