Allscripts Lawsuit: What Makes It Different?Attorney Steven Teppler Discusses Cyberattack at Center of Class Action Lawsuit
A class action lawsuit filed against Allscripts in the wake of a ransomware attack that recently disrupted patient care at hundreds of healthcare practices will spotlight a variety of critical security and legal issues, says attorney Steven Teppler.
"This is not your father's data breach case," says Teppler, a member of the attorney team representing plaintiffs and class members in the case that was filed against the cloud-based electronic health record vendor in an Illinois federal court on Jan. 26 (see Allscripts Ransomware Attack: Lawsuit Already Filed). "It is a case in which an entity has had its data system basically shut down because their data was encrypted [by the malware] and unable to be used," he says. As a result, Allscripts was unable to permit certain clients to access their remotely hosted EHRs or electronically prescribe drugs, he contends. And that cost these clients money, he adds.
"So the issue is you have a ransomware attack which prevents business from being done ... by at least 1,500 customers; but there's also this issue of whether this is considered a breach under the HIPAA Security Rule," he says in an interview with Information Security Media Group. Teppler contends the incident was a reportable breach under HIPAA because it impaired access to patient data.
"From our perspective not only is it pretty clear that there was an impairment of the ability of Allscripts' subscribers or customers to do business - to treat patients, to prescribe drugs, to view records of their patients - there was also a data breach pursuant to HIPAA rules," he says.
The lawsuit against Allscripts alleges that the vendor failed to secure its systems and data against cyberattacks, including ransomware attacks. So, as part of the discovery phase of the lawsuit, Allscripts' security practices will be put under the microscope, Teppler says.
"Security processes and policies are certainly within the purview of what we will be looking at to inspect, examine and scrutinize," he says. That includes "a combination of what an enterprise says it does - and what it actually does do - and then comparing that to what would be reasonable under the circumstances at other similarly situated providers."
An Allscripts spokeswoman says the company does not comment on pending litigation.
In the interview, Teppler also discusses:
- The potential extent of disruptions caused by the ransomware attack to Allscripts' healthcare provider clients and the patients they treat;
- Lessons about data security that other EHR vendors and their clients can learn from the Allscripts' ransomware attack;
- What comes next in the legal case against Allscripts.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., where he leads the electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is an adjunct professor at Nova Southeastern University Law School.