Electronic Healthcare Records , Litigation

$1 Billion Lawsuit Focuses on EHR Data Integrity Concerns

Suit Against eClinicalWorks Alleges Millions Potentially Harmed by Use of Software
$1 Billion Lawsuit Focuses on EHR Data Integrity Concerns

Some legal experts say a nearly $1 billion class action lawsuit filed against electronic health records vendor eClinicalWorks could be the first of many cases scrutinizing the data integrity issues of EHR vendors. Others, however, contend that those filing such lawsuits will face many hurdles.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The suit alleges that eClinicalWorks' cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means "patients and doctors cannot rely on the veracity of those records."

The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services' Office of Inspector General (see eClinicalWorks Case Shines Spotlight on Data Integrity).

The Justice Department alleged the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements. Among the requirements it didn't meet, according to DoJ: accurately recording user actions - such as orders for diagnostic tests - that are conducted in the course of a patient's treatment and ensuring data portability.

Alleged Shortcomings

The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company's software:

  • Periodically displayed incorrect medical information in the right chart panel of the patient screen;
  • Periodically displayed multiple patients' information concurrently;
  • In specific workflows, failed to accurately display medical history on progress notes;
  • Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient's treatment.

"As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records," the lawsuit complaint claims.

"Because the audit history does not accurately record user actions, there is no way for any patient to know if there records were deleted/altered/modified. In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions," the complaint says.

The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, "on behalf of herself and all others similarly situated."

The complaint alleges that prior to his death from cancer, Stjepan Tot learned that eClinicalWorks "failed to accurately display his medical history on progress notes. In particular, he was unable to determine reliably when his first symptoms of cancer appeared in that his medical record failed to accurately display his medical history on progress notes."

More Cases to Come?

Attorney Steven Teppler of the Abbott Law Group, who is not involved in the eClinicalWorks case, says the lawsuit against the EHR vendor is likely the first of other similar legal cases that could be filed against vendors focusing on the data integrity of their EHR products and the potential impact on patients.

"How do you make these [electronic health records] testably reliable?" Teppler says. "He who controls the computing environment controls history," he says. "As long as you have ... super-user control, you can backdate, alter undetectably [patient record information]" he says. "There's no independent audit agent in the digital world."

Lisa Rivera, a healthcare regulatory and fraud attorney at law firm Bass, Berry and Sims, says eClinicalWorks, like Equifax, which reported a data breach affecting more than 143 million individuals, "was in the business of ... information gathering and storing of protected and very private and personal information." That's because eClinicalWorks processes and stores EHR data in the cloud.

The case against eClinicalWorks puts a spotlight on vendors' overall software practices for "what security is in place, how it's being monitored, how it's being tested," she says.

Commenting on the lawsuit, privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek says: "It is difficult to forecast how this action will progress."

A complaint alleging a third-party service provider caused injury to an individual has to overcome several hurdles, he points out. "Does the plaintiff allege that the defendant directly, or indirectly caused them demonstrable injury? Did the defendant have a recognized duty of care to prevent the injury? Is there some remedy available to make the plaintiff whole?" he asks.

"Patient safety has long been a concern in the use of electronic health records. One aspect that has received attention is the occurrence of medication errors that can potentially harm patients."

He notes that some research has shown "that electronic health record use is a direct or indirect cause of medication errors that reach the patient. It is likely that incidents which can be tied to serious patient harm could be litigated, although it is much more likely that the healthcare provider administering the treatment will be the more likely target for lawsuits."

Attorney Stephen Wu of Silicon Valley Law Group notes that the lawsuit doesn't specifically claim Tot's clinicians made poor treatment decisions about his care based on information in a record created using eClinicalWorks' EHR system, causing harm to Tot. "Damages will be very hard to prove," he says.

Holtzman adds: "It is both expensive and time-consuming to investigate if the electronic health record was the cause of serious patient harm. While it is possible that incidents which can be tied to serious patient harm could be litigated, it is much more likely that the healthcare provider administering the treatment will be the target for lawsuits."

eClinicalWorks did not respond to an Information Security Media Group request for comment on the lawsuit.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network