fbpx

Scripps Health Inadequate Information Security Class Action

Around April 29, 2021, Scripps Health suffered a ransomware attack that the complaint for this class action calls “massive and preventable[.]” The breach exposed the personal and medical information of around 147,000 people. The complaint holds that Scripps is responsible because it did not provide adequate security for its network servers where the information was kept unprotected.

The class for this action is all persons living in the US whose personal and medical information was compromised in the data breach that took place in April 2021. A California Subclass has also been defined, for those in the above class who live in California.

The complaint calls Scripps “the second largest healthcare provider in San Diego.” It quotes the Scripps website as saying that the company “takes great care to ensure [its patients’] health information is kept private and secure.”

In accepting the private personal and medical information of its patients, the complaint alleges, Scripps “assumed a duty to securely store and protect” that information. The information Scripps stores includes names, dates of birth, health insurance information, medical record numbers, patient account numbers, clinical information, treatment information, Social Security numbers, and driver’s license numbers.

The complaint sets forth what it claims is Scripps’s “misconduct,” including “failing to timely implement adequate and reasonable measures to protect [the information], failing to timely detect the Data Breach, failing to take adequate steps to prevent and stop the Data Breach, failing to disclose the material facts that [it] did not have adequate security practices in place to safeguard [the information], and failing to honor their promises and representations to protect [the information]…”

The complaint alleges, “It is apparent from the various notices and sample notices of the Data Breach sent to [the plaintiff in this case and the other class members], and state Attorneys General that the Personal and Medical Information contained on [Scripps’s] servers was not encrypted.”

The complaint claims that, in some ransomware attacks, the cybercriminals gain control of the company’s computer system without gaining access to personal information. In the Scripps attack, the complaint alleges that the cybercriminals did gain access personal and medical information.

It is not clear whether Scripps paid the ransom for the ransomware attack.

Since the attack, the complaint alleges, Scripps “has done very little to protect” the victims. For example, Scripps has only offered a year of identity theft and credit monitoring to “a select few Data Breach victims.”

The complaint alleges that Scripps is “shirking” its responsibilities, and that the data breach took place because the company “fail[ed] to spend sufficient resources on cybersecurity training and adequate data security measures and protocols.” It claims that Scripps could have prevented the data breach.

The counts include negligence, negligence per se, and violations of the California Confidentiality of Medical Information Act (CMIA) and of California’s unfair competition law, among other things.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Scripps Health Inadequate Information Security Complaint

June 21, 2021

Around April 29, 2021, Scripps Health suffered a ransomware attack that the complaint for this class action calls “massive and preventable[.]” The breach exposed the personal and medical information of around 147,000 people. The complaint holds that Scripps is responsible because it did not provide adequate security for its network servers where the information was kept unprotected.

Scripps Health Inadequate Information Security Complaint

Case Event History

Scripps Health Inadequate Information Security Complaint

June 21, 2021

Around April 29, 2021, Scripps Health suffered a ransomware attack that the complaint for this class action calls “massive and preventable[.]” The breach exposed the personal and medical information of around 147,000 people. The complaint holds that Scripps is responsible because it did not provide adequate security for its network servers where the information was kept unprotected.

Scripps Health Inadequate Information Security Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Inadequate Cybersecurity, Your Privacy