What happens when a business associate allegedly fails to timely notify covered entities of ransomware attacks and a series of prolonged network downtime? A newly filed lawsuit details a host of care and business impacts, lost data, disruptions of service, and reputational damage due to a “concealed” ransomware attack and subsequent outages.
Filed in the U.S. Court for the Middle District of North Carolina, Alliance Ophthalmology, Dallas Retina Center, and Texas Eye and Cataract are suing ECL Group over these issues brought on by a series of ransomware attacks and other security issues, beginning in March 2021.
ECL, or Eye Care Leaders, is a healthcare business associate based in North Carolina that offers “ophthalmology-specific EHR and practice management systems.” The lawsuit notes the providers contracted with ECL for revenue cycle management and electronic medical records maintenance “to reduce the burden of the billing process, while improving continuity of care through a fluid EMR.”
Specifically, the providers purchased licenses to use ECL’s iMedicWare EMR software, which includes cloud hosting, backups, open platform booking sheet manager, adaptive templates, real-time audits, inventory and medication management, e-prescribing, and similar services.
There is no listing on the Department of Health and Human Services breach reporting tool or the ECL website regarding the ransomware incident.
However, the providers claim that ECL concealed the incident and related outage from clients for weeks, and “instead of working diligently to restore service, keeping its clients apprised of such efforts, and mitigating any damages, ECL did the opposite.” According to the suit, “ECL misrepresented to its clients what truly happened.”
ECL “continually promised service would be restored when it was not (to encourage physicians not to move to new service providers and invoiced its clients for services that were never provided. Many of those services remain unavailable months after the outage first occurred.”
The providers informed ECL of the “crippling effect” the outage had on their practices and subsequent and/or potential incurred damages. But the lawsuit claims ECL either failed to respond to those concerns, or misrepresented the situation, while the long-term outages were met with “further misrepresentations from ECL.”
“Rather than be transparent about experiencing a ransomware attack, ECL initially tried to hide what happened from its clients in order to keep them from exercising their remedies under the EMR contracts and to avoid having to make the fee concessions required under those contracts,” the lawsuit alleges.
Some service disruptions are allegedly ongoing, at the time of the lawsuit filing.
It should also be noted that according to ECL’s filings with the North Carolina Secretary of State, the company’s sole manager, Greg E. Lindberg, was “convicted of conspiracy to commit honest services wire fraud and bribery concerning programs receiving federal funds” last year and sentenced to 87 months in prison.
Initial attack details
The lawsuit sheds light on the security incident that impacted ECL’s iMedicWare “on or about March 2021.” One provider notified the vendor that it was unable to bill for testing after the event, which occurred “due to recent iMedicWare failures after an update.” The suspected update “caused complete disorganization of [the provider’s] charts."
The same provider informed ECL the platform was inaccessible between four and seven days and caused severe disruption to licensees’ practices because they could not access patient data during this period.
A second provider informed ECL of an outage it experienced on Mar. 22, 2021. The lawsuit explained that the vendor acknowledged the outage and would have the system restored on the same day, but that did not occur.
The platform was not restored the following day either, and while ECL acknowledged ongoing issues with the platform, the ransomware issue was not disclosed. The vendor instead sent emails enmasse to its clients, calling the outage a “technical issue” and omitting the alleged ransomware cause.
ECL did not inform clients of the ransomware attack until one week after the outages began, the lawsuit claims. “ECL also continued to claim via mass email to licensees that access and functionality would be restored soon thereafter. And after each promised restoration date passed, ECL moved the goalposts.”
The state of flux held clients “hostage to ECL’s limited communications and misrepresentations when it did communicate. Licensees could do nothing other than rely on ECL to plan and schedule for their practices during this period.”
By failing to be transparent about the outage, the providers claim they had to change their plans made on failed promises to match the shifting misrepresentations given by the vendor.
What’s more, ECL informed clients that the ransomware attack corrupted and encrypted some of its databases. The lawsuit claims the vendor never recovered patient data from March 15 to March 19, 2021, which means the clients’ data is permanently lost, and the impacted providers were unable to bill for those patient services without the records.
The functionality and services of the iMedicWare platform were not restored for more than 30 days after the attack. But even after the platform was restored, the providers allege the platform had numerous, shorter outages throughout April and another three-day outage beginning on June 7, 2021.
The lawsuit also claims ECL faced another ransomware attack deployed on April 8, 2021, causing another five separate outage periods. On April 27, 2021, led one provider to stop a scheduled surgery due to one of those outages.
Allegations of negligence
The ransomware attack also impacted the myCare integrity EMR between Aug. 27 and Aug. 27. ECL’s communications again omitted the ransomware cause, characterizing the outage as a performance or systems issue, according to the suit.
“Upon information and belief, the attack was by a former ECL employee,” the suit claims. After an employee left ECL, the vendor did not revoke access, which enabled the employee to continue accessing the systems and “wreaked havoc” with their prior credentials.
“This was not a sophisticated cyberattack: it was gross negligence,” the lawsuit continued. “Even after ECL finally disclosed the attack, it continued to misrepresent the extent of the attack and how long it could take to restore access to and the functionality of myCare Integrity, noting only via mass email that it was ‘diligently working to resolve the issue.’”
The outages on this platform lasted for several weeks. During that time, the providers claim they spent significant time and resources ensuring they maintained compliance with HIPAA and state law disclosure obligations, while ensuring there was no risk to patient safety or continuity of care, “and thus had to spend significant sums ensuring they complied with that duty.”
More than a month after this attack, ECL rolled out a viewer to give providers a limited view of patient information but it had no other functionality. The providers claim they had no access to scans or important images. In short, “for months on end, [the provider’s] were crippled due to ECL’s failures to maintain the security of patient information, access, and functionality of the EMR.”
At the time of the filing, providers still don’t have full functionality of the myCare Integrity platform. And when one provider attempted to transition to a new EMR vendor, they couldn’t export the patient data from ECL.
Lawsuit alleges severe losses, contractual violations
Despite these outage periods, the lawsuit claims ECL continued to invoice clients for the full monthly service costs “as if nothing had happened” and in violation of contract provisions.
Even worse, patients left the named providers’ practices “due to the continued negative impact of ECL’s failures,” the lawsuit claims. “ECL’s failures also harmed licensees’ reputations and abilities to attract new patients.”
The providers also couldn’t submit required reports to The Centers for Medicare & Medicaid Services because they didn’t have access to the required data, which resulted in the loss of incentive payments under the Medicare Merit-Based Incentive Payment System.
To address the outages, the providers either hired new staff or paid overtime for existing employees to manually input the data and manage payments and scheduling, while relying on paper records. Some providers were also forced to transition to a new EMR to address the unreliability of the platform during the impacted period.
The lawsuit details several contractual measures taken by the provider to prevent the alleged situation, including ensuring that ECL would return provider data if they transitioned to a new vendor and contract provisions to support providers when or if ECL systems were out of service.
But the providers claim ECL violated those contract provisions. Namely, the contract entitles the physician practices to receive their data when leaving ECL’s service. But the lawsuit alleges ECL “has continually refused to provide such data after repeated demands.”
Further, the contract stated that ECL would provide its EMR software for commercial use and would make reasonable efforts to keep the EMR software available 99% of the time and would not cause downtime due to scheduled maintenance or a “force majeure event counted against the 99% threshold.”
Should an outage occur, the lawsuit states that ECL agreed to fix the issue within an hour, if it ECL was at fault, or within 12 hours if it “was a defect that did not cause losses or interruptions of accessibility of the software, but could cause such issues if not corrected, such as one or more systems being down.”
At the latest, the contract stated that ECL would fix the problem within 72 hours if an outage was caused by a defect “that did not cause loss or interruption of accessibility of the software, but involved failure of a device or subsystem that had minor impact on site functionality and had not resulted in any performance degradation.”
Should an outage occur that violated those timeframes, the lawsuit claims ECL agreed to reduce monthly subscription fees by 10 - 50%. ECL also agreed to comply with federal, state, and local laws, as well as the Health Insurance Portability and Accountability Act in regards to protecting protected health information.
The three named providers all signed HIPAA business associate agreements attesting to the aforementioned contractual provisions.
“There are numerous questions of law and fact … these include, but are not limited to, common issues as to whether ECL breached its obligations under its contracts… whether ECL failed to use appropriate safeguards” and protect client data, and whether ECL failed to disclose the ransomware attacks involving the [client] data,” according to the suit.
The lawsuit also seeks to address whether ECL issued misleading, fraudulent, and deceptive statement and if the alleged conduct constitutes an unfair and deceptive trade practice. The providers are seeking a class-action suit given the alleged impacts and are seeking damages, which total an “excess of $75,000.”