Scripps Health Reports Data Breach

NOTICE: If you are a Scripps Health employee, physician or provider and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation.

breach digital locksLate on May 1, 2021, Scripps Health (“Scripps”) detected an apparent ransomware attack on their computer network that significantly disrupted patient care. Scripps immediately began to investigate the situation by isolating potential devices and turning off select systems. On May 10, 2021, it was concluded that patient information was taken.

On May 15, 2021, Scripps sent out an e-mail to their “Valued Scripps Patient[s]” addressing the “cybersecurity incident on May 1 that resulted in disruption to our IT systems at our hospitals and facilities.” On May 24, 2021, Scripps sent out a second e-mail to their “Valued Scripps Patient[s]” with an update to the cyber incident.

Finally, one month after the attack took place, on June 1, 2021, Scripps Health reported to the California Attorney General’s office that on April 29, 2021 an unauthorized person gained access to Scripps’ network, deployed malware and acquired patient information.

WHAT INFORMATION WAS INVOLVED?

On June 1, 2021, Scripps began to send two types of notices to individuals notifying them of the Data Breach. Together, the letters include the following information:

  • First and Last names
  • Addresses
  • Dates of Birth
  • Social Security numbers
  • Driver’s License Numbers
  • Health Insurance Information
  • Medical Record Numbers
  • Patient Account Numbers
  • Clinical Information including; physician names, dates of service, treatment information

The San Diego-based healthcare provider was forced to stop patient access to its online portal, postpone upcoming appointments, and divert trauma patients to other hospitals. Access to electronic medical records and other resources such as medical imaging and telemetry was also affected.

Hospitals are considered “soft” targets for ransomware attacks, and medical information is more valuable than other types of stolen personal information. Hackers view hospital systems as relatively easy to breach and healthcare providers are highly motivated to pay a quick ransom. Healthcare systems also tend to be highly connected, so if a breach impacts one part of the system, it has the potential to impact the whole system.

According to Scripps, they are still assessing the extent of the attack and will be providing affected individuals with a data breach letter. At this time, it is unclear how many letters are expected to go out.

Scripps is a $2.9 billion private, not-for-profit integrated health system in San Diego with over 16,000 employees. The healthcare provider treats more than 700,000 patients annually with 5 acute-care hospitals, home health services, 30 outpatient centers, 14 walk-in clinics, 4 emergency rooms, 3 urgent care centers and hundreds of physician offices.

NOTICE: If you are a Scripps Health employee, physician or provider and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation.