Allscripts EHRs fall victim to ransomware attacks

January 23, 2018

Allscripts, an EHR company headquartered in Chicago, is still working to recover from a ransomware attack on Thursday, January 18, affecting two of its national data centers. Several users of Allscripts EHR systems have experienced outages and other difficulties.

Here is a brief timeline of events.

  • On January 18, HIStalk posted, “Allscripts reports that a ransomware attack has taken down some of the applications that are hosted in its Raleigh and Charlotte, NC data centers. The company says Allscripts Professional EHR is unavailable to customers hosted in those data centers, as are instances of its electronic prescribing of controlled substances system. Allscripts says it expects to restore its systems quickly from backups.”
  • On January 19, Health IT vendor Allscripts acknowledged that a ransomware incident had impacted a limited number of its applications, per Healthcare Informatics.
  • On January 22, Healthcare Informatics reported that Allscripts outages continued and were expected to continue throughout the day on Monday. Allscripts’ recovery strategy “is focused on getting data restored via backups and alternative access methods.” According to the report, incident response teams from Microsoft and Cisco were called in to help. As systems were restored, Allscripts stated that backup systems were not affected by the incident and only minimal data loss was anticipated. Electronic prescribing functions were restored.

Physicians are expressing frustration on social media over the inability to access their patient records. There are numerous reports of offices closing and surgeries cancelled.

Per MedCityNews, Allscripts released the following statement:  

On early Thursday morning, January 18, we discovered a ransomware attack had affected two of our data centers, which house a small subset of our products. The ransomware has since been identified as a new variant of the SamSam malware. Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored. In addition, we immediately notified the FBI and have been providing information to assist with their investigation. Importantly, there is no evidence that any data was removed from our systems. We continue to work unceasingly to restore all services to our clients who are still experiencing outages.

As medical practices have moved to electronic health records (EHR), many have been attracted by the cloud-based or hosted environments offered by various vendors. In many ways, practices have been relieved of the HIPAA Security Rule requirement to have a contingency plan, including a data backup plan and testing procedure, in place.

However, as a covered entity, you are required by the Privacy Rule to obtain satisfactory assurances from your business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.

The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. Read more about Business Associates on the Health and Human Services website.

Cyber security and privacy attorneys Adrian Senyszyn and Shawn Tuma provide the following recommendations for using EHRs, especially Allscripts:

  1. Document whether or not your practice had trouble accessing the system.
    1. If no, sign and date the incident report.
    2. If yes, document the nature of the problems, how long they persisted, and whether you can access information.
  2. Contact Allscripts if you were affected; document all calls with Allscripts.
  3. Identify your patients who could have been potentially affected.
  4. Review your Allscripts contract and business associate agreement to determine Allscripts’ requirements to report information to you and your breach notification requirements.
  5. Determine if your Allscripts/EHR agreement has a downtime clause and whether the vendor is meeting this agreement.
  6. Report a cyber incident. All TMLT policyholders have a cyber insurance endorsement on their policies. It is important to report a cyber incident as soon as you are aware an incident has occurred, but no later than 60 days after you become aware of the incident to determine if you have coverage for the incident. 
  7. Know where your data is maintained. In the case of Allscripts, two of its data centers were affected. Knowing where your data is hosted and where the redundant backup is hosted is an important part of your practice’s contingency planning.
  8. If you have a local server (not hosted by Allscripts or another EHR), it is a good time to determine if you have clean backups for all of the data or electronic protected health information you maintain. When your IT vendor or in-house IT staff do a test restore from backup, document it as part of your ongoing HIPAA Security Plan.

It is a good time for all practices to check their insurance to determine if they are comfortable with their current cyber insurance coverage and limits. Questions about your TMLT cyber insurance coverage should be addressed with your underwriter, by calling 1-800-580-8658. 

General questions about HIPAA and Cyber Risk Management can be addressed by calling TMLT’s Product Development and Consulting Services at 1-800-580-8658 or by emailing us. You may also visit our website.
