Scripps Health is being sued for its alleged "failure to properly secure and safeguard" patients' personally identifiable information during an April 29 malware attack on the San Diego-based health system, according to documents filed in the U.S. District Court for the Southern District of California. To contain the attack, the San Diego-based system took a portion of its network offline, disrupting access to email servers, the patient portal and other applications. Some systems were down for nearly a month. Here are five things to know about the legal action:
- The lawsuit represents anyone whose personally identifiable information like name, birthday, Social Security number or driver license number were compromised or whose personal health information like health insurance information, medical record number, patient account number or clinical information were exposed, according to the filings.
- The plaintiff's legal team, Scott Cole & Associates, said that data "can be sold on the dark web," opening 150,000 patients affected by the attack to "a lifetime risk of identity theft, which is heightened here by the loss of Social Security numbers." Scott Cole, the principal attorney on the case, in a statement said that the fact that medical histories were accessed "makes this situation unique. Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here."
- Scripps Health previously said it found out about the cybersecurity incident May 1 and began notifying affected patients about the data breach later that month and in early June. In a letter to patients on May 24, Scripps CEO and President Chris Van Gorder acknowledged patient frustrations that the health system wasn't communicating enough. But he said they haven't been as transparent because sharing more details has put Scripps at increased risk of more attacks.
- The system said Social Security numbers and drivers' licenses numbers were compromised for less than 2.5% of patients, all of whom were offered complimentary credit monitoring and identity protection support services.
- The lawsuit asks for Scripps Health to be required to implement stronger security protocols to prevent future attacks and to provide affected patients with monetary damages.
Scripps Health did not immediately respond to a request for comment.