Following a ransomware attack that disrupted its IT systems for nearly a month, Scripps Health is now facing four class-action lawsuits from patients for allegedly failing to protect their personal health information.
In early May, the San Diego-based health system experienced a cybersecurity incident, which it later confirmed was a ransomware attack. In response, the health system took several of its systems offline and blocked user access to certain IT applications, including its website and the MyScripps patient portal.
Scripps Health later notified an estimated 147,267 patients that their data was stolen by hackers in the attack, Modern Healthcare reported. The stolen data included both health and financial information.
The four class-action lawsuits, filed over the course of the month, claim that Scripps Health did not adequately protect patients' information. The health system declined to comment because the matter is “ongoing litigation,” said Janice Collins, Scripps’ senior director of public relations, social media, content marketing, in an email.
The first suit specifically claims that the health system “negligently created, maintained, preserved, and stored Plaintiffs’ and the Class members’ confidential, individual[ly] identifiable medical information in a non-encrypted form.”
The exposure of the data has resulted in injury to the patients, another lawsuit states. This includes the lost or diminished value of their personal health information, out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud and/or unauthorized use of the information, and lost opportunity costs, including but not limited to lost time.
Further, the exposed personal health information of the plaintiffs could be sold on the dark web, which opens them up to a “lifetime risk of identity theft,” according to one of the lawsuits.
The health system has done very little to protect plaintiffs and the class members, providing only 12 months of identity theft and credit monitoring protection to a select few victims, alleges another one of the suits.
“In effect, Defendant is shirking its responsibility for the harm and increased risk of harm it has caused Plaintiff and members of the Class, including the distress and financial burdens the Data Breach has placed upon the shoulders of the… victims,” it states.
In three of the lawsuits, plaintiffs want the court to award $1,000 per violation to the plaintiffs individually and to each member of the class. This could result in the health system paying out about $150 million if all those who received data breach notices are included in the class.
The fourth lawsuit asks that the court require Scripps Health to engage independent third-party security auditors and internal personnel to run automated security monitoring and to segment data by creating firewalls and access controls, among other actions.
Plaintiffs in all four suits are demanding a jury trial.