More than 147,000 patients, staff and physicians may have had their personal and financial information compromised during last month's devastating cyberattack on Scripps Health's internal systems, the health care group confirmed Tuesday.
Scripps Health announced they were notifying patients by email that an "unauthorized person" gained access to their network and acquired copies of documents before deploying ransomware that took their systems offline on May 1. While Scripps' medical records system was not compromised, some health information and personal financial information was, the agency said.
"We are beginning to mail notification letters to approximately 147,267 individuals so they can take steps to protect their information," Scripps wrote in a statement. "For the less than 2.5% of individuals whose Social Security number and/or driver’s license number were involved, we will be providing complimentary credit monitoring and identity protection support services. At this point, we have no indication that any of this data has been used to commit fraud."
Scripps also said there are other documents involved and that they do not yet know the content in those.
"We have kicked off an extensive manual review of those documents. This is a time intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements," Scripps said.
The health group reiterated that they were making changes to their information security and technology systems to prevent an incident like the ransomware attack in the future.
The investigation into the attack is ongoing and Scripps did not release any information on who they believe may be involved.
One month after the outage first began, Scripps said their electronic health record was back online and patients were once again able to log into the MyScripps account and schedule appointments online.
The first sign the systems were coming back online came last week when Scripps Health employees were able to access some internal systems like patient records, their email, payroll and an internal emergency response communication tool.
Despite the compromised systems, Scripps has affirmed that doctors were still able to provide patient care through back-up processes like physical charts, though some patients told NBC 7 their critical care was being postponed and they were having trouble getting answers from Scripps.
Patient appointments that were postponed due to the security breach -- which the California Department of Public Health has called a ransomware attack -- were being rescheduled as of May 18.
Anyone with questions can call a dedicated call center at 855-535-1822. The call center is open Monday through Friday between 6 a.m. and 6 p.m.
The local health care provider operates five hospitals in San Diego, along with a series of clinics.