Almost one year after a devastating ransomware attack on Scripps Health, patients have received a letter advising additional personal information may have been compromised.
NBC 7 obtained a copy of the letter dated March 15. It references the cyberattack that occurred between April 26, 2021, and May 1, 2021.
“During the investigation, we identified all documents involved and immediately started working to determine which documents contained personal information. When our review recently concluded, we determined that some of the documents contained one or more of the following: your name, address, date of birth, health insurance information, medical record number, patient account number, and/or clinical information such as diagnosis or treatment information. We have no indication that any of your information has been used to commit fraud," reads the letter.
The letter doesn’t offer any specifics on who may have been impacted.
The patient who provided NBC 7 with a copy of the Scripps Health letter asked for anonymity but says it was the first time she’d been notified that she was a victim of the original cyberattack.
A spokesperson for Scripps Health would not say how many additional patients have been impacted beyond those previously notified.
“Scripps Health has continued to conduct an extensive and time-intensive investigation of the cybersecurity incident that occurred in early May 2021, which has included a manual review of documents involved in the incident. The recently concluded review determined that additional patient information was contained in those documents, and we are mailing notification letters to those newly identified individuals so they can take steps to protect their information. At this point, we have no indication that any of this data has been used to commit fraud,” said public information officer Keith Darce in a statement to NBC 7.
The letter was sent at the same time the American Hospital Association warned its nearly 5,000 members to increase their defenses against potential Russian cyberattacks, advising hospitals to block internet traffic to and from Ukraine.
A cyber security expert at the University of San Diego said hospitals, their suppliers, and vendors that maintain records are especially vulnerable to attacks.
“Cyberattacks on hospitals is something that’s not going to go away anytime soon. It’s going to take a culture change and it’s going to take an investment in technology, both culturally and financially at hospitals across the country in order to change that,” said Nikolas Behar.
“Maintaining the confidentiality and security of our patients’ information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community. We have continued to implement enhancements to our information security, systems, and monitoring capabilities, and are continuing to actively work with federal law enforcement to support their ongoing effort to investigate those responsible,” said Darce.