- Health and personal information on nearly 150,000 patients stolen in ransomware attack.
- Incident should serve as another warning to health care compliance professionals of the importance of cybersecurity.
Scripps Health (Scripps), a health system based in San Diego, was subject to a cyberattack in which unauthorized parties gained access to its network and deployed ransomware. The health system was forced to take its systems offline for several weeks.
In an op-ed, Scripps’ CEO indicated that the electronic medical record application was not compromised in the attack. However, protected health information – such as names, addresses, birthdates, and health insurance data – was exposed.
As of late June, four class action lawsuits were filed on behalf of impacted patients. The lawsuits essentially claim that the health system failed in its duty to protect patient information and thereby exposed patients to risks such as identity theft and medical fraud.
At least one of the lawsuits alleges that Scripps received repeated warnings and alerts related to protecting and securing sensitive data. It claims that Scripps “knew or should have known that its electronic records would likely be targeted by cybercriminals” and failed to take appropriate steps to safeguard protected health information.
The lawsuit also claims that Scripps could have prevented the breach by “properly securing and encrypting” the data. The parties to the lawsuit ask that Scripps pay $1,000 per violation, up to $3,000 in damages per plaintiff and class member, and other costs.
This incident should serve as another reminder to Compliance, Privacy, and Security Officers of the importance of working together to prevent similar problems in their organizations. Failure to do so can result in significant undesirable costs.
For more information on this topic, please contact Richard Kusserow at [email protected].