We usually measure the cost of a data breach or cyberattack in terms of financial damage to organizations. However, a recent incident involving Scripps Health underscored how criminal cyber activity can actually lead to serious physical harm involving patients.
In 2020, the world experienced a 150% surge in ransomware attacks amid the global pandemic, specifically attacks targeting healthcare entities. In the wake of this unprecedented wave of attacks, healthcare services are facing elevated scrutiny from the government, regulatory bodies, and the public at large.
In the healthcare space specifically, compliance is becoming increasingly important, both to manage risk by implementing proper security safeguards and to protect your organization from further legal action.
LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates such as GDPR, CCPA, PIPEDA, FFIEC, NYDFS, HIPAA, HITRUST, PCI DSS, and SOX.
In May 2021, Scripps Health was hit with a ransomware attack. Not only did the attack force Scripps to take down a significant portion of its e-healthcare systems, it also led to a massive leak of personal data belonging to nearly 150,000 of its patients.
The leaked information included sensitive details such as personally identifiable information (PII), including Social Security numbers, driver's license numbers, health insurance information, and medical records, among others.
This seriously compromises not only the security and safety of Scripps’ patients but also their right to privacy.
However, in the aftermath, a potentially more damaging result of the ransomware attack became evident: patients with severe or complex medical conditions were unable to access the resources they had been relying on to manage their health and access healthcare services.
Court documents relate, in detail, the challenges faced by Michael Rubenstein, a Scripps patient suffering from a rare but curable condition, myelofibrosis:
“Because of Rubenstein’s condition, he must constantly monitor his disease state through lab results accessible through Defendant’s patient portal and Epic EMR in order to determine the proper administration of his ongoing prescribed medications.
However, as a result of the Data Breach, both the past lab results and future lab orders that Rubenstein had through July 2021 were inaccessible to him. Additionally, there were no alternative or backup systems in place for Rubenstein to access his laboratory information since all of the Defendant’s lab results and lab orders are electronically stored and accessible.”
It also led to Mr. Rubenstein having to make uninformed decisions that acutely impacted his quality of life in other ways:
“Rubenstein altogether missed a regularly scheduled bone marrow biopsy in May 2021 due to the Data Breach and its resultant online network failure. Rubenstein receives a bone marrow biopsy every four to five years in order to accurately assess his current health condition.
Reviewing the results of these biopsies is critical for his doctors to determine and advise in favor or against different treatment options. Similar to his reactions to the other events described above, Rubenstein experienced emotional distress in the form of anxiety and lost sleep due to missing this critical appointment.”
This shows the severe consequences that disruptions to e-health services can have for patients like Mr. Rubenstein. Stories like these are leading to a series of class-action lawsuits against Scripps.
Multiple Class-Action Lawsuits Brought Against Scripps Health
In June, a number of plaintiffs filed a class-action lawsuit in the Southern District of California against the San Diego-based healthcare provider. While there were initially four lawsuits brought against the company, more might be on the way, with Scripps notifying 147,267 patients that their PII was compromised.
The lawsuits allege that Scripps was negligent in maintaining inadequate security measures and that its response was lacking.
The plaintiffs are seeking actual and punitive damages as well as demanding that Scripps implement adequate security measures to prevent future incidents. According to the lawsuits, patients are seeking recompense for “suffering lost time, annoyance, interference, and inconvenience as a result of the data breach.” Some even report experiencing acute anxiety as a result.
While it’s not clear at this stage, Scripps might face substantial fines for not complying with rules and regulations under the California Confidentiality of Medical Information Act, the Federal Trade Commission, and HIPAA.