Class-Action Lawsuit Claiming Business Interruption Brought Swiftly After Ransomware Attack

Legal action arising from data breaches is a fairly common occurrence these days. To a large extent, such legal action focuses on the disclosure of confidential information and the potential impact of such disclosure"”for example, when credit card numbers are disclosed, the impacted consumers may bring a lawsuit claiming they suffered damages due to their credit card numbers being improperly used or sold on the black market. A recent lawsuit involving a ransomware attack, however, shows how impacted entities are broadening the scope of their legal thinking. Instead of focusing on the impact of an improper disclosure of information, the lawsuit focuses on the concrete business consequences caused by a lack of access to necessary electronically stored data.

Allscripts Healthcare Solutions, Inc., a major American electronic health record and practice management vendor, is facing a class-action lawsuit only ONE WEEK after suffering a ransomware attack. The class action complaint filed in the U.S. District Court for the Northern District of Illinois by Surfside Non-Surgical Orthopedics, P.A. of Boynton Beach, Florida, alleges that Allscripts failed to secure its systems and data from the ransomware attack, which blocked practices' access to patient records and caused cancelled appointments, significant business interruption, and lost revenues.

On January 18, 2018, Allscripts's data centers in Raleigh and Charlotte, North Carolina, were attacked by a strain of ransomware called "SamSam," resulting in the encryption of patient health-related information in Allscripts's network. Allscripts's Professional EHR and Electronic Prescriptions for Controlled Substances services were reportedly hit hardest by the attack. The class action complaint states that the ransomware attack has prevented practices from being able to access and use Allscripts's products and services, submit electronic prescriptions, and access patient records. The complaint demands restitution and compensatory damages.

Allscripts's products and services reportedly connect 45,000 physician practices; 180,000 physicians; 19,000 post-acute agencies; 2,500 hospitals; and 7.2 million patients through its patient engagement platform. The complaint states that Allscripts "intentionally, willfully, recklessly, and/or negligently fail[ed] to take adequate and reasonable measures to implement, monitor, and audits its data systems, which could have prevented or minimized the effects of the SamSam ransomware attack it experienced."

Allscripts reported it has restored services to all of its clients affected by the ransomware attack and notified the Federal Bureau of Investigation (FBI). The class-action complaint against Allscripts includes causes of action for negligence, breach of contract, unjust enrichment, violation of Illinois Consumer Fraud Act, and violation of the Illinois Uniform Deceptive Trade Practices Act.

Ransomware is a unique type of malware because it denies access to data, typically by encrypting the data and locking access to it unless a decryption key, only known by the hacker, is provided. The hacker will usually demand payment in crypto-currency before allowing access to the data. The class-action complaint calls attention to how ransomware attacks can be particularly dangerous in the health care industry where rendering patient data "completely inaccessible to the enterprise or computer user . . . can mean life or death." The HIPAA security rule requires covered entities and business associates to implement security measures to help prevent malware. Health IT vendors such as Allscripts are typically required to implement these security measures as business associates of the practices to which they provide services.

If this class-action lawsuit is successful, it could have a significant impact on the health information technology industry. Vendors and other players will be forced to reassess their security measures and potential liability, which could further impact pricing and liability terms in health IT contracts. The swiftness with which the lawsuit was brought should also serve as a warning. In an age when instant access to electronically stored data and computer systems is not just expected but is often necessary, any interruption to that service could have significant and immediate consequences. Cybersecurity and breach response policy reviews and "risk assessments" appropriate to the type and amount of data maintained by an organization must be regularly reviewed and updated.