Ransomware Sparks Class Action

Hospital Hall

On January 25, 2018, Allscripts, a platform service provider for managing electronic health care records, experienced a ransomware attack. The ransomware was a variant of the “SamSam” malware. Allscripts restored its systems with backups, but after several days, some users could not access the system. The affected users filed a class action lawsuit against Allscripts in federal court. This case demonstrates how a ransomware infection can carry significant liabilities for a company.

SamSam Ransomware

SamSam is different than many types of ransomware. Attackers distribute SamSam manually through compromised servers instead of using a traditional attack vector such as a phishing campaign. Also, SamSam focuses its attacks on the health care industry, which is troubling for medical providers.

JexBoss – click to enlarge

Using JexBoss, an open source exploit tool, attackers leverage vulnerabilities in a JBoss Application Server to distribute SamSam. Once the attackers gain access to the network, they encrypt systems running Windows with the ransomware. SamSam utilizes the RSA-2048 asymmetric encryption algorithm, which uses a public and private key. To obtain the private key, the victim must send a ransom payment to the attacker.

Before the Allscripts attack, another version of SamSam infected two hospitals in Indiana, Hancock Health and Adams Memorial. CSO reported that Hancock paid 4 bitcoins to recover the encrypted files. Hancock decided that paying the ransom was a better solution than manually restoring the system.

Reasonable Measures

The class action complaint, filed in the Northern District of Illinois, alleges that Allscripts failed to prevent the ransomware attack. The plaintiffs accuse Allscripts of negligence, breach of contract, unjust enrichment, and violating Illinois statutes regarding fraud and deceptive practices. They claim to suffer economic damages from significant business disruptions. They explain that Allscripts did not apply “appropriate processes” that would minimize an attack’s effects. Notably, they claim that Allscripts failed “to take adequate and reasonable measures to implement, monitor, and audit its data systems.”

Reports indicate that Allscripts prepared by taking some basic measures for a cyber attack. These “reasonable measures” include making scheduled backups and having a response policy.

Allscripts made full backups on Fridays and incremental backups during the other weekdays. As a best practice, the backup method that Allscripts used should restore operations in a short period of time. However, after several days of being down, Allscripts admitted that some users still could not log in. Affected users complained on Twitter that they could not access their records or billing system. A health provider for the elderly commented that patients did not understand why they could not make appointments.

An attorney for the plaintiffs, Steven Teppler, did not verify any details about Allscript’s backups. However, Teppler believes that the number of affected users may potentially be higher than currently known. Teppler further explained that Allscripts did not disclose the full extent of the impact.

Protection and Monitoring

With a ransomware infection, management must decide either to pay the ransom or restore the data. Unfortunately, either decision could have unintended consequences that can deepen a company’s liability.

The class action against Allscripts is a reminder that one ransomware infection can damage multiple businesses. Companies must take adequate measure to protect and monitor their networks. For example, the presence of JexBoss on a system without management’s approval could be an indication of malicious activity. This is why companies need to monitor their systems and have security practitioners perform periodic vulnerability testing.

To learn all about ransomware protection, Pixel Privacy offers a comprehensive guide:
Ransomware: What Is It And How Can You Prevent It?.

Share this article!

Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She also served as a member of The Florida Bar Journal/News Editorial Board from 2018-2024. She is currently a member of the Florida Bar Cybersecurity and Privacy Law Substantive Law Committee.