SAN FRANCISCO — Scripps Health’s 2021 cyberattack was a major blow to the San Diego-based system. Care disruptions resulting from the breach drove more than $100 million in lost revenues, triggered class-action payouts and even had a ripple effect on surrounding, unaffiliated healthcare facilities.
Executives addressing J.P. Morgan Healthcare Conference attendees said they’ve learned a lot about cybersecurity in the years since. The exact cause of the 2021 breach, however, still eludes them.
“If you think you’re prepared, you’re fooling yourself,” Chris Van Gorder, president and CEO, told fellow health system leaders during a presentation. “We thought we were prepared. We had cybersecurity experts keeping everything up to date and they were able to penetrate."
“I’ll be honest with you, we still to this day do not know exactly how they were able to penetrate the system," he continued. "They were able to get into business systems, [but] they were not able to get into medical records. That’s a good thing. Nonetheless, there’s a lot of confidential information in business systems.”
Similar to other providers hit by a major cyberattack, Scripps worked with the Federal Bureau of Investigation to clean “thousands” of PCs and other systems, Van Gorder said. The health system was “very transparent” and “unloaded everything” to the law enforcement agency during a deep scrub that the executive said he’s still not allowed to detail to others.
While that lengthy investigation has since come to a close, Van Gorder has since made sure that the bureau’s expertise will be sticking around at Scripps.
“The FBI supervising agent in San Diego over cybersecurity — and San Diego now is the hub for cybersecurity for the FBI — retired. And I hired him,” the CEO said. “He knows what was going on on the other side. He still can’t tell me, but he knows.”
The retired special agent is Todd Walbridge, whose resume runs the gamut of software sales, cybercrime investigation and SWAT team leadership.
He’s now a few months into his new role as senior director for corporate and system safety and security at Scripps Health. The position has Walbridge beefing up the physical security of Scripps’ five hospital campuses — which saw a 31% rise in workplace violence and a 4x rise in assault incidents from fiscal 2022 to 2023 — as well as leading some of the system’s cybersecurity efforts, Van Gorder said.
“If any of you ever want to consult with him, let us know, because he’s brilliant and he’s got some experience that very few people have,” the CEO told attendees.
Since the attack, Scripps also took the FBI’s advice and hired Texas-based cybersecurity technology firm CrowdStrike to provide live, 24/7 monitoring of its systems to catch any suspicious activity.
“That’s really the latest thing — if you don’t have somebody monitoring the behavior of the users in your system, you’ve got a hole in your system,” Van Gorder said. “If [any users] look like they’re not doing what they should be doing, everything is frozen, locked out, until it’s verified.”
Still, Scripps’ leadership team has come away from the incident with a warning for other providers and their operating budgets: cyberattacks are inevitable, their effects linger for multiple years and will likely become more expensive to weather over time.
“Despite having the door locked, some of these folks are going to find their way in,” Brett Tande, corporate SVP and CFO at Scripps Health, told conference attendees. “It’s really the resilience of your employees and your teams to be able to recover from that. No two attacks are going to be similar; you’re going to have to address some of those issues very uniquely.
“It’s an area that I think, unfortunately, is going to require more dollars and capital dollars in the years to come just to maintain that posture,” he said.