Multiple Class Action Lawsuits Filed Against Scripps Health over Ransomware Attack

Scripps Health based in San Diego is dealing with multiple class action lawsuits due to a ransomware attack in April 29, 2021 that affected 147,267 individuals. Because of the attack, the 5-hospital healthcare system had to take down online systems as it remediates the attack, including its patient website. Although Scripps Health continued to provide patient care, a number of patients were referred to other facilities as a safety measure.

The breach investigation confirmed that prior to the ransomware deployment the attacker exfiltrated files that have patients’ protected health information (PHI). Information breached in the attack contained names, dates of birth, addresses, health insurance data, patient account numbers, medical record numbers, and/or clinical details, like name of physician, dates of service, and/or treatment details.

On June 1, a lawsuit naming Kenneth Garcia as plaintiff was filed in the San Diego County Superior Court. The lawsuit, which demands class-action status, claims Scripps Health was negligent for being unable to prevent the theft of protected health information, which was unencrypted while stored on Scripps Health systems. The legal case states the plaintiff sustained damages because of the unauthorized access of his individually identifiable medical information. Besides monetary damages, the lawsuit demands Scripps Health to enforce necessary security practices to safeguard patient information in the future.

A second legal action naming Johnny Corning as plaintiff was submitted on June 7 in the San Diego County Superior Court. The lawsuit also seeks class action status and claims Scripps Health was at fault for not taking the correct steps to keep the PHI of patients safe. The lawsuit states Scripps Health must have known the possibility of an attack given the number of reported attacks during the past 2 years. Scripps Health should additionally have known the high risk of an attack since there have been alerts from the Federal Bureau of Investigation about the current ransomware attacks on hospitals.

For legal cases of this nature to be successful, it is required to demonstrate that harm was suffered. Conning claims harm was brought about because he was unable to access the MyScripps website, which contained essential information needed for his treatment. He states he sustained anxiety restarting his medical services and online health classes and expended a significant amount of time confirming the legitimacy of the security breach, checking his medical records for identity theft, and monitoring his financial accounts for misuse of his information. Both legal actions claim financial losses were experienced and the plaintiffs are facing a higher risk of identity theft and fraud. The legal cases want monetary compensation of a minimum of $1,000 for each victim and the Conning legal action seeking actual damages of as much as $3,000 for each victim, plus payment for legal fees.

On June 21, another two class-action legal actions were submitted in federal court. The plaintiffs of one legal case are patients Michael Rubenstein and Richard Machado and the plaintiff of the other legal case is Kate Rasmuzzen. Michael Rubenstein claims his health sustained because of not being able to access the patient site. Without portal access, he explained he had to go to a Scripps Health hematology clinic to ask a nurse to access for him his laboratory orders. He also cannot confirm if he was taking the right doses of his medication on schedule. Richard Machado said that his highly sensitive data regarding a very personal surgical procedure was exposed and this brought him great worries. Like the legal cases with Corning and Garcia as plaintiffs, the Rasmuzzen case is seeking damages for the expenses sustained because of the attack and the likelihood of misuse of their personal records.

The lawsuits differ when it comes to specificity, but they make a similar basic claim, that Scripps Health was at fault for failing to stop the attack and avert the stealing of sensitive records and for the violation of privacy. Though evidence of harm should be provided in all four legal actions for standing, the bar is set lower in Californian court compared to in federal court.

Although the data breach impacted 147,267 people, Scripps Health stated fewer than 3,700 persons had either their Social Security number or driver’s license number exposed, and that highly sensitive information found in electronic medical records was not exposed. Persons whose Social Security number or driver’s license number was breached have been given complimentary credit monitoring services for one year.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at