Scripps Health Ransomware Attack Leads to Class-Action Lawsuits

June 23, 2021 - Scripps Health in San Diego, California is facing two class-action lawsuits after a recent ransomware attack that led to EHR downtime and disruptions in care. The plaintiffs claim that the attack was preventable, therefore the hospital system’s leaders were negligent in failing to stop the breach.

According to the San Diego Union-Tribune, the attack forced Scripps to shut down its patient portal and divert patients. Two of Scripps’ four main hospitals and backup servers were impacted by the ransomware attack.

In a letter sent to affected patients, Scripps wrote: “On May 1, 2021, we identified unusual network activity. We immediately initiated our incident response protocols, which included isolating potentially impacted devices and shutting off select systems.”

With further investigation, Scripps Health determined that an unauthorized individual deployed malware on the hospital system’s network and acquired copies of documents on April 29th, 2021.

“On May 10, 2021, we discovered that some of those documents contained patient information. Upon conducting a review of those documents, we determined that one or more files may have reflected your name, address, date of birth, health insurance information, medical record number, patient account number, and/or clinical information, such as physician name, date(s) of service, and/or treatment information.”

In a lawsuit filed on June 7th, the plaintiff claimed that the hospital system put them at risk as their personally identifiable information (PII) and protected health information (PHI) could be sold on the dark web, and the impacted patients now face a constant risk of identity theft. 

“Plaintiff brings this action on behalf of all persons whose PII and PHI was compromised as a result of Defendant’s failure to: (i) adequately protect the PII and PHI of Plaintiff and Class Members; (ii) warn Plaintiff and Class Members of its inadequate information security practices; and (iii) avoid storing and sharing the PII and PHI of Plaintiff and Class Members without adequate safeguards,” said the class action complaint. 

The plaintiff and class members claimed that the value of their PII and PHI have diminished, and their out-of-pocket expenses rose as they had to deal with the associated prevention and recovery. Both lawsuits are requesting $1,000 per violation.

Another class-action lawsuit filed on June 1st asserted that Scripps Health stored the Class members’ personal information in a non-encrypted form. The lawsuit claims that the “Defendant’s failure to properly protect from access, disclosure, and/or actual viewing of the Plaintiff’s and the Class’ confidential, individual identifiable ‘medical information' by unauthorized person or persons” is in violation of the law.

The lawsuits claim that Scripps should have been prepared for a breach of this nature because the FBI issued a warning to potential targets. The June 7th lawsuit specifically cites a November 2019 article published in Law360 that stated that senior FBI and Secret Service officials reported that “cybercriminals are increasingly using ransomware to target vulnerable entities like hospitals and municipalities, and urged victims to report attacks to authorities regardless of whether they capitulate and pay ransoms.”

Scripps Health is one of many healthcare organizations that have been hit hard by ransomware attacks and data breaches recently. Pennsylvania residents’ PII was put at risk recently due to security concerns Insight Global, a contractor hired by the state of Pennsylvania to conduct contact tracing during COVID-19.

Insight Global sent an email to former and current employees asking them to secure any documents that they might still have in their possession, months after the breach was supposedly secured. In addition, Ohio Medicaid, Catholic Health, and a Georgia fertility clinic all reported breaches recently that impacted patient information.