Breaking News
More () »

San Diego's Scripps Health says some patient info acquired during ransomware attack

Scripps said it was working to notify 147,267 people so they can take steps to protect their information.

SAN DIEGO COUNTY, Calif — Scripps Health announced Tuesday that some patient information was acquired during last month's ransomware attack, with the investigation ongoing into the full scope of the data breach.

In a statement, the San Diego-based healthcare system said an "unauthorized person" gained access to Scripps' network and while the individual did not access Epic, Scripps' electronic medical record application, "health information and personal financial information was acquired through other documents stored on our network."

“They lock the system down, and then they communicate with the victim/company, and they say, 'hey we will not unlock your system unless you pay us a ransom,'” said Gil Vidals, Chief Technology Officer for HIPAA Vault. 

HIPAA Vault, a San Marcos-based, cybersecurity firm that works with health networks, practitioners and plan providers, said hackers like those who attacked Scripps are getting bolder and more expensive.

“The ransomware attacks have been happening for many, many years now and it’s only getting worse. It’s grown by about 500% in the last few years because the rewards are handsome. These organizations are getting rewarded in the millions of dollars so of course, they’re incentivized,” said Vidals. 

Scripps said it was working to notify 147,267 people so they can take steps to protect their information, though there's no indication at present that any data has been used to commit fraud.

Scripps Health also said it would be providing complimentary credit monitoring and identity protection support services "for the less than 2.5% of individuals whose Social Security number and/or driver's license number were involved."

A review is ongoing into the content of the remainder of the documents involved. Scripps described the ensuing investigation as "a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements."

Anyone with questions can contact a dedicated call center at 855-535-1822 on weekdays, between 6 a.m. and 6 p.m.

"Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community," Scripps' statement read. "It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape. For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation."

WATCH RELATED: Scripps Health hack forcing appointments to be canceled and more (May 2021)