Allscripts is asking an Illinois district judge to dismiss a class-action lawsuit over a January ransomware attack that took down multiple clients' EHRs for about a week, arguing the case should be resolved in arbitration, according to HIPAA Space.
Surfside Non-Surgical Orthopedics in Boynton Beach, Fla., filed a class-action lawsuit on behalf of all customers who were affected by the downtime — roughly 1,500 physician practices — against Allscripts' parent company, Allscripts Healthcare Solutions.
The suit alleges Allscripts failed "to secure its systems and data from cyberattacks, including ransomware attacks," the complaint reads. According to Surfside, Allscripts' EHR and electronic prescription system outages resulted in canceled appointments, "significant business interruption and disruption, and lost revenues."
In the court filing, Allscripts argued Surfside intentionally sued its parent company to avoid the arbitration clause outlined in its contract with the vendor. Even if Surfside sued the right company, Allscripts claims the incident was caused by a criminal act and not Allscripts' negligence.
"A criminal attack executed using a brand-new malware variant is precisely the kind of unforeseeable intervening act that breaks the chain of proximate causation," the court filing stated, according to HIPAA Space.
Becker's Hospital Review reached out to Allscripts, but company spokesperson Concetta Rasiarmos declined to comment because the company does not discuss pending litigation.
Responding to Allscripts' counter filing, Surfside argued the parent company was at fault, noting its "acts and/or admissions affected the circumstances that gave rise to the attack and its fall-out."
In its original complaint, Surfside argued that the ransomware variant, known as SamSam, has been a known vulnerability since March 2016. It added that the company's "wanton, willful, and reckless disregard" led to service disruption.