Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack
Complaints Allege Patient Care Was Delayed, Data at Risk
Several proposed class action lawsuits filed against Scripps Health in the wake of a recent ransomware attack that compromised data for nearly 150,000 individuals allege the incident put personal and health information at risk for identity theft and fraud. But at least one of the lawsuits also claims that the network disruption resulted in delayed treatment for some patients, causing emotional distress and other effects.
As of Monday, four class action lawsuits related to the ransomware incident had been filed - all in California - against San Diego-based Scripps Health. Two of the lawsuits were filed in state court and two in federal court.
Among the claims, the lawsuits allege Scripps Health failed to comply with a variety of state and federal laws and regulations related to protecting personal and medical privacy, including the California Confidentiality of Medical Information Act, Federal Trade Commission unfair trade practice regulations and the HIPAA privacy and security rules.
"[Scripps Health's] misconduct - failing to timely implement adequate and reasonable measures to protect Plaintiff’s Personal and Medical Information, failing to timely detect the Data Breach, failing to take adequate steps to prevent and stop the Data Breach, failing to disclose the material facts that they did not have adequate security practices in place to safeguard the Personal and Medical Information, and failing to honor their promises and representations to protect Plaintiff’s and Class members’ Personal and Medical Information – caused substantial harm and injuries to Plaintiff and Class members across the U.S.," alleges a proposed class action lawsuit filed June 21 in a California federal court by Scripps Health patient Kate Rasmuzzen.
In a proposed class action lawsuit complaint also filed on June 21 in federal court, another Scripps Health patient, Michael Rubinstein, who is described as having a blood disorder, makes similar claims.
But Rubinstein's lawsuit also alleges that the ransomware incident, which prevented clinicians from accessing patients' electronic medical records and patients from accessing their portal health records, including laboratory results, resulted in delays of critical patient care.
"Rubenstein altogether missed a regularly scheduled bone marrow biopsy in May 2021 due to the Data Breach and its resultant online network failure," the lawsuit alleges.
"Rubenstein receives a bone marrow biopsy every four to five years in order to accurately assess his current health condition. Reviewing the results of these biopsies is critical for his doctors to determine and advise in favor or against different treatment options," court papers allege.
"Rubenstein experienced emotional distress in the form of anxiety and lost sleep due to missing this critical appointment."
Medical Records Outage
The outage of Scripps Health systems in the wake of the ransomware incident lasted several weeks, from early May into early June.
Scripps Health in previous statements said that on May 1, it identified "unusual network activity" that affected some of its IT systems. Scripps said it immediately initiated its incident response protocols, which included shutting off select systems. Its investigation determined that an "unauthorized person" had gained access to Scripps' network, deployed malware, and, on April 29, acquired copies of "some of the documents" on its systems.
In early June, Scripps Health began notifying more than 147,000 individuals that their financial and health information was contained in documents that had been stolen by attackers who deployed ransomware on the healthcare organization's network in May.
"Due to Defendant’s negligence and data security failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of hundreds of thousands of individuals for decades to come," alleges the lawsuit filed by Rasmuzzen.
"Additionally, Plaintiff and Class members have already lost time and money responding to and mitigating the impact of the Data Breach, which efforts are continuous and ongoing."
The lawsuits seek damages, as well as "significant Improvements" to Scripps Health's data security systems and protocols.
Scripps Health declined Information Security Media Group's request for comment on the lawsuits.
Injury to Patients
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who is not involved in the Scripps Health lawsuits, says two things stand out about the class action lawsuits against the organization, especially compared with similar legal disputes involving entities in other sectors that also suffer large data breaches.
"First, healthcare has been and remains a low-hanging fruit in a target-rich environment for identity thieves. The abundance of highly exploitable sensitive information as well as the diversity of exploits - health, healthcare, financial and familial - makes healthcare providers an especially tempting target," he says.
"Second, healthcare providers are bound by HIPAA requirements to maintain confidentiality, availability and integrity - and while there exists no private right of action, lying in wait is a wide range of potential civil and regulatory liability lawsuits stemming from unauthorized acquisition, exfiltration and misuse."
Referring to implications of a June 25 U.S. Supreme Court ruling in a privacy case involving credit reporting firm TransUnion, and a previous Supreme Court ruling regarding "Article III injury standing" in a lawsuit against search engine provider Spokeo, Teppler says that in the healthcare arena, "concrete harm may clearly arise in a variety of ways from a ransomware or a hybrid ransomware/extortion incident involving personal health information."
That harm may include health identity fraud, financial fraud - including theft of medical services, hospitalization or tax return fraud, he notes.
"Additional similar liability may arise from the failure to maintain the availability of PHI – which, again in my opinion, likely also meets TransUnion’s clarification of the Spokeo concreteness test," he says.
A key question that remains unanswered after the Supreme Court decision is whether, in the case of a health services provider, the exfiltration of highly and immediately usable information constitutes "concrete" injury for Article III standing, or whether some misuse of that information first needs to be demonstrated, he says.
Also unanswered is whether the encryption by ransomware of personal health information, which prevents the delivery of health care services, constitutes “concrete” injury for Article III standing, or if a plaintiff must allege that he was denied either treatment or prescribed medication, Teppler notes.
He asks, "Taken to its extreme, will a potential plaintiff in this instance be required to show physical injury?" and adds that this question has not been answered by the Supreme Court.
Privacy attorney David Holtzman of the consulting firm HITprivacy says the recent Supreme Court ruling in the TransUnion case could make it even more difficult for plaintiffs and class members in lawsuits against breached organizations to establish standing.
The Supreme Court's ruling in the case involving the TransUnion credit bureau "in effect states you must show actual harm in order to get into the courthouse door. Merely complaining your data was exposed does not comprise an injury that entitles [a plaintiff] to damages," he notes.
"In the end, one answer is to find ways to keep this in state court, where Article III standing may not play any part in determining injury," Teppler says.