Allscripts seeks arbitration in class-action ransomware suit

Allscripts has asked an Illinois district judge to dismiss a class-action lawsuit filed after a ransomware attack took down the EHR vendor’s servers for a week, arguing that the dispute belongs in arbitration.

The lawsuit revolves around a January cyberattack involving a new variant of the SamSam virus. The attack brought down the company’s servers in North Carolina and knocked out access for nearly 1,500 physician practices. Several of those providers reverted to paper records and reported lost revenue and canceled procedures due to the disruption.

In a court filing last week, Allscripts argued that Surfside Non-Surgical Orthopedics, the specialty practice that filed the lawsuit, intentionally sued Allscripts Healthcare Solutions Inc., the parent company of Allscripts Healthcare, LLC, to avoid the arbitration clause outlined in its contract with the vendor.

Allscripts Healthcare Solutions Inc. is a "non-operating holding company with only eight officers, no employees, and no products or customers," according to the filing. 

“Plaintiff apparently hopes that, by suing a party with which it has no contractual or other business relationship, it can avoid the contract that governs the provision of the services it received from LLC,” Allscripts attorneys wrote in a court filing last week.

The company added that even if Surfside had sued the right company, the injury was caused by a criminal act rather than Allscripts’ negligence. It also said that it explicitly warns about the inability to prevent all cyberattacks in its annual financial filings.

“A criminal attack executed using a brand-new malware variant is precisely the kind of unforeseeable intervening act that breaks the chain of proximate causation,” the court filing stated.

In a subsequent filing, Surfside’s attorneys maintained the parent company was to blame, adding that the company’s “acts and/or admissions affected the circumstances that gave rise to the attack and its fall-out.”

Surfside originally argued that SamSam has been a known vulnerability since March 2016, and the company's “wanton, willful, and reckless disregard” led to service disruption.

In response, Allscripts apparently couldn’t resist a dig at Surfside and any other providers that encountered disruptions from the attack.

“Customers who had appropriate contingency plans in place—the existence of which practices may certify annually to the federal government in exchange for certain financial incentives—were minimally impacted by the attack,” the company wrote in a footnote in its motion to dismiss.