Allscripts hit with a class-action lawsuit one week after ransomware attack

lawsuit and book
A Florida practice claims Allscripts failed to secure its systems, which led to last week's ransomware attack. (Getty/eccolo74)

Allscripts has barely recovered from a ransomware attack that wiped out access for 1,500 clients and it's already being hit with a class-action complaint alleging it failed to adequately secure its systems against potential intruders.

Filed on Thursday by Surfside Non-Surgical Orthopedics, a sports medicine and pain practice in Boynton Beach, Florida, the complaint alleges Allscripts was aware of deficiencies that could compromise its systems, but its “wanton, willful, and reckless disregard” led to service disruption.

Surfside further argues that SamSam, the strain of ransomware that struck Allscripts on Jan. 18, has been a well-known threat at least since March 2016, and the company’s failure to audit or monitor data systems crippled its EHR and e-prescribing systems and disrupted patient care. Had providers known Allscripts failed to take the necessary precautions, they would have purchased services from another vendor, according to the complaint (PDF), filed in a Northern Illinois District Court.

RELATED: Allscripts offered to buy Practice Fusion for $250M. A DOJ investigation changed everything

In its failure to secure its systems, the class-action suit claims Allscripts committed negligence, breach of contract, unjust enrichment and violated several state laws. Surfside, on behalf of all affected clients, is demanding unspecified restitution and compensatory damages.

The lawsuit is not entirely surprising given the level of frustration from small physician practices impacted by the ransomware attack. Throughout the week, as Allscripts worked to get its cloud-hosted solutions back up, many small practices were irritated by the response and frequently complained that the company was downplaying the impact. Others said they were forced onto Allscripts' cloud during a 2012 upgrade with promises that the security features were better.

On Thursday, some users told FierceHealthcare they had filed complaints with the Office of the National Coordinator for Health IT, while talk of a lawsuit surfaced on the company’s client message board.

RELATED: Physician practices report lost revenue and patient care disruptions following Allscripts ransomware attack

Providers continued to struggle logging in to Allscripts Professional EHR and Patient Management (PM) applications on Thursday, even as company officials said their systems were back online and intact. Those that were able to access the applications complained of downtime and an inability to transfer data between PM and EHR applications. On a Thursday call with users, Allscripts officials acknowledged that many users were still having difficulty with their login and said they were working with Microsoft to resolve the issue.

Without access to scheduling and claims management tools, practices were forced to cancel procedures, and several office managers said they would have to take out loans to make up for lost revenue.