Scripps Health agreed to pay more than $3.57 million to the 1.2 million people impacted by a 2021 data breach as of Dec. 27. The settlement is awaiting a judge’s approval.
If approved, Scripps’ will be required to pay a minimum cash settlement of $100 to each plaintiff with $7,500 given to those whose identities were stolen and qualified for suffering “extraordinary out-of-pocket expenses," according to information provided on the Scripps' settlement website.
“We are pleased to have reached a settlement that Scripps believes is beneficial to those who may have been affected,” wrote a Scripps spokesperson in a statement, according to Fierce Healthcare. “The parties have not yet received final approval from the court, but preliminary approval has been granted and the parties will complete mailing notification postcards within 30 days of the approval order to the settlement class members.”
In April of 2021, Scripps’ computer system was crippled for nearly a month during a ransomware attack. Plaintiffs alleged, in multiple lawsuits, that the health system failed to secure and safeguard sensitive patient information adequately and violated several laws including violations of the Confidentiality of Medical Information Act and the right to privacy.
It's believed that hackers accessed medical history, Social Security numbers, and driver’s license numbers of less than 2.5% of individuals that were stored on Scripps Health's computer network in a "non-encrypted form."
"Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community," Scripps' wrote in a 2022 press release. "It is unfortunate that many healthcare organizations are confronting the impacts of an evolving cyber threat landscape. For our part, Scripps is continuing to implement enhancements to our information security, systems and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation."
Letters were sent to the 147,267 affected patients in June 2021, while a second round of letters went out in March 2022, according to the health system. The lawsuit claims that a total of 1.2 million patients had their sensitive information placed at risk of identity theft.