SAN DIEGO COUNTY, Calif — Scripps Health is sending another round of data breach letters to impacted patients and it's coming as a surprise for people receiving them so long after the initial ransomware attack back in May of 2021, according to the San Diego Union-Tribune.
The initial group of letters informing the first group of patients affected went out in June, 2021 and, according to Scripps Health, the second and final batch went out in March, 2022 "after manual, time intensive review of documents."
Last year, Scripps Health announced that some patient information was acquired during a ransomware attack, with the investigation ongoing into the full scope of the data breach.
The cyberattack forced San Diego County’s second-largest health system to cancel hundreds of medical appointments and temporarily return to paper charts because ransomware forced the shutdown of its electronic medical records system - losing the hospital $113 million in revenue during that month of May.
As indicated in a letter to affected patients Scripps offers monitoring to anyone whose Social Security or driver’s license number was found in documents taken during the breach.
In a statement last year, the San Diego-based healthcare system said an "unauthorized person" gained access to Scripps' network and while the individual did not access Epic, Scripps' electronic medical record application, "health information and personal financial information was acquired through other documents stored on our network."
Scripps said it was working to notify 147,267 people so they can take steps to protect their information, though there's no indication at present that any data has been used to commit fraud.
Scripps Health also said it would be providing complimentary credit monitoring and identity protection support services "for the less than 2.5% of individuals whose Social Security number and/or driver's license number were involved."
"Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community," Scripps' statement read. "It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape. For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation."
In June, 2021, a pair of lawsuits were filed on behalf of former and current Scripps Health patients who allege their personal information may have been compromised. The complaints filed in San Diego federal court allege Scripps did not properly safeguard its patients' personal information stolen in during the cyberattack, even though Scripps should have been "on notice" of the potential risk due to similar incidents occurring in the health care industry.