Quick News Bit

Ransomware Attack Leads to Class-Action Lawsuits for Scripps Health

Like many other healthcare systems besieged by ransomware attacks and their repercussions, Scripps Health of San Diego is facing two class-action lawsuits from plaintiffs who claim the five-hospital system’s leaders were negligent in failing to secure patient data against breaches.

Each lawsuit is seeking at least $1,000 per violation and other costs.

According to a letter that Scripps Health reportedly sent to 147,267 potentially affected patients, the breach began when an “unauthorized person gained access to our network, deployed malware, and, on April 29, 2021,” acquired some documents maintained by the Scripps system.

“Upon conducting a review of those documents, we determined that one or more files may have reflected your name, address, date of birth, health insurance information, medical record number, patient account number, and/or clinical information, such as physician name, date(s) of service, and/or treatment information,” the letter continued, according to its filing with the California Office of the Attorney General.

The latest lawsuit filed June 7 in San Diego County Superior Court on behalf of patient Johnny Corning asserted that because there have been so many “high-profile data breaches” involving millions of patients within the last 2 years, Scripps Health “knew or should have known that its electronic records would likely be targeted by cyber-criminals,” but “failed to take appropriate steps” to keep patients’ protected health information from being compromised.

The failure was preventable, the lawsuit claimed, because the Federal Bureau of Investigation warned potential targets repeatedly of the possibility of such attacks involving hospitals.

In terms of damage, the lawsuit alleged that Corning in particular was harmed because he was unable to access his “MyScripps” portal, “which contained the ability to communicate with doctors, access test results, request prescription refills, manage appointments, pay as a guest, and view ‘MyScripps’ video visit tutorials, which was necessary for his medical treatment.”

Corning spent an undisclosed amount of time and incurred anxiety “attempting to restart his medical services/online medical classes, verifying the legitimacy of the Data Breach, monitoring his medical records for identity/information theft, and self-monitoring his financial accounts” — time that “has been lost forever.”

Such stolen information, Corning’s lawsuit claimed, can be sold “for as much as $363 per record, according to the Infosec Institute.”

“Defendant could have prevented this Data Breach by properly securing and encrypting the PII and PHI of Plaintiff and Class Members. Alternatively, Defendant could have destroyed the data that was no longer useful, especially outdated data,” the lawsuit said.

In addition to the $1,000 per violation, Corning’s lawsuit is seeking actual damages and punitive damages of up to $3,000 per plaintiff and class member, as well as attorney’s fees, litigation expenses, and court costs.

Another lawsuit filed June 1 on behalf of Kenneth Garcia and 174,000 other patients believed to have been impacted by the breach alleged that medical history, mental and/or physical condition or treatment, including diagnosis and treatment dates, and other personal information were kept on the Scripps Health computer network “in a non-encrypted form.”

As a result of the breach, the plaintiffs “have suffered damages from the unauthorized release of their individual identifiable ‘medical information.’”

Attorneys for the law firms filing these two cases declined to speak on the record.

Scripps Health is a $2.9-billion private, nonprofit system with 3,000 physicians and five hospitals that treat 700,000 patients a year and provides roughly one-third of patient care in the region.

In response to a request for comment, Chris Van Gorder, president and CEO of Scripps Health, wrote in an email: “Anticipated these days sadly. That’s all I can say.”

In a June 10 op-ed in the San Diego Union-Tribune, Van Gorder described the “frustrating and challenging” situation for patients, physicians, nurses, and staff, but noted a trend in attacks from “threat actors” against numerous health systems around the country, as well as in Ireland and New Zealand. He pointed out that there was no unauthorized access to Scripps’ electronic medical record application, Epic, and no evidence to date that patient information was used for fraudulent purposes.

Cyber-criminals have attacked multiple hospitals and health information systems in the last 2 years, and lawsuits have subsequently been filed against many of them, including Hackensack Meridian Health in New Jersey; BJC Health System in St. Louis; DCH Health System in Tuscaloosa, Alabama; and Rady Children’s Hospital, also in San Diego.

Cheryl Clark has been a medical & science journalist for more than three decades.

Disclosures

The author, a patient of the Scripps Health system, has personal knowledge of the disruptive impact of this breach on numerous physician practices through discussions with Scripps providers who were unable to access her medical records or complained of delayed and missed appointment times, problems with medical record transfers, and communication gaps between referring physician practices, all issues stemming from the breach. She is not involved in either lawsuit.
