Becker's Hospital Review

September Issue 2018 Becker's Hospital Review

Issue link: https://beckershealthcare.uberflip.com/i/1020287

Page 34 of 63

CIO / HEALTH IT

eClinicalWorks fined $132K for failing to comply with DOJ settlement agreement

By Julie Spitzer

The HHS Office of Inspector General fined eClinicalWorks $132,550 for violating a 2017 agreement with the Justice Department, which required the vendor to report patient safety issues with its EHR in a timely manner.

Nearly one year ago, eClinicalWorks paid $155 million to the federal government as part of a settlement to resolve allegations it falsified its EHR certification standards.

Part of that settlement included signing a five-year corporate integrity agreement requiring eClinicalWorks to notify regulators of reportable events — defined as issues that affect patient safety or "any identified instance of actual or suspected patient harm related to the EHR software" — within a specific timeframe. Should the issue result in a patient death, injury or readmission, the company would have 48 hours to notify OIG.

Failure to comply with the agreement would result in a $2,500 penalty that "shall begin to accrue on the day after the date the obligation became due for each day eClinicalWorks fails to establish and effectively implement" reporting of patient safety issues.

It is not immediately clear whether eClinicalWorks failed to report patient safety events altogether, if it failed to report the events in a timely manner or a combination of the two.

Hackers deface a Kaiser website

By Julie Spitzer

A Kaiser Permanente website used by employees, physicians and potential employees was hacked July 27 by a group called "Team Faceless Men," the blog DataBreaches.net reported July 30.

The hacking group defaced the Oakland, Calif.-based healthcare company's site, healthinnovation.kp.org, by replacing its normal images and information with a black screen that read "Hacked by Dohaeragon," seemingly a nod to the fictional language on Game of Thrones.

The healthinnovation.kp.org website provides information about an internal program within the health system. It did not include any protected health information, as the site was developed and hosted outside of the health system's network, a Kaiser spokesperson told Becker's Hospital Review. Hackers were also unable to access kp.org or any other Kaiser system.

The incident was reportedly fixed within a few hours; however, DataBreaches.net noted Kaiser's fix was to move the site to a different IP address.

Kaiser told Becker's July 31 that an investigation into the incident is ongoing. The spokesperson provided the following statement:

"We have investigated and are confident that there is no risk to member or patient data confidentiality. While still under investigation, we will be working with this vendor [who maintains healthinnovation.kp.org] to ensure appropriate levels of security going forward."

Allscripts seeks dismissal, arbitration in class-action lawsuit over January ransomware attack

By Julie Spitzer

Allscripts is asking an Illinois district judge to dismiss a class-action lawsuit over a January ransomware attack that took down multiple clients' EHRs for about a week, arguing the case should be resolved in arbitration, according to HIPAA Space.

Surfside Non-Surgical Orthopedics in Boynton Beach, Fla., filed a class-action lawsuit on behalf of all customers who were affected by the outages — roughly 1,500 physician practices — against Allscripts' parent company, Allscripts Healthcare Solutions.

The suit alleges Allscripts failed "to secure its systems and data from cyberattacks, including ransomware attacks," the complaint reads. According to Surfside, Allscripts' EHR and electronic prescription system outages resulted in canceled appointments, "significant business interruption and disruption, and lost revenues."

In the court filing, Allscripts argued Surfside intentionally sued its parent company, Allscripts Healthcare Solutions, to avoid the arbitration clause outlined in its contract with the vendor. Even if Surfside sued the right company, Allscripts claims the incident was caused by a criminal act and not Allscripts' negligence.

"A criminal attack executed using a brand-new malware variant is precisely the kind of unforeseeable intervening act that breaks the chain of proximate causation," the court filing stated, according to HIPAA Space.

Becker's Hospital Review reached out to Allscripts, but company spokesperson Concetta Rasiarmos declined to comment, as the company does not discuss pending litigation.

Responding to Allscripts' counter filing, Surfside argued the parent company was at fault, noting its "acts and/or admissions affected the circumstances that gave rise to the attack and its fall-out."

In its original complaint, Surfside argued that the ransomware variant, known as SamSam, has been a known vulnerability since March 2016. It added that the company's "wanton, willful, and reckless disregard" led to service disruption.
