Multiple class-action lawsuits have been filed in state and federal court against Scripps Health following the ransomware attack that took down its network this May.
As reported by the San Diego Union-Tribune, all four of the cases make the same basic claim: that Scripps failed in its duty to protect patient information, subjecting patients to potential consequences, including identity theft and medical fraud.
“Despite the prevalence of public announcements of data breach and data security compromises, Defendant failed to take appropriate steps to protect the PII and PHI of Plaintiff and Class Members from being compromised,” read one of the suits, filed on behalf of plaintiff Johnny Corning in San Diego Superior Court earlier this month.
Scripps declined to comment for this story, citing the ongoing nature of the litigation.
WHY IT MATTERS
Scripps spent most of May grappling with a network shutdown.
Although leadership was initially reticent regarding the attack, president and CEO Chris Van Gorder eventually said it was caused by ransomware.
In his statement, Van Gorder said his reluctance to share more details about the attack stemmed from a fear of “not being able to restore our systems safely and as quickly as possible for you.”
“This is not hypothetical. Other attackers are already using what is being reported in the media to send scam communications to our organization,” he said.
On June 1, as outlined in reports, Scripps began sending letters to more than 147,000 of its customers warning them that their personal information may have been at risk.
The data potentially included addresses, dates of birth, health insurance information, medical record numbers, patient account numbers and clinical information.
Only about 3,700 patients had their Social Security or driver’s license numbers compromised, reported the Union-Tribune.
The suits reportedly vary in terms of alleged harm, with one plaintiff saying he was forced to “beg a nurse” to provide his lab orders for him and another voicing concerns about his records regarding a “very personal surgery.”
The health system could face hefty damages, depending on how the cases proceed.
It wouldn’t be alone in shouldering a huge out-of-pocket cost.
A recent survey by Sophos, a British security company, found that the average bill for rectifying a ransomware attack – including downtime, people time, network cost and ransoms paid – was $ 1.27 million.
“Responding to a critical cyberattack or incident can be incredibly stressful. While nothing can completely alleviate the stress of dealing with an attack, having an effective incident response plan in place is a surefire way to minimize the impact,” wrote Sophos researchers in their survey write-up.
THE LARGER TREND
As the number of high-profile data breaches has risen over the years, so too have the number of lawsuits.
This past year, the Mayo Clinic was sued over a breach of patient health records, after an employee inappropriately accessed the data of more than 1,600 people.
And in 2018, the electronic health record vendor Allscripts was also sued following a ransomware attack, with patients accusing the company of “wanton” disregard.
ON THE RECORD
Scripps “could have prevented this Data Breach by properly securing and encrypting the PII and PHI of Plaintiff and Class Members,” argued one lawsuit.
“Alternatively, [Scripps] could have destroyed the data that was no longer useful, especially outdated data,” it continued.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.