Scripps Health in San Diego is looking at several class-action lawsuits due to a ransomware attack on April 29, 2021 that affected 147,267 people. As a result of the attack, the 5-hospital healthcare system needed to take systems off the web as it mitigates the attack, which includes its patient webpage. Though Scripps Health continued to provide patient care, certain patients were redirected to other providers as a preventative measure.
The breach investigation revealed that before the deployment of ransomware the attacker exfiltrated records that included patients’ protected health information (PHI). Data exposed in the attack involved names, birth dates, addresses, medical insurance data, patient account numbers, medical record numbers, and/or clinical data, for example, name of the doctor, dates of service, and/or treatment details.
On June 1, a lawsuit listing Kenneth Garcia as plaintiff was filed in the San Diego County Superior Court. The lawsuit, which wants class-action status, states Scripps Health was negligent for not preventing the theft of PHI, which was saved unencrypted on the Scripps Health database. The legal action claims the plaintiff sustained damages because of the unauthorized viewing of his individually identifiable health data. Aside from monetary compensation, the lawsuit calls for Scripps Health to carry out proper security standards to secure patient information down the road.
Another legal action identifying Johnny Corning as a plaintiff was sent in on June 7 in the San Diego County Superior Court. The lawsuit likewise wants class-action status and states Scripps Health was at fault for not undertaking the proper steps to make the PHI of patients protected. The lawsuit claims Scripps Health ought to have noticed the probability of an attack considering the number of reported attacks in the last two years. Scripps Health should likewise have recognized the high risk of an attack when the FBI had released warnings of continuing ransomware attacks on healthcare providers.
For legal cases of this type to have great results, it is essential to prove that harm was sustained. Conning states harm happened due to the fact that he could not gain access to the MyScripps website, which had necessary data associated with his treatment. He claims he struggled with anxiety restarting his healthcare services and web-based medical classes and put in a substantial amount of time making sure of the legitimacy of the data breach, keeping track of his health documents for identity theft, and tracking his financial statements for data misuse. The two legal actions assert financial losses were experienced and the plaintiffs are confronted with an increased risk of identity theft and fraud. The legal cases demand monetary damages of no less than $1,000 for every victim and the Conning legal action wants actual compensation of nearly $3,000 for each victim, in addition to repayment for legal expenses.
On June 21, two more class-action legal actions were submitted in federal court. The plaintiffs of one of the lawsuits are patients Richard Machado And Michael Rubenstein and the plaintiff of the other lawsuit is Kate Rasmuzzen. Michael Rubenstein states his health had problems resulting from not having the means to access the patient site. With no access to the patient portal, he claimed he had to stop by a Scripps Health hematology clinic to request a nurse for information about his laboratory orders. He also could not find out whether the schedule of his medication was correct. Richard Machado maintained to have had very sensitive information concerning a very personal surgery treatment exposed and has created great issues. Like the legal cases identifying Garcia and Corning as plaintiffs, the Rasmuzzen legal action focuses on the expenditures accrued due to the attack and the possibility of misuse of their personal records.
The lawsuits are different with regards to specificity, though they have an identical primary claim, that Scripps Health was responsible for failing to avert the attack and prevent the stealing of sensitive data and for the privacy violation. Although proof of harm needs to be provided in all four legal actions to be accepted, the standard is placed lower in Californian court in comparison with in the federal court.
Though the data breach impacted 147,267 persons, Scripps Health mentioned less than 3,700 people had either their driver’s license number Or Social Security number breached, and that highly sensitive data included in electronic medical records were not affected. People whose driver’s license number or Social Security number was exposed have been given free credit monitoring services for 12 months.