Billion-dollar American health care company Allscripts faces a lawsuit for failing to secure systems and data after it was crippled by a SamSam ransomware attack earlier this month.
The lawsuit was filed in Illinois by the Florida-based Surfside Non-Surgical Orthopedics on behalf of all clients affected by the incident. The company, which provides health care IT solutions like health record and practice management as well as electronic prescription services, was first hit by ransomware on Jan. 18. It took more than a week to fully recover.
In that time, the lawsuit alleges, patient records were out of reach, business and care were interrupted and revenue was lost.
“Allscripts was aware, however, that at all times pertinent hereto, that deficiencies in its product and services could result in privacy and security vulnerability or compromises and failed to take adequate measures to protect against any such event,” the lawsuit charges.
The plaintiffs then point to a recent Allscripts 10-K filing with the SEC that outlines cybersecurity risks faced by big health care firms.
SamSam, first spotted in early 2016, has been on a particularly destructive and profitable tear as of late. Two American hospitals were hit in quick succession by a new variant of the malware earlier this month. Administrators at those hospitals paid at least $45,000 to the attackers.
In total, the SamSam campaign has made at least $325,000 in ransom, according to Cisco’s Talos Intelligence.
An estimated 1,500 Allscripts clients were affected by the attack. The company called that a “limited” impact considering that its customer base extends into the hundreds of thousands.
Many took to social media to express their anger in the wake of the incident.
#ransomware attack on Allscripts has taken down our e-prescribing, EPCS and some other services! Yikes!! At least we don’t use their hosted application I hear many hosted practices couldn’t access their EMR yesterday. Talk about a shutdown!
— Yvette Crabtree, MD (@YCrabtreeMD) January 19, 2018
I work for a one physician office and we are at a stand still. Our practice mainly handles the elderly population who doesn't understand our reasoning for not being able to make appointments. We are unable to post charges. How does #Allscripts expect to get paid when we don't?
— Dawn Marie Ingram (@thrdmathis) January 22, 2018
#Allscripts #Ransomware continues. We're entirely offline. No access to past visits, results or even pt-schedules! No reminder calls or even pre-visit prep, since every arrival is a surprise. Allscripts told clients Mon it expected to restore "meaningful service to most by Tue AM" https://t.co/6g4YbL5XIg
— Gary Greenberg (@GGreenberg) January 25, 2018