Second round of patients receives ransomware breach notices nearly one year after Scripps Health attack – The San Diego Union-Tribune

In recent weeks, San Diego has seen a second flurry of data breach letters related to the Scripps Health ransomware attack that took place nearly one year ago.

Receiving such letters so long after the initial incident, which took critical systems down for most of May 2021, has been surprising for many, especially since Scripps already mailed a first round of breach notices to an estimated 144,000 affected patients last year.

What took so long for this second batch to arrive?

A manual review of internal documents, Scripps said in a statement, only just recently concluded and found that “additional patient information” was stolen by the hackers. The cyber attack forced San Diego County’s second-largest health system to cancel hundreds of medical appointments and temporarily return to paper charts because ransomware forced the shutdown of its electronic medical records system.

Scott McGaugh, a San Diego resident, author and former director of the U.S. Midway Museum, said he and his wife were surprised to receive letters in March.

Scripps’ statements so far, he said, have left him feeling a little out of the loop.

“Scripps repeats much of what’s already been reported, while including a list of what info may have been stolen,” he said. “But it’s boilerplate, leaving patients with questions of ‘what about MY info specifically?’”

He said he was also mystified when his wife was offered a free year of credit monitoring but he was not. As indicated in a letter to affected patients updated Feb. 15, Scripps offers monitoring to anyone whose Social Security or driver’s license number was found in documents taken during the breach.

Scripps says that, to date, it has found “no indication that this data has been used to commit fraud.”

Exactly how attackers managed to penetrate Scripps’ defenses remains a mystery to the public.

Scripps has also so far declined to say just how many additional patients are affected beyond the initial 144,000 notified last year.

In a court filing made in February, the nonprofit health company’s lawyers say that the organization “determined the information of additional individuals may have been impacted” by the attack, requiring the second round of notifications. In its winter filing, Scripps says that it “does not yet know the number of people who will be notified” in the second round, and a company spokesman said in an email that more specific information will not be provided “due to ongoing litigation.”

The attack and its aftermath have plunged Scripps into a thicket of class action litigation.

While several suits filed in federal court have been dismissed, those dismissals are now being appealed. The path appears to be more straightforward in state court. There, San Diego Superior Court Judge Gregory W. Pollack granted a consolidation of six different class-action lawsuits, each alleging that Scripps should be held financially responsible for failing to protect medical records and other sensitive information, including Social Security numbers.

In a ruling made on Feb. 13, Pollack said he is essentially “pulling up the drawbridge” on additional suits pertaining to the ransomware attack until the consolidated cases are resolved.

Court papers indicate that Scripps is in settlement discussions with lawyers appointed by the court to represent the class.

It is not clear whether the true number of people affected by the breach has been shared during those private discussions. Rachele Byrd, one of the attorneys appointed to represent the class, declined to comment in an email sent Thursday.

If the matter is ultimately settled, whatever amount Scripps ends up paying will come on top of costs incurred during the breach itself. A quarterly financial report filed mid-2021 estimates that the health care giant, which operates four main hospitals and a wide network of outpatient facilities across San Diego County, missed out on about $113 million in revenue in May 2021 when its systems were being held hostage. While insurance policies reduced that expense somewhat, the bulk came directly from Scripps’ bottom line.
