147,000 Patients Affected by Scripps Health Ransomware Attack

Scripps Health, the second largest healthcare provider in San Diego, has started sending breach notification letters to 147,267 patients to inform them that some of their personal and health information was stolen in a May 1, 2021 ransomware attack.

The attack forced Scripps Health to adopt its EHR downtime procedures with its systems offline. Staff at its medical offices and hospitals were forced to work with paper charts while systems were restored and data was recovered. That process has taken almost a month, during which time access to important patient information such as test results was prevented. Scripps Health only regained the ability to create new records last week when the MyScripps patient portal was brought back online.

The attack affected many of the healthcare provider’s care sites and caused disruption to operations at two of its four hospitals. Scripps Health took the decision to divert some critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for stroke, heart attack, and trauma patients. Some non-urgent appointments also had to be delayed in the days following the attack.

Scripps Health said its main Epic medical record system was not compromised, but prior to the deployment of ransomware the attackers acquired documents that contained patient data such as names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and some clinical information such as physicians’ names, dates of service, and treatment information. The Social Security numbers and/or driver’s license numbers of around 3,700 individuals were obtained by the hackers. Complimentary credit monitoring and identity protection support services are being offered to those individuals.

Scripps Health has commenced a manual review of the documents compromised in the attack and explained that it is a time-intensive process that will likely take several months. “We do not yet know the content of the remainder of documents we believe are involved,” said Scripps Health in a statement about the attack, adding that notification letters are being sent to affected individuals as quickly as possible.

“It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” said Scripps Health. “For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.