San Diego-based Scripps Health on Tuesday said it's notifying an estimated 147,267 patients that their data was stolen by hackers in last month's ransomware attack.
A ransomware attack on Scripps' information systems in early May led the health system to take a portion of its network offline, disrupting access to the health system's electronic health record system and other applications for multiple weeks. Scripps' ongoing investigation into the incident revealed that the hackers who accessed the network stole copies of some documents.
Documents stolen in the breach contained health information and financial information of some patients, according to Scripps. Less than 2.5%—nearly 3,700—of patients had Social Security or driver's license numbers stolen; Scripps will provide free credit monitoring and identity protection services to those patients.
Hackers did not access Scripps' EHR, according to the health system.
Scripps is continuing to investigate the incident, including manually reviewing documents that officials believe were stolen by the hackers to determine which patients had data involved in the incident—in a "time intensive process that will likely take several months," according to the health system. It will continue to notify patients as it learns whether more people had data exposed in the cyberattack.
"We are beginning to mail notification letters to approximately 147,267 individuals so they can take steps to protect their information," reads a statement from the health system. "The investigation is ongoing, and we do not yet know the content of the remainder of documents we believe are involved."
So far, Scripps said there's no evidence to suggest stolen data has been used to commit fraud.
Scripps on May 1 experienced a "disruption" to its IT systems, which has since been tied to ransomware discovered on the health system's computer network. Scripps brought its EHR and patient portal back online last week, and Scripps on Tuesday said it is continuing to restore other systems from back-up versions.
Scripps said it has tapped computer consulting and forensic firms to assist in its investigation and that it's "work[ing] closely" with federal law enforcement.
The breach at Scripps comes as the American Hospital Association calls on the U.S. government to play a bigger role in responding to ransomware attacks against the healthcare industry.
"It is unfortunate that many healthcare organizations are confronting the impacts of an evolving cyber threat landscape," reads Scripps' statement. "Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community."