Scripps Health reaches $3.5M proposed settlement to compensate victims of 2021 ransomware attack

Scripps Health agreed to pay more than $3.57 million to the victims of a 2021 data breach as of Dec. 27. The settlement agreement (PDF), which promises payments to the 1.2 million people who joined several lawsuits, is awaiting a judge’s approval.

Personal information of 1.2 million current and former patients was compromised on April 29, 2021, when Scripps’ computer system was crippled for nearly a month during the ransomware attack. Plaintiffs alleged in multiple lawsuits that Scripps failed to adequately secure and safeguard sensitive patient information.

If the agreement is approved, minimum cash settlements of $100 will be paid to each plaintiff, with $7,500 given to those whose identities were stolen and qualified for suffering “extraordinary out-of-pocket expenses,” according to information provided on the Scripps' settlement website.

“We are pleased to have reached a settlement that Scripps believes is beneficial to those who may have been affected,” wrote a Scripps spokesperson in a statement to Fierce Healthcare. “The parties have not yet received final approval from the court, but preliminary approval has been granted and the parties will complete mailing notification postcards within 30 days of the approval order to the settlement class members.”

Plaintiffs in several lawsuits alleged that Scripps Health violated several laws, including the Confidentiality of Medical Information Act, as well as the right to privacy.

The first lawsuit was filed on June 1, 2021, on behalf of Kenneth Garcia and thousands of other patients whose information was accessed during the ransomware attack.

A class-action suit was filed on June 7 in San Diego County Superior Court on behalf of patient Johnny Corning. The lawsuit alleged that the health system "knew or should have known that its electronic records would likely be targeted by cybercriminals" due to the recent rise in hospital data breaches.

On June 21, a third lawsuit was filed, this time in the Southern District of California on behalf of patients Michael Matthews and others, accusing the health system of negligence.

Information breached included medical history and other personal information that was stored on Scripps Health's computer network in a "non-encrypted form." It's believed that hackers accessed the Social Security numbers and driver’s license numbers of less than 2.5% of individuals impacted by the ransomware attack.

Following the incident, Scripps stated that it notified impacted patients, conducted a full investigation and worked to beef up security to avoid the recurrence of any such incident. The San Diego-based nonprofit health system’s patient portal, My Scripps, was inaccessible to patients for weeks following the attack.

Clinicians were forced to move to paper charting, redirect ambulances and cancel scheduled appointments. After nearly a month of an offline IT system, San Diego’s second-largest health system reported losses of $113 million in revenue for May 2021.

Initial letters were sent to 147,267 affected patients in June 2021 while a second round of letters went out in March 2022 following a “manual, time-intensive review of documents,” according to the health system. According to the lawsuits, a total of 1.2 million patients had their sensitive information placed at risk of identity theft.

"Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community," Scripps wrote in a 2022 press release. "It is unfortunate that many healthcare organizations are confronting the impacts of an evolving cyber threat landscape. For our part, Scripps is continuing to implement enhancements to our information security, systems and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation."

Scripps told Fierce Healthcare that neither its MyChart patient portal nor its electronic medical records system was accessed in the attack.

On top of monetary compensation, Scripps has agreed to provide credit monitoring and identity theft protection to all plaintiffs.

Scripps has admitted no wrongdoing in the case. Claims for ordinary out-of-pocket reimbursements max out at $1,000 per class member to cover bank fees, telephone charges, cost of credit reports, etc. Extraordinary losses are those related to identity theft due to the attack.

Settlement class members can visit or reach a settlement administrator's helpline at 800-708-8796 to make inquiries or file a claim. The deadline to file a new claim is March 23, 2023.