Two class action lawsuits were filed against Scripps Health following a ransomware attack and data exfiltration in May, which impacted the protected health information (PHI) of 150,000 patients.
The lawsuits were filed in the Superior Court of California, San Diego County, and in the U.S. District Court for the Southern District of California. The plaintiffs accuse Scripps of negligence, invasion of privacy, and other security violations.
“That medical histories were accessed in this data hack makes this situation unique,” Scott Cole, the principal attorney on the case, said in a statement. “Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.”
The lawsuits stem from a cyberattack that struck the San Diego health system the weekend of May 1. The ransomware forced Scripps into EHR downtime procedures, which resulted in a number of disruptions, including the diversion of critical care patients for more than a week.
All four Scripps hospitals were placed on emergency care diversion for stroke and heart attack patients, who were sent to local medical centers upon arrival to emergency departments.
The patient portal and website were taken offline during the attack, and some patient appointments were canceled, as providers fell back on paper records to work around outages in the telemetry and communications systems.
The EHR downtime and subsequent recovery efforts lasted for more than three weeks. But during the outage, Scripps maintained open transparency and communication for each step of recovery. In health care, transparency is crucial for empowering patients to preemptively protect their data and accounts from fraud.
However, that level of open communication is not required by the Health Insurance Portability and Accountability Act (HIPAA). Scripps also notified patients, well within the 60-day window the HIPAA Breach Notification Rule allows after discovery, that the attackers had indeed taken patient data before deploying the ransomware.
The June 1 notice stated that the threat actors gained access to the network, exfiltrated copies of a small number of documents, including some health data, on April 21, and later deployed the ransomware. The electronic health record itself was not accessed during the attack; rather, the threat actors stole data stored elsewhere on the network.
The investigation into the scope and type of data is ongoing, but officials said they’ve determined the stolen information varied by patient.
For about 2.5% of the victims, Social Security numbers and driver's license numbers were compromised. For others, the data could include contact details, dates of birth, medical record numbers, health insurance information, patient account numbers, and/or clinical data such as provider names, dates of service, and treatments.
The lawsuit alleges Scripps Health failed to “adequately secure and safeguard electronically stored, personally identifiable information and PHI... stored on its internal record systems for patients, staff and physicians.”
Among other accusations, the lawsuit takes issue with the patient portal outages caused by the attack, as staff and patients were unable to access test results, request prescription refills, or manage appointments, along with other care and communication functions.
Including the attack’s impact on care could help the plaintiffs establish “actual harm.” As most health care data breach settlements and dismissals have shown, courts expect breach victims to provide evidence that a security incident caused them physical or financial harm, not merely that their data was exposed.
For example, the U.S. District Court for the Eastern District of Pennsylvania recently dismissed two of the three claims in a lawsuit filed against Universal Health Services, because the breach victims failed to adequately demonstrate that harm had occurred as a direct result of a ransomware attack.
The claim that was allowed to proceed stemmed from a patient whose surgery was postponed during the three-week network outage, which caused his employment and insurance to lapse as he waited for the surgery to be rescheduled.
A similar case was made in a breach lawsuit against Brandywine Urology Consultants. In February, the Delaware Superior Court dismissed the lawsuit stemming from a 2020 security incident, as the victims did not provide sufficient evidence of injuries or losses.
For the Scripps lawsuit, the breach victims claim they’ve suffered injury as a direct result of the incident, including lost or diminished value of personally identifiable information and PHI, out-of-pocket expenses tied to prevention, detection, and recovery from identity theft, and other related expenses.
The lawsuit further claims the stolen data “remains unencrypted and available for unauthorized third parties to access and abuse and may remain backed up in [Scripps]’s possession and is subject to further unauthorized disclosures” if the health system doesn’t bolster its security.
The breach victims are seeking equitable and injunctive relief, as well as a requirement for Scripps to encrypt patient data in its possession and to delete, destroy, or purge the data tied to the named breach victims.
The lawsuit is also asking the court to require Scripps to implement and maintain a security program able to adequately protect patient data, and to engage a third-party security auditor or penetration tester to find and remediate any security vulnerabilities.
As noted, health care breach lawsuits are highly common given the frequency of security incidents. However, the majority of these cases are settled out of court, which leaves enforcement in a gray area and “actual harm” without an established legal definition.