What to Know
- Scripps Health CEO Chris Van Gorder releases a memorandum on Monday
- The California Department of Public health calls the cyberattack "ransomware attacks"
- The cyberattack caused rescheduled appointments, affected Scripps email servers, and suspended access to patient portals and other tech applications
Find the latest coverage of the Scripps Health Cyberattack here.
For the past week, as a cyberattack silenced Scripps Health's technology systems, the health care provider's leadership team has itself largely been silent, with its communications staff sending out few updates on the situation, the early ones coming from what appeared to be employees' personal Gmail accounts.
On Monday, though, Scripps Health CEO and president Chris Van Gorder distributed a memorandum to staff about the outage, an incident which the California Department of Public Health described as ransomware, which was not a term used by Van Gorder. Despite being out of the spotlight for the past week, Van Gorder said his "philosophy and Scripps’ philosophy is to be as open and transparent as possible" but insisted that his hands were somewhat tied regarding what he could divulge about the outage.
Get San Diego local news, weather forecasts, sports and lifestyle stories to your inbox. Sign up for NBC San Diego newsletters.
"… I want you to know this is a different kind of situation which limits what and when I can say things," Van Gorder said in the memo. "We need to let our investigation proceed and work with our consultants and outside governmental agencies, and when I can share, I will. I do want you to know that this malware attack targeted our information systems. At this time, we have no reason to believe individual data incidents affecting employees, physicians or patients are related to our current incident."
Elsewhere in the memo, Van Gorder discussed patient care and resuming normal operations during what can only be described as a difficult time at the health care provider.
"… patient care decisions are being made locally between our physicians and clinical team – not at the corporate level," Van Gorder said in the memorandum. "Centrally, we are working to get our systems back up as soon and safely as we can and supporting decisions being made at the patient care level. Thank you for the extraordinary way in which you are caring for our patients and helping me bring Scripps back to normal operations …"
Van Gorder also said Scripps Health had planned for such a situation and was working both internally and with the government to prevent a recurrence of the outage.
..We plan for all emergencies – as we did for this type of situation – even though we had a number of safeguards in place to prevent this happening," Van Gorder also said. "As you know, there are many other hospitals, governmental organizations and businesses that have had to go through this type of situation - some are going through this at the same time across our country and around the world. We are committed to continuing to evolve and enhance our security measures, and look to our government to help private enterprises combat this significant threat to health care.”
Missing from Van Gorder's statement was confirmation that the attack was ransomware, who the cyber suspects are, how much is being demanded to return the systems to Scripps Health's control, and if, and when, that might happen.
The full statement is below:
Office of the President
10140 Campus Point Drive
San Diego, CA 92121
MEMORANDUM
Date: May 10, 2021
To: All Employees & Physicians
From: Chris Van Gorder, President & CEO
Re: CEO Update
After more than a year caring for our patients, community, and each other during the worst pandemic in more than 100 years, I was looking forward to the numbers dropping with our new widespread vaccination program and getting back to our new normal – whatever that was going to look like going forward. I suspect that like all of you, I was hoping for a bit of a break – not that we ever get much downtime in health care. But unfortunately, we are facing another challenge on top of everything else we are doing.
As you know, on May 1st Scripps was hit with a cyber security incident with malware placed on our information system. Our team prepares for this type of situation and immediately took steps to contain the malware by taking a significant portion of our network offline. We – and you – implemented our downtime protocols and initiated our command centers once again. We also
immediately engaged outside consultants and experts to assist us in our investigation and other experts to help us restore our systems and get back online as soon as possible. They are all working 24/7 as I write this note to you.
I want to thank you all for the manner in which you have taken on one more major challenge on top of everything else. I’ve been asked how much more you can all take on top of what you have already done over the past 15 months and more. My answer is Scripps will always do what is necessary to care for our patients first so that means we will do whatever it takes to do so – and you are. Using our manual systems for a couple of hours is one thing – it’s another altogether to do it for days – but you are. I’ve been sent wonderful photos and notes of teams using manual
techniques to make sure the patients are getting the care and support they need.
I should point out that patient care decisions are being made locally between our physicians and clinical team – not at the corporate level. Centrally, we are working to get our systems back up as soon and safely as we can and supporting decisions being made at the patient care level. Thank you for the extraordinary way in which you are caring for our patients and helping me bring Scripps back to normal operations. I’m no longer surprised by your focus, dedication, support and innovation.
You have proven yourselves over and over again. I do want to speak briefly about communication and transparency. My philosophy and Scripps’ philosophy is to be as open and transparent as possible. I will continue to do that but I want you to know this is a different kind of situation which limits what and when I can say things. We need to let our investigation proceed and work with our consultants and outside governmental agencies, and when I can share, I will. I do want you to know that this malware attack targeted our information systems. At this time, we have no reason to believe individual data incidents affecting employees, physicians or patients are related to our current incident. However, if you have any concerns,
please address them to Gerry Soderstrom, our Chief Audit, Compliance and Risk Executive. We plan for all emergencies – as we did for this type of situation – even though we had a number of safeguards in place to prevent this happening. As you know, there are many other hospitals, governmental organizations and businesses that have had to go through this type of situation - some are going through this at the same time across our country and around the world. We are committed to continuing to evolve and enhance our security measures, and look to our government to help private enterprises combat this significant threat to health care.
For our part we are in this battle, but our patients come first. Because of you, our patients are being cared for safely. If you ever have concerns about patient safety, please talk to your managers, physician leaders and location administration right away so we can address immediately. To our physicians, nurses, clinical staff, support staff, information services and all of you who have shifted jobs to act as runners or support the front line – thank you. Once again, we will get through
this together and become a resource for those organizations that will be impacted by situations like this in the future, because as we contain one virus in our country, it appears we have another to confront as a society.
One of San Diego's main health care systems, Scripps Health, had its technology servers hacked on May 1 in what has been deemed a ransomware attack by the California Department of Public Health (CDPH).
And, although the incident has disrupted access to patient information, affected the ability of health care workers to do their jobs and led to a lack of communication with patients, Scripps Health has provided few details about the cyberattack.
Patients who have appointments scheduled in the coming days can call 1-800-SCRIPPS for more information about their appointment status.
The local health-care provider, operates five hospitals in San Diego, along with a series of clinics.
Here's what happened the last week, what we know and what we don't know:
May 7
On Friday, the California Department of Public Health (CDPH) described the ongoing situation at Scripps Heath as a case of "ransomware attacks."
Ransomware typically works by introducing software that encrypts a user's data and holds the decryption key until the ransom is paid. Once that happens, a typical recourse is to reformat and restore the system from backups, an SDSU cyber warfare and cyber terrorism expert Steven Andrés told NBC 7 in 2018.
Scripps described what was happening as "a network outage that resulted in a disruption to our IT systems." On Friday, however, an official with the California Department of Public Health sent NBC 7 the following statement:
"The ransomware attacks were reported to the department. As required by state and federal law, hospitals are required to provide proper patient care at all times, including in any emergency situation. CDPH is actively monitoring the hospitals impacted. These hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital. The department has authority to involuntarily suspend facility licenses in extreme circumstances that pose immediate risk to patient safety. Facilities reliance on emergency protocols does not automatically warrant such action."
It's unknown at this time who is behind the ransomware attack or how much money they are seeking in the ransom. The CDPH referred NBC 7 to Scripps for more details. Later on Friday afternoon, NBC 7 received the following statement from a Scripps Health spokesman:
"... the investigation is ongoing. To date, our investigation has determined that the outage was due to a security incident that involved malware on our computer networks. So as not to compromise the integrity of the ongoing investigation and to maintain our focus on providing the highest level of patient care, we are not able to provide additional details at this time."
At least three Scripps employees tell NBC 7, not only have their hours have been cut because of postponed procedures, but now they’ve been told they’ll have to use their vacation time, or not get paid at all for the cut hours.
Many of the health care workers, who are non-union employees are still reeling from long hours working with COVID-19 patients.
“Scripps should cover our lost wages during this time. They should be covering it and not expect nurses to dip into their PTO (personal time off) when we’ve just come out of Covid and we need our vacation time,” said one health care worker who requested anonymity for fear of repercussion.
Scripps Health did not respond to this specific issue, only referring NBC 7 to a statement issued earlier this week that acknowledges the cyber-attack.
May 6, 2021
Two of San Diego County's biggest health care providers say they're seeing an increase in patients because of a cyberattack that sent the Scripps Health network offline.
Scripps has not confirmed whether or not the cyberattack has slowed patient intake, but both UC San Diego Health and Sharp Healthcare say they're now seeing an increase in patients as a result of the attack.
"As recent events at Scripps Health illustrate, health care systems continue to be prime targets for cyberattacks," read a statement by Jeanna Vazquez of UC San Diego Health sent to NBC 7. That statement continued, "while Scripps Health continues to assess and remedy the situation, ramifications are being experienced across the region."
"UC San Diego Health has seen an increase in patients coming to our facilities, especially to the emergency departments at UC San Diego Health Medical Center in Hillcrest and Jacobs Medical Center in La Jolla," Vazquez's statement added. "In response, we have increased staff where needed and have coordinated patient overflow areas as necessary to accommodate the additional volume — all while ensuring patients are cared for safely and at the highest standards."
A spokesman for Sharp Healthcare also said emergency department patient volume at Sharp's hospitals has increased in recent days.
"Since emergency rooms have been on bypass, we are seeing increased volumes at our [Emergency Department]s over the past few days." spokesperson John Cihomsky said.
Neither UC San Diego Health or Sharp Healthcare were able to provide specific numbers related to their respective patient increases.
A spokesperson for both Alvarado and Paradise Valley hospitals said while neither of the hospitals have seen a "sizable increase in patients at either hospital," it was still too soon for any trend to become apparent.
Representatives for both Kaiser Permanente in San Diego as well as Palomar Health said their respective healthcare systems have not seen an increase in patients since the cyberattack on Scripps Health.
NBC 7 spoke with a nurse who asked to remain anonymous. She said it was frantic inside her Scripps Health facility. She said nurses were crying and feeling uncomfortable, and that some believed Scripps was downplaying the impacts of the outage.
The nurse added that doctors can cancel elective procedures, especially when they don’t have a patient’s history. She said doing so would be for the patient’s own safety. She’s more concerned, though -- because nurses can’t look information up online -- about people having heart attacks or strokes, and those who can’t speak for themselves and don’t know their medical history.
NBC 7 asked a Scripps Health spokesman again on Thursday to provide more info about the malware that had infected their technology systems and when the health system expects to be back online. The spokesman declined to comment.
May 5, 2021
NBC 7 learned the Scripps Health cyberattack is prolonging care for patients, including a much-needed surgery for a woman with a rare disease.
Two months ago, Jonaliza Monforte, 21, was diagnosed with moyamoya disease -- a rare condition that restricts blood flow to the brain because of narrowed vessels. It can put people at risk for a stroke.
“Nobody can really tell how fast my progression is,” Monforte said. “I was told that I’m needing the surgery soon.”
Monforte is a Scripps patient but needs surgery from a specialist at Stanford University.
But here’s the problem: Saturday’s cyberattack forced Scripps Health offline and Monforte said she can’t get her medical records and images sent to Stanford, which is prolonging her surgery.
She said she can’t get answers from Scripps when she calls.
“Every time I would call they would just tell me that their system is still down and to keep calling every day.”
Scripps Health sent out the following statement via what appeared to be an employee's personal Gmail account:
On May 1, Scripps Health began experiencing a network outage that resulted in a disruption to our IT systems at our hospitals and facilities. Upon discovering the outage, we immediately initiated an investigation and took steps to contain the outage, including by taking a significant portion of our network offline as a proactive security measure. An independent cybersecurity firm was engaged to assist in our investigation and restoration efforts. While the investigation is ongoing and in the early stages, we have determined that the outage was due to a security incident involving malware on our computer networks. Scripps technical teams are working 24/7 to restore our systems as quickly and safely as possible, and in a manner that prioritizes our ability to provide patient care.
While this incident has resulted in operational disruptions at our hospitals and facilities, our clinical staff is trained to provide care in these types of situations, and are committed to doing so. Scripps Health physicians, nurses and staff are implementing workarounds to mitigate any disruptions and provide uninterrupted care to our patients.
As a result of this incident, we need to reschedule some patients’ appointments and are reaching out to them to do so. Patients who have appointments scheduled during the next several days and are unsure about their status may call 1-800-SCRIPPS for more information.
May 4, 2021
On Tuesday, NBC 7 asked a spokesman from Scripps about the impact to patients and their personal information, but he declined to comment. On Monday, though, the healthcare provider said the cyberattack had prompted some patients to reschedule appointments and would be contacting them to do so. At the time, it was not clear how providers would be making contact with patients.
Poway patient Chris Sheridan told NBC 7 on Tuesday that he -- like many others -- learned they still had appointments by using Scripps Facebook account.
Sheridan was recovering at home after a two-hour shoulder surgery Monday at Scripps Carmel Valley. He went in with some concerns but said he got the same level of care he expected before the cyberattack.
“I was worried going in that something was going to be different,” Sheridan said. “I was very happy to have my shoulder surgery go on as planned.”
Sheridan contacted his healthcare providers via Facebook's Instant Messenger app.
"They got back to me saying to keep my scheduled time unless I was otherwise told,” Sheridan said.
May 3, 2021
A spokesman for Scripps declined to comment Monday when asked whether the incident was a case of ransomware, in which malicious code is introduced to a computer system, rendering it inoperable until a ransom is paid.
On Monday afternoon, the heath-care provider had one of its media representatives send out the following statement from what appeared to be a personal Gmail account:
"As Scripps Health continues to address the cyberattack from this past weekend, our facilities remain open for patient care, including our hospitals, emergency departments, urgent care centers, Scripps HealthExpress locations, and other outpatient facilities. Our technical teams and vendor partners are working tirelessly to resolve issues related to the cyberattack as quickly as possible."
Scripps also said the cyberattack had prompted some patients to reschedule appointments and would be contacting them to do so. It's not clear how that contact would be made, since it appeared Scripps' email servers were affected by the outage. Patients who had appointments in "the next several days" can call 800-SCRIPPS for more information.
May 2, 2021
Scripps Health first confirmed on Sunday that their technology servers were hacked overnight forcing the health care system to switch to offline chart systems and causing a disruption to their patient portals.
Scripps did not provide any information on how the cyberattack occurred or state exactly what systems were affected by the breach.
The health care system said they suspended access to their patient portals and other "technology applications related to our operations at our health care facilities," but stressed that patient care continues using "established back-up processes, including offline documentation methods."
The San Diego County Office of Emergency Services (OES) said ambulances were being diverted from Scripps' facilities to other hospitals in the area but that it was a precautionary measure.
As of May 5, the county had stopped adjusting its routing of ambulances to hospitals, according to a county spokesperson.
OES officials said Sunday that its cybersecurity professionals were investigating the cyber attack.
Scripps said that outpatient urgent care centers, Scripps HealthExpress locations and their emergency departments remain open for care.
Scripps Health is not the first major entity in San Diego to be hit by a ransomware attack. In September 2018, cyber-crooks hit the Port of San Diego. Hackers breached the Port’s information technology systems and demanded payment in Bitcoin, the agency said, though the amount was not disclosed.
