By Kathie McDonald-McClure

What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹

Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to enter new data or submit insurance claims during these down times.²

Allscripts’ Response & Investigation. Allscripts reportedly called incident response teams from Microsoft and Cisco to help remove the ransomware and restore data from backups. Allscripts engaged Mandiant, a cyber incident response firm and affiliate of the cyber security company FireEye, to investigate how the ransomware got access to the servers and was installed. Early reports are that the ransomware is not a strain that removes, exfiltrates or views actual data files. Rather the version of malware that attacked Allscripts, called SamSam, was reportedly a strain that merely encrypts the data so that it cannot be used or viewed by the data’s authorized users in order to extort money from the host.  Allscripts reports that no protected health information (PHI) was viewed or removed by the attackers.³

The Class Action Lawsuit. On Thursday, January 25, 2018, four law firms filed a putative, nationwide class action complaint against Allscripts in federal court in Chicago, Illinois, where Allscripts is based. The lawsuit was filed on behalf of Surfside Non-Surgical Orthopedics, P.A., based in Boynton Beach, Florida, and all others similarly situated. The lawsuit alleges that the Allscripts ransomware attack prevented Allscripts’ clients from accessing patient records or electronically prescribing medications, thereby forcing cancellation of appointments, an interruption in patient care, significant business interruption and disruption as well as lost revenues. The complaint alleges that as of the date of filing, the full functionality of Allscripts services had not yet been restored.⁴

Significantly, Paragraph 30 of the class action complaint alleges that the ransomware attack constitutes a “breach” under HIPAA, stating: “The SamSam [ransomware] attack on Allscripts’ systems and data is also considered a breach under the HIPAA Rules because there was an access of PHI not permitted under the HIPAA Privacy Rule: . . . ” Paragraph 30 goes on to quote material from the HHS Ransomware Fact Sheet.   The Class Action Complaint’s allegation that the Allscripts ransomware attack is a “breach” gives rises to notification and reporting obligations of covered entities under HIPAA, as further discussed below.

Notification Duties for a “Breach” under HIPAA. The HHS Ransomware Fact Sheet makes clear that providers who store PHI on a computer that is encrypted with ransomware have one of two choices: a) accept the presumption of a breach and notify all patients whose PHI was maintained on the attacked computer within 60 days of the attack; or b) document that one of the breach exceptions under 45 C.F.R. §164.402 applies.⁵  Specifically, if the provider, through forensic and other evidence, can rebut the presumption of a breach under 45 C.F.R. §164.402(2) as discussed in more detail below, the provider can avoid having to notify all his or her patients about the Allscripts ransomware attack.   Depending on the facts, a provider also may have an argument that the breach exception under 45 C.F.R. §164.402(1)(iii) applies if the evidence, including forensic evidence, supports a provider’s good faith belief that the unauthorized person to whom “disclosure” of PHI was made (i.e., the attacker) could not have retained the PHI accessed during the attack.  Although the HHS Ransomware Fact Sheet makes only a passing reference to the exceptions under §164.402(1), exception (1)(iii) is arguably available depending on the facts and circumstances.

The duty to provide notification within 60 days of a “breach” is what makes the lawsuit’s allegation of a “breach” under HIPAA most troubling.  Importantly, if a provider can demonstrate meeting a breach exception, the provider avoids the duty to notify patients of the Allscripts ransomware attack. If there is no documentation of an applicable exception, however, the provider may have a harder time defending a lack of notification to patients who had PHI on an Allscripts server encrypted with ransomware.  Will the HHS Office for Civil Rights (OCR) penalize providers who used the ransomware-attacked Allscripts servers but failed to comply with HIPAA’s breach notification provisions?

Rebutting the Presumption of a Breach: The LoProCo Analysis. The presumption of a breach may be rebuttable depending on the existence of evidence to support it.  Documentation of evidence that rebuts the presumption of a breach due to ransomware may avoid a duty to notify all patients of the Allscripts ransomware attack but the evidence must meet four specific criteria. The applicable criteria are set forth in 45 C.F.R. §164.402(2), which states:

Except as provided in paragraph (1) of this definition [which sets forth exclusions from the definition of a breach], an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [regarding the privacy of individually identifiable health information] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i)   The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii)  The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv)  The extent to which the risk to the protected health information has been mitigated.

(Bracketed material and emphasis added by author.)

HHS stated in its Ransomware Fact Sheet that a ransomware attack on a computer holding PHI constitutes “access” that triggers the presumption of a breach and the duty to notify unless there is a written analysis meeting the above “low probability of compromise” four-factor test (“LoProCo Analysis”).

What Providers Impacted by the Allscripts Incident Can Do. Each provider’s facts will vary. Accordingly, it’s best to consult with legal counsel with HIPAA expertise to obtain advice for your specific situation. At the same time, also check your insurance policies for data breach coverage (see below) and provide timely notification of the incident to your insurer.  Generally, legal counsel will need to review your Allscripts services agreement and Business Associate Agreement (BAA) to determine each party’s duties and responsibilities with regard to security incidents and breaches.  Providers may be able to delegate the notification duty to Allscripts but should have their legal counsel review their BAA with Allscripts to determine if and how to do so.  Your legal counsel might want to reach out to legal counsel for Allscripts in regard to the following:

• Whether Allscripts is investigating and collecting evidence that meets the criteria to rebut a presumption of a breach under HIPAA.  If so, determining who is performing the investigation and who is preparing the written LoProCo Analysis.
• Obtaining a copy of Allscripts’ written LoProCo Analysis in sufficient time to still notify patients within the 60-days if necessary.
• Reviewing Allscripts’ LoProCo Analysis to confirm that it meets HIPAA’s standard for rebutting the presumption of a breach.
• In lieu of a LoProCo Analysis, determining whether Allscripts can assume the duty to notify the provider’s patients who had PHI in the impacted servers that such servers incurred a ransomware attack. Ensuring proper notification will require coordination between Allscripts and the healthcare provider.

Legal counsel may advise you to take other steps to ensure your rights are protected with regard to the class action lawsuit and to advise you on how to document compliance with HIPAA for this incident in the event OCR follows up with an audit or investigation into your response to Allscripts’ ransomware incident.

Cyber Risk Insurance May Cover Legal Fees.  Many insurance brokers are now securing endorsements for healthcare liability policies that cover expenses related to security incidents and data breaches, including legal fees. But you must give the insurer notice of the security incident and obtain approval for the specific counsel you use.  Call your broker to confirm coverage and help provide notice.

¹ “Allscripts recovering from ransomware attack that has kept key tools offline,” by Steve Ragan, CSO – Salted Hash, Jan. 21, 2018 (click here); “Allscripts Ransomware Attack Impacts Cloud and EPCS Services,” HIPAA Journal, Jan. 22, 2018 (click here).

² Id.; “Providers Continue to struggle with access as Allscripts brings data back online,” by Evan Sweeney, FierceHealthcare, Jan. 24, 2018 (click here).

³ Id.

⁴ See Case No. 1:18-cv-00566, Surfside Non-Surgical Orthopedics, P.A. v. Allscripts Healthcare Solutions, Inc., Class Action Complaint, filed  Jan. 25, 2018 in the United States District Court, Northern District of Illinois (available here).

⁵“Ransomware still evolving, but paying hackers is still the wrong idea, The week-long Allscripts outage and hospitals shut down by ransomware provide valuable lessons for organizations hoping to avoid a similar fate”, by Jessica Davis, HealthcareITNews, February 1, 2018 (click here).

DISCLAIMER: This alert is not intended to be legal advice. The subject matter is complex and how it applies to any particular individual or organization may vary significantly depending on specific facts and situations. Recipients should not rely on information in this alert as a substitute for competent legal advice that is specific to the circumstances of the reader. The information in this alert also should not be relied upon to form an attorney-client relationship. This alert may link to other materials for convenience, however, such links do not imply responsibility for or endorsement of the linked material or its author(s). Lawyers who contribute content to this alert do not seek to practice in jurisdictions in which they are not properly permitted to do so. Legal services may be performed by lawyers other than the lawyers contributing content to this alert.