Ransomware Attack Leads to Class-Action Lawsuits for Scripps Health

— Patients say system should have protected their health information from breach

Last Updated June 23, 2021
MedicalToday
A photo of Scripps Mercy Hospital

Like many other healthcare systems besieged by ransomware attacks and their repercussions, Scripps Health of San Diego is facing two class-action lawsuits from plaintiffs who claim the five-hospital system's leaders were negligent in failing to secure patient data against breaches.

Each lawsuit is seeking at least $1,000 per violation and other costs.

According to a that Scripps Health reportedly sent to 147,267 potentially affected patients, the breach began when an "unauthorized person gained access to our network, deployed malware, and, on April 29, 2021," acquired some documents maintained by the Scripps system.

"Upon conducting a review of those documents, we determined that one or more files may have reflected your name, address, date of birth, health insurance information, medical record number, patient account number, and/or clinical information, such as physician name, date(s) of service, and/or treatment information," the letter continued, according to its filing with the California Office of the Attorney General.

The latest filed June 7 in San Diego County Superior Court on behalf of patient Johnny Corning asserted that because there have been so many "high-profile data breaches" involving millions of patients within the last 2 years, Scripps Health "knew or should have known that its electronic records would likely be targeted by cyber-criminals," but "failed to take appropriate steps" to keep patients' protected health information from being compromised.

The failure was preventable, the lawsuit claimed, because the Federal Bureau of Investigation potential targets repeatedly of the possibility of such attacks involving hospitals.

According to an published Tuesday afternoon in the San Diego Union-Tribune, two additional class action complaints were filed Monday in federal court alleging similar damages.

In terms of damage, the first two lawsuits in state court alleged that Corning in particular was harmed because he was unable to access his "MyScripps" portal, "which contained the ability to communicate with doctors, access test results, request prescription refills, manage appointments, pay as a guest, and view 'MyScripps' video visit tutorials, which was necessary for his medical treatment."

Corning spent an undisclosed amount of time and incurred anxiety "attempting to restart his medical services/online medical classes, verifying the legitimacy of the Data Breach, monitoring his medical records for identity/information theft, and self-monitoring his financial accounts" -- time that "has been lost forever."

Such stolen information, Corning's lawsuit claimed, can be sold "for as much as $363 per record, according to the Infosec Institute."

"Defendant could have prevented this Data Breach by properly securing and encrypting the PII and PHI of Plaintiff and Class Members. Alternatively, Defendant could have destroyed the data that was no longer useful, especially outdated data," the lawsuit said.

In addition to the $1,000 per violation, Corning's lawsuit is seeking actual damages and punitive damages of up to $3,000 per plaintiff and class member, as well as attorney's fees, litigation expenses, and court costs.

Another filed June 1 on behalf of Kenneth Garcia and 174,000 other patients believed to have been impacted by the breach alleged that medical history, mental and/or physical condition or treatment, including diagnosis and treatment dates, and other personal information were kept on the Scripps Health computer network "in a non-encrypted form."

As a result of the breach, the plaintiffs "have suffered damages from the unauthorized release of their individual identifiable 'medical information.'"

Attorneys for the law firms filing these two cases declined to speak on the record.

is a $2.9-billion private, nonprofit system with 3,000 physicians and five hospitals that treat 700,000 patients a year and provides roughly one-third of patient care in the region.

In response to a request for comment, Chris Van Gorder, president and CEO of Scripps Health, wrote in an email: "Anticipated these days sadly. That's all I can say."

In a June 10 in the San Diego Union-Tribune, Van Gorder described the "frustrating and challenging" situation for patients, physicians, nurses, and staff, but noted a trend in attacks from "threat actors" against numerous health systems around the country, as well as in Ireland and New Zealand. He pointed out that there was no unauthorized access to Scripps' electronic medical record application, Epic, and no evidence to date that patient information was used for fraudulent purposes.

Cyber-criminals have attacked multiple hospitals and health information systems in the last 2 years, and lawsuits have subsequently been filed against many of them, including in New Jersey; in St. Louis; in Tuscaloosa, Alabama; and , also in San Diego.

  • author['full_name']

    Cheryl Clark has been a medical & science journalist for more than three decades.

Disclosures

The author, a patient of the Scripps Health system, has personal knowledge of the disruptive impact of this breach on numerous physician practices through discussions with Scripps providers who were unable to access her medical records or complained of delayed and missed appointment times, problems with medical record transfers, and communication gaps between referring physician practices, all issues stemming from the breach. She is not involved in either lawsuit.