Scripps Health Data Breach: Class Actions Claim Co. Negligently Handled Medical Info of More Than 147K People

New to ClassAction.org? Read our Newswire Disclaimer

Scripps Health faces at least two proposed class action cases over a late-April 2021 data breach in which the sensitive personal and medical information of more than 147,000 people was reportedly compromised by cyber criminals. 

The lawsuits, filed in California’s Southern District on June 21, allege the “massive and preventable” month-long ransomware attack to which the healthcare provider fell victim is the result of Scripps’ negligent and/or careless failure to properly safeguard and secure the data, including that of patients, staff and physicians. 

Information stored on the Scripps network and compromised in the incident includes names, dates of birth, Social Security and/or driver’s license numbers, medical records, patient account numbers, health insurance details and clinical information, including physician names, dates of services, progress notes, lab test results and treatment specifics, the cases say. 

According to one suit, the ransomware attack also disrupted Scripps’ IT systems for a month, preventing patients from logging into their MyScripps accounts and scheduling appointments. During that time, hospitals in Encinitas, La Jolla, San Diego and Chula Vista were unable to receive certain patients, including stroke and heart attack victims, due to the breach, the case says. Moreover, some Scripps employees were unsure of whether they would be paid while the systems were offline, with many instructed to use paid time off or work without pay during May, per the lawsuit.

“Due to Defendant’s negligence and data security failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of hundreds of thousands of individuals for decades to come,” one suit alleges. 

According to the litigation, cyber criminals on or around April 29, 2021 infiltrated Scripps’ “inadequately protected network servers” on which highly sensitive information was kept, forcing the defendant to suspend its public-facing portals. The cases allege Scripps should have foreseen the possibility of a cyberattack given the nature of the information it stored and the prevalence of data breaches against entities in possession of health and medical information.

Although the incident took place in late April, many affected by the attack were not notified by Scripps until June 1, the litigation says. Despite the severity of the data breach, Scripps has done little to protect those affected, offering only 12 months of identity theft and credit monitoring protection to “a select few” victims, one suit charges, claiming the defendant is “shirking its responsibility” and instead shifting the burden of the attack onto victims.

The complaints can be read below. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.