Tag Archive for: Scripps

Scripps Health, Avalon Healthcare reach settlements after data breaches

/in


One hundred dollar bills with Benjamin Franklin's profile are scattered in a pile.
Two recent healthcare data breach settlements spotlight the impact beaches have on the sector. (“Cash Money (part two)” by jtyerse is licensed under CC BY-NC-ND 2.0.)

States have ramped up enforcement efforts against entities affected by ransomware and other data privacy breaches, particularly those in healthcare, over the last year. At an even greater pace, there’s been a relentless uptick in the number of breach lawsuits filed against providers.

Two recent healthcare data breach settlements spotlight the growing dichotomy and impact on the healthcare sector. 

Oregon and Utah recently handed down a $200,000 fine to Avalon Healthcare Management to resolve compliance issues found in the wake of its 2019 email-related data breach, while Scripps Health reached a $3.5 million settlement with patients affected by its 2021 incident.

Avalon Health pays states $200K, with new security requirements

The attorneys general of Utah and Oregon reached a $200,000 settlement with Avalon Health, which also requires the provider to develop and implement practices that aim to bolster its information security for both patient and employee data.

In April 2020, the skilled nursing, therapy, senior living, and assisted living provider reported an email-related incident affecting 14,500 Avalon employees and patients. A threat actor gained access to an email account 10 months earlier in July 2020, after an employee fell victim to a phishing attack.

The account contained employee and patient names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.

The delayed notification prompted the states’ joint investigation, with a particular focus on Avalon’s email security practices and compliance with state breach notification laws and the Health Insurance Portability and Accountability Act. Under HIPAA, notices are required without undue delay and within 60 days of discovery. Under Oregon law, the timeline is just 45 days.

The delay, highly common with email-related breaches in healthcare, prompted the fine, as well as the sensitivity of the data it held,…

Source…

Scripps Health was attacked by hackers. Now, patients are suing for failing to protect their health data

/in


It took several weeks for Scripps Health to get its computer network and medical records system back online after it was hit with a ransomware attack May 1.

Now, the five-hospital health system is facing several class-action lawsuits from patients who charge that system leaders failed to keep their medical data safe from hackers.

San Diego-based Scripps Health was besieged by a cyberattack that forced the health system to take a portion of its IT system offline for several weeks, which significantly disrupted care and forced medical personnel to use paper records. 

But the cybercriminals didn’t just disrupt operations; the hackers also stole data on close to 150,000 patients, the health system said earlier this month.

Scripps Health notified 147,267 patients that hackers acquired some health and personal financial information during last month’s ransomware attack.

A lawsuit filed Monday in the Southern District of California on behalf of patients Michael Rubenstein, Richard Machado and others accuses the health system of negligence and invasion of privacy as a result of the data breach.

RELATED: Before attacking IT systems, hackers stole information from 147K patients, Scripps Health says

The personal information—including names, drivers’ licenses and Social Security numbers and/or patient care records of nearly 150,000 Scripps Health patients—was compromised in the massive data breach, according to Oakland, California-based law firm Scott Cole & Associates, which is representing the plaintiffs in the case.

“That medical histories were accessed in this data hack makes this situation unique,” Scott Cole, the principal attorney on the case, said in a statement. “Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.”

The lawsuit claims Scripps Health maintained inadequate security measures for detecting and addressing the cyberattack, especially given knowledge of a heightened threat.

In addition to monetary damages, the suit demands Scripps Health implement and maintain sufficient security protocols going forward so as to prevent future attacks. 

A Scripps Health…

Source…

Scripps ransomware shutdown hits the two-week mark

/in


As Scripps Health reaches the two-week mark in its ongoing ransomware outage, the “will be back soon” message posted on its website is beginning to look more than a little optimistic.

Though a company spokesman said the health system had nothing new to report on the situation Friday, employees who said they wished to remain anonymous to avoid losing their jobs, confirmed that critical electronic medical records systems remained offline, continuing to force paper documentation and slowing down the pace of care, especially in emergency departments.

Two independent individuals privy to the current situation inside Scripps said that a decision was made Friday to once again divert stroke, trauma and heart attack cases from Scripps Memorial Hospital La Jolla due to concerns over a recent influx of emergency patients at the facility, one of the largest in San Diego.

“I cannot stress this enough, every minute we are there we feel like we are playing with our license,” one nurse said, adding that many have been advising their own family members to stay away. “We are all buying malpractice insurance at this time.”

Regulators, so far, have not expressed similar concerns. In an email sent Friday afternoon, the California Department of Public Health said it “continues to monitor” Scripps facilities, adding that they “are operational and caring for patients using appropriate contingency protocols.”

Patients continue to give mixed reviews of how their care is being influenced by such a long-running cyber attack.

Steve Bernitz of Encinitas said he has been a Scripps spine surgery patient for six years and currently has two ruptured discs in his back that will likely require surgery.

Simply getting Scripps to acknowledge that he was its patient, despite the fact that he has been in “great pain” for the past 10 days, he said, has been nearly impossible.

“They won’t take appointments, they won’t answer any questions about what is happening or when they might re-open, aren’t referring people to outside doctors, and will not even allow their doctors to speak with their patients via telephone as they say they cannot do that without a functioning medical records system,”…

Source…

What We Know About San Diego Scripps Health Cyberattack – NBC 7 San Diego

/in


What to Know

  • The California Department of Public health calls the cyberattack “ransomware attacks”
  • Scripps did not provide any information on how the cyberattack occurred but later determined that the outage was due to a security incident involving malware on its computer networks
  • The cyberattack caused rescheduled appointments, affected Scripps email servers, and suspended access to patient portals and other tech applications

One of San Diego’s main health care systems, Scripps Health, had its technology servers hacked on May 1 in what has been deemed a ransomware attack by the California Department of Public Health (CDPH).

And, although the incident has disrupted access to patient information, affected the ability of health care workers to do their jobs and led to a lack of communication with patients, Scripps Health has provided little details about the cyberattack.


NBC 7

Patients who have appointments scheduled in the coming days can call 1-800-SCRIPPS for more information about their appointment status.

The local health-care provider, operates five hospitals in San Diego, along with a series of clinics.

Here’s what happened in the last week, what we know and what we don’t know:

May 2, 2021

Scripps Health first confirmed on Sunday that their technology servers were hacked overnight forcing the health care system to switch to offline chart systems and causing a disruption to their patient portals.

Scripps did not provide any information on how the cyberattack occurred or state exactly what systems were affected by the breach.

The health care system said they suspended access to their patient portals and other “technology applications related to our operations at our health care facilities,” but stressed that patient care continues using “established back-up processes, including offline documentation methods.”

The San Diego County Office of Emergency Services (OES) said ambulances were being diverted from Scripps’ facilities to other hospitals in the area but that it was a precautionary measure.

As of May 5, the county had stopped adjusting its routing of…

Source…