Healthcare providers reached out to SC Media after reports that their electronic medical records vendor, Eye Care Leaders, allegedly concealed ransomware attacks. (Airman Tyler Catanach/Air National Guard)

Unresponsive. Completely ignored. Misleading. Breached contracts. In a highly regulated industry like healthcare, these are not words one would expect to hear about a vendor tasked with hosting the electronic medical records of small providers and their related patient data.

But in the wake of the coverage detailing a number of cited violations against Eye Care Leaders stemming from multiple, allegedly concealed ransomware attacks in 2021, numerous providers reached out to SC Media eager to share their own experiences with ECL, hoping to get help dealing with what they said feels like an inescapable situation.

“We just wanted to be able to get out of our contract,” after losing a week's worth of data as a result of the ECL breach, one provider told SC Media, asking to not be named for fear of retaliation. “But they just completely ignored us.”

Eye Care Leaders did not respond to requests for comment. A spokesperson from the Department of Health and Human Services Office for Civil Rights, which enforces compliance with healthcare regulations including the Health Insurance Portability and Accountability Act, said the OCR can’t comment on open or potential investigations.

But pages of documents shared with SC Media about provider experiences during the spring incidents, paint a picture of at best customer service failures and at worst misleading practices.

Healthcare providers plea for help with ECL

One current ECL client detailed more than a year of failed conversations, ignored IT requests, and alleged legal threats from the vendor. Their story is nearly identical to countless others shared with SC Media, and upheld by copies of ECL contracts and other documents detailing correspondences with the vendor.

The provider described its own March 22 incident, where staff were unable to access the EMR. The practice called ECL, whose tech team told the provider repeatedly that they were working on the issue; to be patient.

The practice was without access to the EMR for a week, forced to rely on paper processes in order to keep patient care afloat. During that time, rumors in the provider community circulated that ECL was the victim of a ransomware attack. When the provider inquired with ECL directly, they were again told that the team was working on the issue, that it wouldn't be much longer, that a notice would likely go out the following day.

Each time the practice would reach out, the response was the same: there was no ransomware. ECL continued to give similar assurances that it was “just some issues” being worked out, though no official notice came. The provider spoke with several practices going through the same outages with similar responses from ECL. Their stories were virtually the same: they were “being ignored, not getting straight answers, being lied to, and not getting callbacks,” said the provider.

Two or three weeks later, confirmation of a ransomware attack came in the form of a post on another website.

ECL incident response, mixed messages

SC Media was provided a copy of the notice from ECL that came several weeks after the March 2021 incident, which noted cooperation with law enforcement and leveraging of outside forensic and cyber experts.

"At this stage, the attack appears contained and limited in scope, and based on an initial analysis, does not appear to have involved the extraction of data or other data theft," the notice stated. "Some customers continue to experience slow processing speeds due to the recovery environment currently hosting the product and recovered data...ECL is addressing these issues by migrating the affected instances of the product and data to a different server system.”

When providers asked ECL whether data was breached during the incident, they were told “nothing critical was compromised.” Similar claims of unresponsiveness and misrepresentation were detailed in an amended filing in the provider-led lawsuit filed by Alliance Ophthalmology, Dallas Retina Center, and Texas Eye and Cataract.

Fast forward to earlier this year: the provider who spoke with SC Media was given by ECL a list of all patients that were indeed affected by the March 2021 incident, though with no specifics on the data in question. The provider was later informed that a week’s worth of the practice’s data was lost by ECL, though it was unclear whether those loses was caused by the attack or due to the shift in servers. The provider claims the loss was caused by ECL’s backup processes, which purportedly only happened once a week, and ECL allegedly “had not backed anything up after March 12.”

“There were no updates made the week of the 20th, and the data is all gone,” as the provider wasn’t able to get into the system. “If anything was updated the week of the 15th or the 22nd, there’s no digital record of that either.” 

While the reason behind the data loss is unclear, the practice is missing data from March 15 through March 22, which means they can’t bill patients for those services.

Also noteworthy: if the data loss was indeed caused by the ransomware and not reported by OCR, questions emerge about ECL's compliance with HIPAA. OCR clarified in August 2016 that providers must assume ransomware attacks are data breaches unless they could prove otherwise. Stakeholders have stressed that once access to data is lost to encryption, it’s difficult to assert that a breach hasn’t occurred. It’s why most ransomware attacks are filed as breaches with OCR “out of an abundance of caution.”

Yet, none of the providers that raised the alarm or ECL filed a breach report with OCR about the alleged ransomware incidents. When asked if the provider knew whether their data was compromised in March 2021 and if they reported it to OCR, the provider said ECL told them “nothing critical was compromised.”

Such reliance on the vendor is not that unusual, particularly when medical offices so often lack technical forensic expertise to assess potential incidents themselves, said Impact Advisors’ Principal Dr. Dan Golder.

“Unfortunately, small providers and offices often simply do not possess the knowledge or financial resources necessary to assess the impact of a ransomware breach, and therefore, may not be able to adequately determine whether their electronic PHI was compromised,” he added. Even if data was encrypted on a hard drive prior to the breach, “the burden of proof that ePHI was not ultimately compromised remains with the owner of the data.”

Stuck between a communication rock and a hard contract

As more and more details emerged from providers about breached data, some cut ties with the vendor. But many that contacted SC Media still find themselves at the mercy of contract language.

“We’ve seen historically with some software vendors that contracts may establish significant barriers to exit, making it difficult and often costly to switch vendors,” said Golder, pointing to early termination penalties as one example. “It’s difficult enough to switch EMRs as it is, but providers sometimes sign contracts with less than favorable terms, and unfortunately they’ll be legally bound by those terms should they choose to switch vendors.”

Indeed, one practice asked ECL to let them out of their contract, pointing to failure by the vendor to provide description of protected health information involved in a 2021 breach, or the identity of individuals involved. According to the practice, ECL said the cost to terminate would be more than $200,000, or the cost associated with the remainder of their contract period. And unfortunately, the burden of proof necessary to terminate a contract due to breach of terms lies with the provider.

A lawyer representing a client tied to the April lawsuit, Russ Ferguson, partner of Womble Bond Dickinson, shared: “We have been retained by several ophthalmology practices to terminate contracts with ECL, recover data, and recapture damages lost as a result of ECL’s contractual breaches and subsequent misrepresentations.”

Indeed, at the heart of the lawsuit against ECL and the experiences shared with SC Media is contractual guarantee from the vendor that its software would maintain a 95% uptime. Providers claim ECL failed to maintain that guarantee. In March 2021 alone, uptime was just 77% if the EMR platform was, indeed, down for a week. 

Under the service level agreement, clients were told they would have a clear remedy: ECL will “reduce the next month’s subscription fee" in the event that the software uptime falls below 95% measured over a calendar month. For example, the contract states that the next month’s subscription will drop by 10% if the SLA drops between 94.9% to 85% or by 20% when the SLA drops between 75% to 84.9%.

But providers that spoke to SC Media said that discount standard was not applied. Though there were clear periods of outages and lack of access to their own patient records, ECL allegedly continued to bill clients.

“We were told we would not be charged, and we were charged the complete full service,” said the one provider. When they brought it to ECL’s attention, the provider was told “there’s no record that anyone told you that you wouldn’t be charged.”

Multiple interviewees shared the same interactions with ECL, which are also similar to the issues raised in the provider-led lawsuit: “ECL continued to invoice licensees for the full monthly service fee as if nothing had happened.”

"Contracts can get complicated very quickly,” Golder said. “And providers will be well-advised to engage experienced legal help in these types of cases.”

For ECL, more legal woes; for most providers, little recourse

As for ECL, legal woes continue. Since the initial lawsuit, a patient sued ECL over the allegations, as well as one reported ransomware attack and data theft from December 2021 that currently stands as the biggest healthcare data breach reported in 2022 with over 3 million impacted patients from nearly 40 providers.

Further, the initial provider-led lawsuit has since been amended with new evidence detailing alleged unresponsiveness and misrepresentation that breach the contract ECL itself provided to clients. Among other things, the amended complaint points to evidence of corrupt or encrypted databases as a result of the ransomware a week after the March 2021 attack – about when providers claim ECL was stonewalling their requests for information about outages.

Providers told SC Media that some patients ended up leaving, disenchanted when appointments or surgeries could not be delivered as scheduled.

And yet, providers who spoke with SC Media see no avenue of recourse for ongoing fallout from the incident that go beyond billing disputes with ECL. Some patients ended up leaving impacted practices, disenchanted when appointments or surgeries could not be delivered as scheduled. Other doctors said their reputations were harmed in their community given the unreliability of the technology supporting their practices. And more than a year later, most still don’t know the extent of the incidents, nor what happened to their data. Legal action may be required to get answers and compensation for losses, but they bring a heavy burden of proof that translate to thousands of dollars in forensics and legal fees.

“We spent a lot of money already. And we were trying to avoid a lawsuit, especially if we had to go to North Carolina for the litigation,” the provider told SC Media. “ECL has a lot more financial backing behind it than one little physician practice.”