It took several weeks for Scripps Health to get its computer network and medical records system back online after it was hit with a ransomware attack May 1.
Now, the five-hospital health system is facing several class-action lawsuits from patients who charge that system leaders failed to keep their medical data safe from hackers.
San Diego-based Scripps Health was besieged by a cyberattack that forced the health system to take a portion of its IT system offline for several weeks, which significantly disrupted care and forced medical personnel to use paper records.
But the cybercriminals didn't just disrupt operations; the hackers also stole data on close to 150,000 patients, the health system said earlier this month.
Scripps Health notified 147,267 patients that hackers acquired some health and personal financial information during last month's ransomware attack.
A lawsuit filed Monday in the Southern District of California on behalf of patients Michael Rubenstein, Richard Machado and others accuses the health system of negligence and invasion of privacy as a result of the data breach.
The personal information—including names, drivers’ licenses and Social Security numbers and/or patient care records of nearly 150,000 Scripps Health patients—was compromised in the massive data breach, according to Oakland, California-based law firm Scott Cole & Associates, which is representing the plaintiffs in the case.
“That medical histories were accessed in this data hack makes this situation unique,” Scott Cole, the principal attorney on the case, said in a statement. "Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.”
The lawsuit claims Scripps Health maintained inadequate security measures for detecting and addressing the cyberattack, especially given knowledge of a heightened threat.
In addition to monetary damages, the suit demands Scripps Health implement and maintain sufficient security protocols going forward so as to prevent future attacks.
A Scripps Health spokesperson said the health system would not comment on pending litigation.
A class-action suit filed June 7 in San Diego County Superior Court on behalf of patient Johnny Corning alleges that because of the rise in high-profile data breaches among healthcare organizations, the health system "knew or should have known that its electronic records would likely be targeted by cybercriminals."
Scripps Health's "negligence in safeguarding" patients' medical information is "exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data," the lawsuit states.
The health system "failed to take appropriate" steps to safeguard patient's protected health information and could have prevented the data breach by "properly securing and encrypting" the medical data, the lawsuit alleges.
The lawsuit claims that Corning was harmed by the breach, such as by "suffering lost time, annoyance, interference, and inconvenience as a result of the data breach." The plaintiff also has suffered due to "anxiety and increased concerns for the loss of his privacy, as well as anxiety over losing access to the MyScripps portal," which enabled him to communicate with doctors, access test results, request prescription refills and manage appointments.
Corning's lawsuit wants Scripps Health to pay $1,000 per violation while also seeking actual damages and punitive damages of up to $3,000 per plaintiff and class member, as well as attorney's fees, litigation expenses and court costs.
Another lawsuit filed June 1 on behalf of Kenneth Garcia and thousands of other patients believed to have been impacted by the breach claims that medical history, mental or physical condition and treatment—including diagnosis and treatment dates—and other personal information was stored on Scripps Health's computer network in a "non-encrypted form."
The plaintiffs have suffered damages from the "unauthorized release of their individual identifiable medical information," the lawsuit claims.