Patients of Scripps Health who had their personal health information compromised in a cyberattack in April and May are taking the healthcare system to court for negligence, invasion of privacy and other issues related to the incident.
Scott Cole & Associates, the firm representing the patients, filed the class action suit this week in the U.S. District Court for the Southern District of California. It says in the documents filed that Scripps’ inadequate security measures prevented it from detecting the attack sooner and have potentially created “a lifetime risk of identity theft” for nearly 150,000 patients. The suit is entitled Rubenstein, et al. v. Scripps Health.
“That medical histories were accessed in this data hack makes this situation unique. Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here,” said Scott Cole, the principal attorney on the case.
The attack disrupted Scripps’ patient portals, forcing it to suspend access to them, its email servers and other technological applications. It switched to offline charts to keep up with patient care but did have to reschedule some appointments. While the organization would not specify at the time what type of attack it was, many media outlets reported it to be a form of ransomware.
Among the personal information breached were names, driver's licenses, addresses, dates of birth, health insurance information, social security numbers, patient account numbers, clinical information and patient records. Social security numbers and driver's license numbers compromised belonged to less than 2.5% of patients, all of whom were offered complimentary credit monitoring and identity protection support services.
Online operations resumed around the beginning of June. An investigation found that the attackers accessed the network in late April and deployed malware throughout May to exfiltrate copies of data. The attackers reportedly did not access Scripps’ electronic medical record application, Epic.
The suit is demanding monetary damages from Scripps for patients, and that it implement and maintain sufficient security protocols to prevent future attacks.
Scripps said it became aware of the attack on May 1 and began notifying patients that month and in early June. President and CEO Chris Van Gorder addressed the lack of transparency from the health system regarding the incident in a letter, saying that it acknowledged patient frustrations but that sharing more details put it at risk for more attacks, reported Modern Healthcare.
Scripps did not respond to HCB News’ request for comment on the suit.