Second round of patients receives ransomware breach notices nearly a year after Scripps Health attack

Scripps Green in La Jolla is part of Scripps Health's hospital group.

In recent weeks, San Diego has seen a second flurry of data breach letters related to the Scripps Health ransomware attack that took place nearly a year ago.

Receiving such letters so long after the initial incident, which took critical systems down for most of May last year, has been surprising for many, especially since Scripps already mailed a first round of breach notices to an estimated 144,000 affected patients in 2021.

What took so long for the second batch to arrive?

Scripps, San Diego County’s second-largest health care system with a hospital group including Scripps Memorial and Scripps Green in La Jolla, said in a statement that a recently concluded manual review of internal documents found that “additional patient information” was stolen by the hackers. The cyberattack forced the health system to cancel hundreds of medical appointments and temporarily return to paper charts because ransomware caused the shutdown of its electronic medical records system.

Scripps offers free credit monitoring to anyone whose Social Security or driver’s license number was found in documents taken during the breach.

To date, Scripps says it has found “no indication that this data has been used to commit fraud.”

How the attackers managed to penetrate Scripps’ defenses remains a mystery to the public.

Scripps also has so far declined to say how many additional patients are affected beyond the initial 144,000 notified last year.

In a court filing in February, the nonprofit health company’s lawyers said the organization “determined the information of additional individuals may have been impacted” by the attack, requiring the second round of notifications.

A company spokesman said in an email that more specific information will not be provided “due to ongoing litigation.”

The attack and its aftermath have plunged Scripps into a thicket of class-action litigation.

Though several lawsuits filed in federal court have been dismissed, the dismissals are being appealed.

Meanwhile, in San Diego County Superior Court, Judge Gregory Pollack granted a consolidation of six different class-action lawsuits, each alleging that Scripps should be held financially responsible for failing to protect medical records and other sensitive information, including Social Security numbers.

In a ruling Feb. 13, Pollack said he is essentially “pulling up the drawbridge” on additional suits pertaining to the ransomware attack until the consolidated cases are resolved.

Court papers indicate that Scripps is in settlement discussions with lawyers appointed by the court to represent the class.

Rachele Byrd, one of those appointed attorneys, declined to comment.

If the matter is ultimately settled, whatever amount Scripps ends up paying will come on top of costs incurred during the breach itself. A quarterly financial report filed in mid-2021 estimated that the health care giant missed out on about $113 million in revenue in May 2021, when its systems were being held hostage. Though insurance policies reduced that expense somewhat, the bulk came directly from Scripps’ bottom line.