Data breach leads to class action lawsuits against hospital

The plaintiffs allege the hospital should have foreseen the breach due to the information it stores and the increasing number of cyberattacks.


California’s Southern District is considering four class-action lawsuits against Scripps Health (Scripps) in response to a data breach that occurred this past spring, in which sensitive personal and medical information of more than 147,000 patients was compromised.

The lawsuits allege that the month-long ransomware attack in April-May 2021 was “massive and preventable” and resulted from Scripps’ negligent and/or careless failure to properly safeguard and secure the data of patients, staff and physicians.

The information stored on the network and compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, medical records, lab results and more. According to one of the lawsuits, the attack also disrupted the IT systems for a full month, preventing patients from logging into their MyScripps accounts and scheduling appointments.

The suits state that following the hack, four of the five Scripps hospitals were unable to receive certain patients, including heart attack and stroke victims.

Also, during the month-long attack period, some employees were instructed to use paid time off or work without pay, as employees were unsure whether the pay system would work while systems were offline.

The cases allege that Scripps should have foreseen the possibility of a cyberattack, given the nature of the information stored and the increasing prevalence of data breaches against entities in possession of health and medical information.

Although the incident happened in late April, the litigation alleges that Scripps did not notify many people affected by the attack until June 1. The complaints also claim Scripps did very little to help protect those individuals who were affected by the breach and only offered 12 months of identity theft and credit monitoring protection to a select few victims.

Parties to the lawsuits ask that Scripps pay $1,000 per violation, up to $3,000 in damages per plaintiff and class member, and other costs.

Editor’s Note: It is unclear whether Scripps had any insurance policies under which coverage would be applicable in this case. However, the severity of this ransomware attack, together with the complaints’ allegation that Scripps should have foreseen the possibility of a cyberattack given the nature of the information stored and the increasing prevalence of data breaches against health providers, is yet another indication that such insurance coverage is becoming more important in our technology age.
