SAN DIEGO — Scripps Health has agreed to pay more than $3.5 million dollars to victims of a massive data breach last year that compromised the personal information of more than one million patients.
CBS 8 obtained a copy of the settlement agreement, which still needs the judge's approval.
The May 1, 2021 ransomware attack crippled the healthcare company's computer system. In the breach, hackers obtained customers' health information and personal financial data and placed more than one million people at risk of identity theft.
Scripps' computer system was impacted for nearly a month as the company scrambled to prevent additional data breaches from occurring.
Since the May 1 breach, Scripps' customers whose information was obtained began filing class action lawsuits against the healthcare provider.
In recent months, Scripps and attorneys for the patients have agreed to end the lawsuit.
As part of the agreement, Scripps Health has agreed to pay $3.57 million in "minimum cash settlements" of $100 for each plaintiff. In addition, the healthcare company will pay up to $7,500 to those whose identities were stolen and who qualified for, according to the settlement, "extraordinary out-of-pocket expenses."
In addition, Scripps has also agreed to provide credit monitoring and identity theft protection to the nearly 1.2 million people who joined the lawsuit.
In a statement to CBS 8, a spokesperson for Scripps stated, "Since the incident, Scripps has notified impacted parties, conducted a full investigation, and implemented a variety of additional safeguards to help reduce the likelihood of a similar incident occurring again. As a reminder, there was no unauthorized access to MyScripps (MyChart) patient portal or Scripps’s electronic medical records application."
As for the settlement, the spokesperson told CBS 8, "We are pleased to have reached a settlement that Scripps believes is beneficial to those who may have been affected. The parties have not yet received final approval from the court, but preliminary approval has been granted and the parties will complete mailing notification postcards within 30 days of the approval order to the settlement class members. Settlement class members can go to www.ScrippsSettlement.com or call the settlement administrator's helpline at 800-708-8796 to ask questions or file a claim. If final approval of the settlement is granted, Scripps will compensate settlement class members for the benefits they are entitled to receive and validly claimed under the settlement, including eligible monetary losses."
According to the settlement website, those who feel they were included in the breach still have time to file a claim.
According to the Scripps Data Breach Settlement Website, if you do submit a claim, you sign away your right to sue the health agency.
In order to receive a cash payment or reimbursement for out-of-pocket losses you must submit your claim by March 23, 2023.
You do not need to file a claim to receive identity theft protection and fraud resolution services.
If you decide to object, you may submit an objection to the court explaining why you don’t agree with the settlement.
If you opt to exclude yourself, you will not receive a cash payment or have the chance to enroll in the free identity theft protection and fraud resolution services but are eligible to file your own lawsuit against Scripps. This must be done by March 8.
Lastly, if you chose to do nothing, you will remain in the settlement class and lose the right to get cash payments and reimbursement of any out-of-pocket losses. You’ll still be eligible to enroll and sign up for free identity theft protection and fraud resolution services.