San Diego-based Scripps Health is facing multiple class action lawsuits over an April 29, 2021 ransomware attack that affected 147,267 individuals. The attack forced the 5-hospital healthcare system to take systems, including its patient portal, offline while the attack was remediated. While care continued to be provided, some patients were diverted to other facilities as a precaution.
The investigation into the breach confirmed that prior to the deployment of ransomware the attacker exfiltrated documents that contained patients’ protected health information. Information compromised in the attack included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, dates of service, and/or treatment information.
A lawsuit was filed on June 1 in the San Diego County Superior Court that named Kenneth Garcia as plaintiff. The lawsuit, which seeks class action status, alleges Scripps Health was negligent for failing to prevent the theft of protected health information, which was stored on Scripps Health systems in unencrypted form. The lawsuit alleges the plaintiff suffered damages from the unauthorized release of his individually identifiable medical information. In addition to monetary damages, the lawsuit seeks to require Scripps Health to implement appropriate security protocols to protect patient data in the future.
A second lawsuit was filed on June 7 in the San Diego County Superior Court that names Johnny Corning as plaintiff. The lawsuit also seeks class action status and alleges Scripps Health was negligent for failing to take appropriate steps to keep patients’ protected health information secure. The lawsuit alleges Scripps Health should have been aware of the risk of an attack given the number of reported attacks over the past 2 years. Scripps Health should also have been aware of the high risk of an attack as the Federal Bureau of Investigation had issued alerts warning of ongoing ransomware attacks on hospitals.
In order for lawsuits of this nature to succeed, it is necessary to establish that harm has been suffered. Corning alleges harm was caused as a result of him being unable to access the MyScripps portal, which contained important information related to his treatment. He alleges he incurred anxiety restarting his medical services and online medical classes and spent a considerable amount of time verifying the legitimacy of the security breach, monitoring his medical records for identity theft, and checking his financial accounts for misuse of his data. Both lawsuits allege financial losses were suffered and the plaintiffs face an elevated risk of identity theft and fraud. The lawsuits seek monetary damages of at least $1,000 per victim, with the Corning lawsuit seeking actual damages of up to $3,000 per victim, along with reimbursement for legal costs.
A further two class action lawsuits were filed in federal court on June 21, one naming patients Michael Rubenstein and Richard Machado as plaintiffs and the other naming Kate Rasmuzzen as plaintiff. Michael Rubenstein alleges his health suffered as a result of not being able to access the patient portal. Without access to the portal, he said he had to visit a Scripps Health hematology clinic and beg a nurse to provide him with his lab orders and was unable to determine if the timing of the doses of his medication was correct. Richard Machado claimed to have had highly sensitive information about a very personal surgery exposed, which has caused him great concern. Like the lawsuits naming Corning and Garcia as plaintiffs, the Rasmuzzen lawsuit is focused on the costs incurred as a result of the attack and the potential for misuse of personal data.
The lawsuits vary in terms of specificity, although they make the same basic claim: that Scripps Health was negligent for failing to prevent the attack and stop the theft of sensitive information, and for the invasion of privacy. While evidence of harm must be provided in all four lawsuits for standing, the bar is set lower in California courts than in federal court.
While the data breach affected 147,267 individuals, Scripps Health said fewer than 3,700 individuals had either their Social Security number or driver’s license number compromised, and that highly sensitive information contained in electronic medical records was not compromised. Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring services for 12 months.