Editor's note: portions of this article were updated on December 2 at 11:30 am, MST.
A surprising number of Casamba customers contacted us after their ordeal resulting from the November 14 ransomware attack entered its second week. We are respecting their request to remain anonymous but we have verified that the comments come from users of Casamba's HealthWyse home health and/or hospice software.
"We have been down for a week. Mobile is back up and they tell us Office should be back up this weekend. Our understanding is that ePHI has not been affected. All of it has been down."
"Casamba EMR has been down since Thursday 11/14 — putting thousands of patients at risk. Healthcare providers on their system have resorted to paper processes in order to manage during this massive outage."
"Casamba has admitted to being attacked by ransomware but has not spoken to any details and has not announced anything public about this outage in the last 12 days. This might be a record-setting outage for an EMR to be completely offline and I think the news should be surfaced. Their team has been quiet about the issue. They have posted to Twitter and Facebook three times during the outage with no mention of it."
"'Everything is fine,' that's rich. We could not be further from 'fine.' We are running at less than 20% capacity and still have scheduling on paper as it takes 12+ minutes to load a single patient for scheduling. That's not 'fine,' nor is it hyperbole. That is an actual timed session load. Only emergency departments with the worst bleeding, such as the billing department, are able to use the 'fine' state of the system we have now. 'Sometime next week' is their stated hope to 'get into a better place' for customers."
"Never a proactive outreach from their end; any info we get is always pulled out of them. Never an offer to assist with the endless manual data entry from paper notes. Worse than that -- the scan feature, ScanWyse, that would be a boon for this paper nightmare, is last on the list! They are treating it as a small treat after the 'real' work is done."
"If your car is totaled and they offer you a bicycle to 'fix' your transportation problem, are you happy? Not if you travel 60 miles to work each day. Yes, a couple of days ago some functionality was restored. Going down for weeks is bad enough, but to duck and hide from Day One told me something was amiss straight away. The downtime and lack of preparedness takes your breath away."
Casamba Customers Are Reading Their Contracts
One of the HealthWyse customers who contacted us may have inappropriately disclosed contract language that the company expected to remain confidential when that customer quoted portions of its contract to us. We originally published it verbatim, unaware it was not public information. Upon request, we have removed the verbatim contract language for this updated version, and limit our reporting to a background summary of typical contractual language important to understanding this story.
Knowing their customers are completely dependent on programs and data always being available through an electronic connection, all Software as a Service vendors promise to implement a disaster recovery plan to ensure their users' business operations are never disrupted. They may guarantee such services as backup restoral within two to four hours. They always include in their disaster recovery plan a secondary, backup server hundreds of miles away that can immediately take over from a compromised server, quickly re-establishing all hosting operations so their users may be confident they are just as safe as, perhaps safer than, they would be with traditional installations of software on their own in-house servers.