Scripps Health faces four class-action suits citing ransomware records breach

Scripps Health is facing four lawsuits related to a ransomware attack on its electronic systems in May.

Information about 147,000 patients was stolen during a month-long attack in May.


Class-action lawsuits are starting to pile up around the ransomware breach that impacted Scripps Health facilities and patients in May.

Two such cases were filed in federal court June 21, joining two already on the books in state court from early June.

Though filed on behalf of different Scripps patients, all reference the same set of basic facts, noting that Scripps began sending letters to more than 147,000 of its customers on June 1 warning them that their personal information may have been compromised during the attack that kept electronic systems down for nearly a month.

One of the two federal cases is filed on behalf of San Diego County residents Michael Rubenstein and Richard Machado, while the second involves local resident Kate Rasmuzzen.

Superior Court records in San Diego County list cases filed June 1 and 7 on behalf of area residents and Scripps patients Kenneth Garcia and Johnny Corning.

All make essentially the same basic claim — that Scripps failed in its duty to protect patient information, subjecting patients to potential fallout from identity theft or medical fraud.

Scripps, whose five hospitals include Scripps Memorial and Scripps Green in La Jolla, declined to discuss the suits because they are pending.

San Diego County’s second-largest health care system has, however, said that only about 3,700 of those whose records were at risk have had their Social Security and/or driver’s license numbers compromised.

Other information said to have been siphoned from Scripps servers includes addresses, dates of birth, health insurance information, medical record numbers, patient account numbers and clinical information such as physicians’ names, dates of service or treatment.

The much more detailed and potentially sensitive information in Scripps’ electronic medical record system, everything from digital X-ray images to doctor’s notes, was not taken, according to the company.

Class-action legal action has become common after ransomware attacks.

Lawyers quickly filed similar suits after news of an attack against Universal Health Services Inc. in late 2020 that shut down the nationwide health care provider for three weeks.

Jocelyn Larkin, executive director of the Impact Fund, a legal foundation at UC Berkeley that provides training, funding and representation related to social justice litigation, said it is not uncommon for multiple cases to pop up following an incident that affects thousands of people.

Judges, she said, will first try to determine whether to certify a class, essentially deciding whether there is enough commonality among those affected to be represented as a group.

“The standards are a little bit different in federal and state court, but essentially the court looks to see if the claims are similar and if there is efficiency and fairness associated with litigating them as one case rather than many cases,” Larkin said.

She said cases may be consolidated, and attorneys generally will have to work together to some extent when trying to hammer out settlements with Scripps.

“Sometimes it can be a situation where there is overlap and people end up a party to more than one case; it can get kind of messy,” Larkin said. “Scripps will be looking to wrap it up in one settlement rather than continuously having people suing them over and over again.”

Determining standing is the first part of the process. Judges must decide whether the person or people named in each lawsuit has been harmed greatly enough to justify the suit and represent others who have been similarly affected.

The four cases on file so far have varying levels of specificity about harm.

Rubenstein’s claim references his specific health status, including a diagnosis of primary polychthemia, also called myelofibrosis, which requires him to undergo regular bone marrow biopsies. Unable to access his medical records on Scripps’ patient data portal due to the data breach and subsequent computer shutdown, the suit claims that Rubenstein “was forced to visit a Scripps Health hematology clinic and beg a nurse to provide for him his lab orders” and that he “was unable to confirm whether the timing of particular doses was correct.”

Machado, the other patient named in the Rubenstein suit, was concerned that his medical record contained information about a “very personal surgery” he underwent that was connected to his status as a Type 2 diabetes patient.

The Rasmuzzen, Corning and Garcia cases list fewer specific health care consequences as a result of the breach, focusing on the costs associated with personal data protection and the damage that could be done if fraudsters obtained and used purloined information for nefarious purposes.

“In federal court, the individual class members will need to be able to show that they have suffered either injury or imminent risk of an injury associated with the conduct of Scripps,” Larkin said. “In California, the level of proof needed to show that there has been an injury is different and somewhat less rigorous.”

What are those damages worth? Three of the suits indicate it’s at least $1,000 per victim, with potentially more in punitive and actual damages. Given that Scripps has said it notified about 147,000 that their records were potentially involved in the breach, the number could easily hit the $150 million mark if a class were certified to include all who received information breach notices.

— San Diego Union-Tribune staff writer Teri Figueroa and La Jolla Light staff contributed to this report.