Scripps begins notifying more than 147,000 people of ransomware records breach

Scripps Health announced Tuesday that it has begun notifying nearly 150,000 individuals that their personal information was stolen by hackers during the ransomware attack that hit the local health care giant on May 1.

In a statement, San Diego’s second-largest medical provider says that it is “beginning to mail notification letters to approximately 147,267 individuals so they can take steps to protect their information.” About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide “complementary credit monitoring and identity protection support services.”

“At this point, we have no indication that any of this data has been used to commit fraud,” the Scripps statement said.

Fallout from the incursion took nearly a full month to resolve, forcing medical professionals at all levels of care, from medical offices to hospitals, to document their work on paper charts. Access to important information, such as previous test results, was unavailable for weeks, and Scripps facilities did not begin regaining the ability to create new digital records until late last week when the organization’s MyScripps patient portal also returned to service.

The provider added that the hacker who penetrated its network and “managed to acquire copies of some of our documents before deploying ransomware” was unable to access Epic, its main electronic health care records repository.

Scripps patient Steve Bernitz was glad to learn Tuesday that Epic did not appear to have been infiltrated. He said he continues to await authorization for back surgery, a process that slowed to a glacial pace during the ransomware shutdown.

“The individual doctors and staff people are trying very hard. I just think everything is taking them longer to do and leadership isn’t telling them any more than they’re telling patients,” Bernitz said.

Information that was taken, Scripps said, came from systems other than Epic that had a range of information including: addresses, dates of birth, health insurance information, medical record numbers, patient account numbers and clinical information such as physicians’ names, dates of service and/or treatment.

Scripps declined to say exactly which systems the information was taken from. Officials also would not disclose how they know that Epic was not compromised. The medical records system contains a much more comprehensive trove of highly sensitive data, from doctor progress notes documenting care delivered to test results.

Bernitz said he has been scratching his head about Scripps’ high level of secrecy on the ransomware attack over the previous four weeks.

“I don’t know why they are so secretive,” Bernitz said. “The hackers already know what they took!”

There could, however, be another shoe yet to drop.

Scripps said that its investigation into the monthlong attack is ongoing and some information was taken that Scripps has not yet been able to identify.

“We do not yet know the content of the remainder of documents we believe are involved,” Scripps said. “We have kicked off an extensive manual review of those documents.

“This is a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements.”