Scripps Health issues second round of 2021 breach notifications

by John R. Fischer, Senior Reporter | April 21, 2022
Scripps Health says additional patients may have been affected by the breach in May 2021.
Nearly a year after its infamous ransomware incident, Scripps Health is still alerting patients about the breach, with a second set of letters sent out over the last few weeks.

Occurring in May of last year, the attack led the San Diego healthcare system to shut down its EMR, patient portals and other technology applications for nearly a month, and cost it almost $113 million in lost revenue.

Scripps sent a first round of breach notifications to an estimated 144,000 affected recipients in 2021. But the company now says a recently concluded manual review of internal documents determined that “additional patient information” was stolen by the hackers, according to La Jolla Light. “At this point, we have no indication that any of this data has been used to commit fraud. Maintaining the confidentiality and security of our patients’ information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community,” said the health system in a statement.

In a court filing in February, the company’s lawyers said the organization “determined the information of additional individuals may have been impacted” and that a second round of notifications was required. The attack caused it to cancel hundreds of procedures and temporarily rely on paper charts to manage patients and record their information. The hackers stole patient health and financial information, including names, drivers' licenses, addresses, dates of birth, health insurance information, social security numbers, patient account numbers, clinical information and patient records.

Scripps says it is continuing to improve its information security, systems and monitoring capabilities and is actively working with federal law enforcement in its investigation. The attackers have still not been found or held accountable, and the company has not disclosed how many additional patients were affected beyond the initial 144,000 notified last year. It says it will not release more specific information “due to ongoing litigation,” but says it is offering free credit monitoring to anyone whose social security or driver's license numbers were found in documents taken during the breach.

As Scripps provides about a third of patient care in the San Diego area, the incident also led to overcrowding at two EDs at the University of California, which saw average daily emergency medical service arrivals soar by nearly 60% year over year during the first week of the attack.
