United States v. eClinicalWorks, LLC

Decision Date: 06 December 2022
Docket Number: Civil Action 5:18-cv-382 (MTT)
Parties: UNITED STATES OF AMERICA, ex rel. ALEX PERMENTER, ERIC RODIGHIERO, and CHRIS WHEELER, Plaintiffs, v. eCLINICALWORKS, LLC, Defendant.
Court: U.S. District Court — Middle District of Georgia
ORDER

MARC T. TREADWELL, CHIEF JUDGE UNITED STATES DISTRICT COURT

In this action under the False Claims Act (“FCA”), 31 U.S.C. § 3729, Defendant eClinicalWorks moves to dismiss the relators' amended complaint on the grounds that the relators fail to state a claim. Doc. 69. The one-count amended complaint alleges two theories, and each theory is based on discrete flaws in eClinicalWorks' software. Doc. 34. eClinicalWorks does not move to strike specific allegations of flaws; it moves to dismiss the amended complaint in its entirety. Thus, relators maintain that if any one flaw supports a plausible theory of recovery, eClinicalWorks' motion must be denied. For the reasons discussed below, eClinicalWorks' motion (Doc. 69) is DENIED.

I. BACKGROUND
A. eClinicalWorks and the Relators

eClinicalWorks is a healthcare technology company whose principal business is developing and licensing electronic healthcare records (“EHR”) software to healthcare providers such as physician practices and hospitals. Doc. 34 ¶¶ 14, 16. According to eClinicalWorks, more than 130,000 healthcare providers use their software, making eClinicalWorks an industry leader. Id. ¶¶ 17-18. In 2017, eClinicalWorks settled an FCA claim alleging that eClinicalWorks' EHR software had numerous functional defects, including failing to reliably document and track medications administered to patients, failing to record and track patients' laboratory results, and failing to prevent editing of patient notes. Id. ¶ 19 (citing United States ex rel. Delaney v. eClinicalWorks, LLC, No. 2:15-cv-95, Doc. 1 ¶¶ 63-107 (D. Vt. May 1, 2015)). As part of the settlement of that FCA case, eClinicalWorks entered a Corporate Integrity Agreement (“CIA”) with the Office of Inspector General of the U.S. Department of Health & Human Services (“HHS-OIG”). Id. ¶ 20.

The CIA went into effect on May 30, 2017 and remained in place five years. Docs. 34 ¶ 20; 17-1 at 2. As part of its obligations under the CIA, eClinicalWorks was required to provide “timely access to ... relevant software, media, and code” to an independent software quality oversight organization (“SQOO”) approved by the HHS-OIG. Doc. 17-1 at 34. One of the SQOO's express obligations under the CIA was “to ensure that eClinicalWorks and its EHR software ... comply with applicable ONC Health IT Certification Program requirements.” Id. at 32. In return for satisfying its obligations under the CIA, the HHS-OIG agreed not to seek eClinicalWorks' exclusion from participation in Medicare, Medicaid, or other federal healthcare programs.[1] Doc. 34 ¶ 20.

Relators are computer and information technology (“IT”) specialists who live and work in Macon, Georgia. Id. ¶¶ 9-11. Relators' company, Alex's PC Solutions, provides IT, telecom, and web services to eighty-five businesses in the Middle Georgia area, including many healthcare practices. Id. ¶ 9. Relators service and support their healthcare clients' EHR software, some of which is provided by eClinicalWorks. Id. ¶ 47. Through this work, the relators gained “substantial knowledge” and “technical expertise” of eClinicalWorks' EHR software. Id. ¶¶ 9-11. According to the relators, eClinicalWorks' EHR software suffers from “grave security vulnerabilities” that “allow malicious actors to access the Protected Health Information (‘PHI'), social security numbers, and other private information of tens of millions of federal healthcare beneficiaries and other Americans.” Id. ¶ 2. These “grave security vulnerabilities,” which are distinct from the deficiencies raised in Delaney, are the bases of the relators' qui tam action. Id. ¶¶ 2, 19.

B. Alleged Flaws and Vulnerabilities in eClinicalWorks' EHR Software

The relators' 78-page amended complaint alleges numerous flaws and vulnerabilities in eClinicalWorks' flagship EHR software. See Doc. 34.

According to the relators, eClinicalWorks' EHR software cannot verify that anyone, whether authorized or unauthorized, is who they claim to be. Id. ¶¶ 56-86, 89-90, 95-102, 105-106. The relators claim eClinicalWorks' servers “include thousands of .jsp files,” most of which are accessible through a web browser without logging into the system. Id. ¶ 56. As a result, a user, without administrator access, a login, or a password, can browse the website of a particular healthcare provider's eClinicalWorks server, execute a .jsp command, and obtain the usernames of the healthcare provider's administrators and the security parameters that govern administrators' passwords. Id. With that information, the relators contend “any motivated bad actor could easily and quickly determine the actual passwords of individual practice administrators,” which in turn would allow complete access to the provider's EHR and underlying PHI. Id. ¶ 57.

Another alleged flaw is eClinicalWorks' use of a “bogus CAPTCHA feature,” which, according to the relators, is functionally useless and does “nothing to stop a bot from manipulating passwords and gaining access to the system.” Id. ¶¶ 59-61. Similarly, the relators allege eClinicalWorks' software uses a cracked password algorithm, MD5, which is “generally recognized to be a weak hashing algorithm” that is below “standard industry security practices.” Id. ¶¶ 62-68. By exploiting the MD5 algorithm, the relators “were able to determine the plain text passwords associated with 50% of the users' password hashes within 20 seconds.” Id. ¶ 68.
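Added illustration, not part of the court's order or the relators' complaint: the following Python script shows why an unsalted, single-round MD5 password table of the kind alleged above falls so quickly to a dictionary attack, and contrasts it with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The usernames, passwords and wordlist are constructed sample data; the hash-operation counts returned by the two `crack_*` functions are the point of comparison.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the case: a small practice user table
# with hypothetical usernames and passwords.
SAMPLE_USERS = {
    "admin": "Welcome1",
    "frontdesk": "password",
    "billing": "Summer2019",
    "drsmith": "Xk9#qL2!vR7m",   # strong; not in the wordlist
}

# Constructed wordlist. Real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "Welcome1", "letmein", "Summer2019", "qwerty"]


def md5_table(users):
    """Unsalted, single-round MD5, as alleged. Equal passwords give equal
    hashes, so a hash computed once can be checked against every user."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def crack_md5(table, wordlist):
    """Dictionary attack against the MD5 table.

    Returns (cracked, hash_ops). One MD5 per candidate word no matter how
    many users there are: the attacker builds a lookup table and matches
    every stored hash against it in constant time.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def pbkdf2_table(users, iterations=100_000):
    """Salted, iterated hashing with PBKDF2-HMAC-SHA256 (standard library).
    The iteration count is kept low for a fast demo; production settings
    should be higher, or use a memory-hard function such as scrypt/Argon2."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)                      # per-user random salt
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        table[u] = (salt, iterations, digest)
    return table


def pbkdf2_verify(password, record):
    """Constant-time comparison of a login attempt against a stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(table, wordlist):
    """Same dictionary attack against the salted, iterated table.

    Returns (cracked, hash_ops). The per-user salt forces a fresh derivation
    for every (user, word) pair and each derivation costs `iterations`
    HMAC rounds, so total work scales as users x words x iterations.
    Weak passwords are still recovered, but at a vastly higher cost.
    """
    cracked, ops = {}, 0
    for u, (salt, iterations, digest) in table.items():
        for w in wordlist:
            ops += iterations
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[u] = w
                break
    return cracked, ops


def cracked_fraction(cracked, users):
    """Share of accounts recovered, comparable to the relators' '50%' figure."""
    return len(cracked) / len(users)


if __name__ == "__main__":
    weak, weak_ops = crack_md5(md5_table(SAMPLE_USERS), WORDLIST)
    strong, strong_ops = crack_pbkdf2(pbkdf2_table(SAMPLE_USERS), WORDLIST)
    print(f"MD5:    {cracked_fraction(weak, SAMPLE_USERS):.0%} cracked, {weak_ops} hash ops")
    print(f"PBKDF2: {cracked_fraction(strong, SAMPLE_USERS):.0%} cracked, {strong_ops} hash ops")
```

The same three weak passwords fall in both cases; the difference is that the MD5 attack costs six hash operations for the whole table, while the salted, iterated table costs six figures of HMAC rounds per user and cannot be attacked with a precomputed lookup.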

The relators also allege eClinicalWorks' software is vulnerable to Structured Query Language (“SQL”) injection attacks, which the relators note have led to some of the largest data breaches in history. Id. ¶¶ 69-71. Specifically, the relators contend eClinicalWorks' servers are vulnerable to this “widely known” type of attack because their servers “are misconfigured so that this extra language will execute a command on the web server rather than return a webpage.” Id. ¶¶ 73-74 (internal quotation marks and citation omitted). After the relators' initial complaint was filed, eClinicalWorks released a security patch which purported to address the SQL injection attack vulnerability, but the relators allege that eClinicalWorks “used an extremely convoluted computer code to create the mere illusion” that the vulnerability had been remedied. Id. ¶ 85.
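Added illustration, not part of the court's order or the complaint, and not the vendor's code or schema: the following Python script uses an in-memory SQLite database with a constructed `users` table and `patients` table to show what the “extra language” the relators describe does when user input is pasted into a query string, and how the same queries behave with bound parameters. The table names, rows and endpoint functions are hypothetical.

```python
import sqlite3


def build_db():
    """Constructed in-memory database: a practice's users and patient records.
    Sample rows only; SSNs are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('admin', 'Welcome1', 'administrator');
        INSERT INTO users VALUES ('frontdesk', 'password', 'staff');
        CREATE TABLE patients (mrn TEXT, name TEXT, ssn TEXT);
        INSERT INTO patients VALUES ('1001', 'Sample Patient A', '000-00-0001');
        INSERT INTO patients VALUES ('1002', 'Sample Patient B', '000-00-0002');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user types becomes part of the SQL.
    A username of  admin' --  turns the password check into a comment."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL,
    so  admin' --  is simply a username that does not exist."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def search_patients_vulnerable(conn, mrn):
    """Record lookup built by concatenation. An input of  ' OR '1'='1  dumps
    every row; a UNION payload reads other tables through the same query."""
    sql = f"SELECT mrn, name, ssn FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def search_patients_parameterized(conn, mrn):
    """Parameterized lookup: only a literal MRN match is ever returned."""
    sql = "SELECT mrn, name, ssn FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def demo():
    """Run each attack against both versions and return the outcomes."""
    conn = build_db()
    bypass = "admin' --"                       # comments out the password test
    dump_all = "' OR '1'='1"                   # tautology matches every row
    union = "x' UNION SELECT username, password, role FROM users --"
    return {
        "login_vuln": login_vulnerable(conn, bypass, "wrong"),
        "login_safe": login_parameterized(conn, bypass, "wrong"),
        "dump_vuln": search_patients_vulnerable(conn, dump_all),
        "dump_safe": search_patients_parameterized(conn, dump_all),
        "union_vuln": search_patients_vulnerable(conn, union),
        "union_safe": search_patients_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:11s} -> {rows}")
```

Note that Python's `sqlite3.execute` refuses stacked statements, so a `'; DROP TABLE ...` payload raises an error here; drivers and databases that allow multiple statements per call would run it. The fix is the same in every case: bind parameters rather than build the statement from input.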

Further, the relators contend eClinicalWorks' EHR software “stores PHI, such as diagnostic tools used in connection with specific patients, ‘locally,' meaning on the physical computer on which the PHI is created.” Id. ¶ 104. Because the locally stored PHI is not encrypted, the relators allege any person “with access to one of these computers could access the files containing locally stored PHI regardless of whether that person was logged into eClinicalWorks' EHR software.” Id.

C. Relators' Theories of False Certification

The United States Department of Health and Human Services Office of the National Coordinator for Health Information Technology (“ONC”) “administers the [government's EHR] certification program and creates certification requirements for EHR vendors.” Id. ¶ 116. Under the certification program, eClinicalWorks, as an EHR vendor, “is required to certify to agents of the federal government, called ‘authorized certification bodies' and ‘accredited testing laboratories,' that the vendor's EHR technology satisfies ONC's certification requirements.” Id. According to eClinicalWorks' website, “eClinicalWorks V11 is a 2015 Edition ONC Certified Health IT Product.” Id. ¶ 119.

Relators allege that because of the flaws in eClinicalWorks' EHR software, eClinicalWorks necessarily made false representations to the government to obtain certification from the ONC. Id. ¶¶ 118-120. In turn, the relators contend eClinicalWorks caused healthcare providers to falsely certify that their EHR software complied with federal regulations, which allowed healthcare providers to obtain incentive payments or downward payment adjustments under various federal programs for which they would otherwise be ineligible. Id. ¶¶ 115-151. As a separate theory of FCA liability, the relators allege the security flaws in eClinicalWorks' EHR software make it impossible for healthcare providers using the software to truthfully certify compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Id. ¶¶ 107-114.

1. eClinicalWorks' EHR Software Allegedly Causes Healthcare Providers to Falsely Certify Compliance with Meaningful Use, MIPS, and PQRS Programs

Both the government's Meaningful Use Incentive Program and the Merit-Based Incentive Payment System (“MIPS”) that replaced it offered hospitals and physicians financial incentives to implement modern EHR systems in their practices. Id. ¶¶ 130-131, 135-136. “The Medicare Meaningful Use program provided ... incentive payments of as much as $43,720 [to] healthcare provider[s] who established meaningful use of certified EHR technology.” Id. at ¶ 131. Similarly, Medicaid's Meaningful Use program offered incentive payments of up to $63,750 to healthcare providers. Id.

Although Medicare meaningful use payments ended in 2016 and Medicaid meaningful use payments ended in 2021, the MIPS program that followed offered similar financial incentives for the use of certified EHR technology. Id. ¶¶ 131, 135-136. “Healthcare providers who participate in MIPS receive ‘positive payment adjustments' while non-exempted healthcare providers who do not participate in MIPS or do not satisfy governing MIPS criteria receive ‘negative payment adjustments.'” Id. ¶ 137. The payment...
