Scripps Health Notifies Patients of Data Breach After Ransomware Attack


Scripps Health, a nonprofit healthcare provider in San Diego, has disclosed a data breach exposing patient information after suffering a ransomware attack last month.

The healthcare provider has five hospitals and 19 outpost facilities with over 3,000 affiliate physicians. Every year, Scripps Health treats more than 700,000 patients.

On April 29th, Scripps Health suffered a cyberattack in which threat actors deployed ransomware on its network and encrypted devices.

The attack caused the healthcare provider to suspend its IT systems, including public-facing portals such as MyScripps and scripps.org.

Due to the attack, hospitals in Encinitas, La Jolla, San Diego, and Chula Vista no longer received stroke or heart attack patients, who were diverted to other medical facilities.


Hackers stole patient data during the attack

On Tuesday, Scripps Health released an updated report on the attack and said that threat actors stole patient data during the attack.

“The investigation is ongoing, but we determined that an unauthorized person did gain access to our network, deployed malware, and, on April 29, 2021, acquired copies of some of the documents on our systems,” said an updated Scripps Health security incident notice.

“By May 10, 2021, we were able to access a limited number of documents involved in the incident and, after a thorough review, determined that some of those documents contained certain patient information.”

“As the investigation is ongoing, we do not yet know the content of the remainder of documents we believe are involved, though we are working with third party experts to determine those facts as quickly as possible.”

When ransomware operations breach an organization, they will first silently spread throughout the network while stealing files and data. Once they gain access to a Windows admin account and the domain controller, they deploy the ransomware to encrypt devices.

The ransomware gangs then use the stolen data as leverage by saying they will release the stolen data on data leak sites if the victim does not pay the ransom.

After investigating the stolen data, Scripps Health determined that the attackers stole personal information for certain patients.

“For certain patients, this information included one or more of their names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, date(s) of service, and/or treatment information,” warns Scripps Health.

“For less than 2.5% of patients, Social Security numbers and drivers’ license numbers were also affected.”

“Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network.”

For those patients whose data was exposed, Scripps Health began mailing notification letters on June 1st, 2021.

If the attack exposed a patient’s Social Security or driver’s license numbers, the healthcare provider also provides a free one-year subscription to credit monitoring and identity protection services.


It is unknown which ransomware operation conducted the attack, and none of the stolen data has been publicly released at this time.
