
Scripps Health, Avalon Healthcare reach settlements after data breaches

Two recent healthcare data breach settlements spotlight the impact breaches have on the sector. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

Over the last year, states have ramped up enforcement against entities affected by ransomware and other data privacy breaches, particularly in healthcare. At an even greater pace, the number of breach lawsuits filed against providers has risen relentlessly.

Two recent healthcare data breach settlements spotlight this growing dichotomy and its impact on the healthcare sector.

Oregon and Utah recently handed down a $200,000 fine to Avalon Healthcare Management to resolve compliance issues found in the wake of its 2019 email-related data breach, while Scripps Health reached a $3.5 million settlement with patients affected by its 2021 incident.

Avalon Health pays states $200K, with new security requirements

The attorneys general of Utah and Oregon reached a $200,000 settlement with Avalon Health, which also requires the provider to develop and implement practices that aim to bolster its information security for both patient and employee data.

In April 2020, the skilled nursing, therapy, senior living, and assisted living provider reported an email-related incident affecting 14,500 Avalon employees and patients. A threat actor had gained access to an email account roughly 10 months earlier, in July 2019, after an employee fell victim to a phishing attack.

The account contained employee and patient names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.

The delayed notification prompted the states’ joint investigation, which focused in particular on Avalon’s email security practices and its compliance with state breach notification laws and the Health Insurance Portability and Accountability Act. Under HIPAA, notices are required without unreasonable delay and no later than 60 days after discovery. Under Oregon law, the timeline is just 45 days.

The delay, which is highly common with email-related breaches in healthcare, together with the sensitivity of the data the account held, prompted the fine, Oregon Attorney General Ellen Rosenblum explained in the announcement.

The impacted individuals “assumed — incorrectly — their information was safe with Avalon,” said Rosenblum. “We are committed to working with companies to make sure they have the highest data privacy safeguards in place.”

In addition to the $200,000 settlement, Avalon is required to implement an incident response plan that covers a range of scenarios. The plan must include assigned roles for employees, a process for investigating incidents, routine testing and review, and an internal report for incidents that don’t warrant notification to state or federal regulators.

Avalon must also add policies and procedures for monitoring and logging its network, including a written plan for monitoring compliance. The state regulators also required Avalon to assign a qualified employee to maintain and monitor its security program. It should be noted that this role is also a requirement under HIPAA.

The settlement’s requirements will be monitored for seven years by the states.

Scripps Health to pay $3.5 million after 2021 ransomware attack

In the wake of the months-long outage and subsequent data theft affecting 147,267 patients of Scripps Health, multiple breach lawsuits were filed against the California health system. The $3.5 million settlement will resolve those legal filings while requiring Scripps to add certain security elements.

Scripps has already reported a whopping $112.7 million in lost revenue and recovery costs from the cyberattack and outage.

As previously reported, Scripps Health’s network was taken down for nearly a month in May 2021 after a ransomware attack. The incident forced the diversion of trauma, stroke, and heart-attack patients to nearby hospitals and pushed clinicians onto electronic health record downtime procedures.

The outage led to delays in care and overcrowding at nearby hospitals, as reported to Congress and extensively detailed by Christian Dameff, MD, a patient safety advocate and emergency room physician at the University of California San Diego Health — one of the nearby hospitals that experienced the fallout of the attack firsthand.

The driving force of the lawsuits, however, was the impact on patient data. Two months after the incident, Scripps announced that the attackers had gained access to its network several days before deploying the ransomware and stole troves of patient data.

Allegedly, some of the stolen data was unencrypted medical information, including names, Social Security numbers, dates of birth, provider names, driver’s license numbers, health insurance information, and medical record numbers.

The lawsuit claimed ten causes of action, including negligence, violation of right to privacy, and breach of implied contract, among other claims. The filing shows that Scripps “has implemented or will implement certain reasonable steps to adequately secure its systems and environments.”

Under the settlement, affected individuals are eligible to receive up to $1,000 for ordinary out-of-pocket losses, such as unreimbursed bank fees, overdraft fees, charges tied to the unavailability of funds, and a host of other charges directly attributable to the ransomware attack.

Individuals may also receive up to $7,500 in reimbursement for extraordinary losses, such as an “actual documented and unreimbursed monetary loss arising out or relating to identity theft.” The settlement also includes 36 months of free credit monitoring and identity theft and fraud prevention services.

What’s notable is the $3.1 million award for attorneys’ fees. Similar arrangements can be found in healthcare data breach settlements reached in the last year. Several weeks ago, Morley Companies reached a $4.3 million settlement with the 694,000 individuals affected by a 2021 data theft. Of that amount, 33%, or $1.42 million, was directed to attorneys’ fees and costs.

As revealed by BakerHostetler in May 2022, lawsuits filed against hospitals in the wake of a breach are on the rise. The Scripps Health lawsuit highlights another issue: many providers also face the growing trend of “duplicative litigation,” which has created a race to file and increases both the initial cost of litigation defense and overall settlement fees, due to the sheer number of plaintiffs’ attorneys involved.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
