Before deploying ransomware on Scripps Health's computer network, cybercriminals stole data on close to 150,000 patients.
The San Diego-based health system said it is notifying 147,267 patients that hackers acquired some health and personal financial information during last month's ransomware attack.
The information could include names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, clinical information and treatment information, the health system said.
Less than 2.5% of patients had Social Security or driver's license numbers stolen, Scripps Health said in a statement issued Tuesday. The health system will provide free credit monitoring and identity protection services to those patients.
Hackers did not access Scripps' Epic electronic medical record system, according to the health system.
"However, health information and personal financial information was acquired through other documents stored on our network," health system officials said. "Once we were able to identify a certain number of documents involved, we conducted a thorough review and determined that those documents contained patient information."
The health system is notifying those patients so they can "take steps to protect their information."
So far, there is no indication that any of these data have been used to commit fraud, according to the health system.
Scripps Health, which operates five hospitals in the region, was hit with a cyberattack on May 1 that forced the health system to take a portion of its IT system offline for several weeks, which significantly disrupted care and forced medical personnel to use paper records.
The health system immediately began an investigation, aided by computer consulting and forensic firms, and notified federal law enforcement.
Scripps Health's EHR system is now back online, the health system reported, and patients can log into their MyScripps account to see their healthcare information and to schedule appointments.
The health system continues to investigate the incident, including an through "extensive manual review of documents."
"This is a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements," health system officials said.
Given the evolving cyberthreat landscape, Scripps Health said it is enhancing its information security, systems and monitoring capabilities.
Healthcare organizations have been plagued by an uptick in cyberattacks in the past year as cybercriminals take advantage of the COVID-19 pandemic and disrupt operations at hospitals across the country.
The cybercrime division of the FBI has warned that the same hackers that hit the Irish health system in May also targeted at least 16 U.S. medical and first responder networks in the past year. Cybercriminals using the malicious software dubbed "Conti" have targeted law enforcement, emergency medical services, dispatch centers and municipalities, according to a federal law enforcement alert.
In its latest alert, the FBI said it does not encourage paying ransoms, but some hospitals and health systems have paid up to get regain access to their systems.
Attleboro, Massachusetts-based Sturdy Memorial Hospital recently acknowledged that it paid hackers a ransom payment to prevent patient data from being further distributed following a cyberattack in early February.
"In exchange for a ransom payment, we obtained assurances that the information acquired would not be further distributed and that it had been destroyed," the hospital said in a privacy notice posted to its website.