Scripps Health was attacked by hackers. Now, patients are suing for failing to protect their health data

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.


It took several weeks for Scripps Health to get its computer network and medical records system back online after it was hit with a ransomware attack May 1.

Now, the five-hospital health system is facing several class-action lawsuits from patients who charge that system leaders failed to keep their medical data safe from hackers.

San Diego-based Scripps Health was besieged by a cyberattack that forced the health system to take a portion of its IT system offline for several weeks, which significantly disrupted care and forced medical personnel to use paper records. 

But the cybercriminals didn’t just disrupt operations; the hackers also stole data on close to 150,000 patients, the health system said earlier this month.

Scripps Health notified 147,267 patients that hackers acquired some health and personal financial information during last month’s ransomware attack.

A lawsuit filed Monday in the Southern District of California on behalf of patients Michael Rubenstein, Richard Machado and others accuses the health system of negligence and invasion of privacy as a result of the data breach.

RELATED: Before attacking IT systems, hackers stole information from 147K patients, Scripps Health says

The personal information—including names, drivers’ licenses and Social Security numbers and/or patient care records of nearly 150,000 Scripps Health patients—was compromised in the massive data breach, according to Oakland, California-based law firm Scott Cole & Associates, which is representing the plaintiffs in the case.

“That medical histories were accessed in this data hack makes this situation unique,” Scott Cole, the principal attorney on the case, said in a statement. “Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.”

The lawsuit claims Scripps Health maintained inadequate security measures for detecting and addressing the cyberattack, especially given knowledge of a heightened threat.

In addition to monetary damages, the suit demands Scripps Health implement and maintain sufficient security protocols going forward so as to prevent future attacks. 

A Scripps Health…

Source…