Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Scripps Health Reaches $3.5 Million Data Breach SettlementRansomware Attack in 2021 Disrupted Hospitals and Compromised Patient Data
Scripps Health has agreed to spend more $3.5 million to compensate victims of a 2021 data breach.
See Also: Cyberwarfare in the Russia-Ukraine War
The San Diego, California-based nonprofit healthcare firm's settlement agreement with plaintiffs behind a class action lawsuit filed in the wake of an April 2021 ransomware attack was announced Wednesday. The agreement must still receive court approval and is due to be reviewed in California federal court, where the lawsuit was filed, on April 7, 2023.
"We are pleased to have reached a settlement that Scripps believes is beneficial to those who may have been affected," a spokesperson for Scripps told a San Diego CBS affiliate.
"The parties have not yet received final approval from the court, but preliminary approval has been granted and the parties will complete mailing notification postcards within 30 days of the approval order to the settlement class members," the spokesperson adds.
More details, including how to make a claim, are available on the settlement website.
Under the terms of the agreement, Scripps agrees to pay $3.57 million in "minimum cash settlements" of $100 per victim, as well as to cover some types of additional expenses.
According to a settlement notice published this week, ordinary claims can be reimbursed up to $1,000 for victims who can document out-of-pocket losses related to the attack, such as unreimbursed bank fees, credit card fees and credit monitoring expenses, or other costs tied to identity theft or fraud.
In more extraordinary cases with "documented and proven monetary losses related to identity theft that are fairly traceable to the ransomware attack," victims can claim up to $7,500 for unreimbursed fraudulent charges, professional fees needed to address identity theft or fraud - such as falsified tax returns, account fraud or medical identity theft.
To qualify, victims must file a claim form by March 23, 2023. All of the above, however, remains contingent on the agreement getting court approval.
All members of the settlement class will receive 36 months of prepaid identity theft protection and fraud resolution services without filing a claim, according to the proposal. CBS reports that 1.2 million people would be eligible to receive the identity theft protection and fraud resolution services.
Breach victims may also choose to opt out of the settlement. If more than 1,500 victims opt out, Scripps would have the option to nullify the settlement agreement, according to the settlement agreement.
The class action lawsuit was filed after Scripps suffered a data breach tied to a ransomware attack, in which an "unauthorized person" accessed Scripps' network beginning in late in April 2021 to deploy malware and stole "some documents," the original data breach notification said.
Scripps, which operates four San Diego-area hospitals, was forced to delay patient care and divert some patients seeking emergency treatment to other facilities at the time. The ransomware incident disrupted Scripps Health patient services for weeks, as the organization took offline its electronic health records, patient portal and other systems during its recovery. Clinicians had to resort to using paper records and other manual processes for patient care, and many appointments and procedures were postponed.
Information stolen by attackers included unencrypted medical information such as names, addresses, birthdates, Social Security numbers, driver's license numbers, health insurance information, medical record numbers and patient account numbers for more than 147,000 individuals, Scripps reported in its initial data breach notification, after the attack came to light on May 1, 2021. It said the attack also compromised clinical information such as physician name, dates of service and treatment information.
In March, NBC's San Diego affiliate reported that Scripps had begun notifying even more patients that their information had been exposed in the attack.