SAN DIEGO (KGTV) — Nearly a year after the Scripps Health ransomware attack, the health care system is notifying 'newly identified' patients that may have been impacted.
"There are millions of lines of data logs that a company has to go through with a cyber security breach," said James Linlor, a cyber security expert.
Last May, a cyberattack crippled Scripps' IT systems. Shortly after the attack, the hospital notified more than 140,000 people that their personal information was stolen by hackers.
Patients have since filed class-action lawsuits against the health care system, alleging it did not properly safeguard medical records and other sensitive information.
In a statement to 10news, Scripps' said it continues to conduct an extensive and time-intensive investigation, which included a manual review of documents involved in the incident.
The review determined that "additional patient information" was affected, requiring a second round of data breach letters.
"Companies have to provide this data under discovery... so they [Scripps] are required to do this or there are huge penalties," Linlor said.
Scripps did not say how many additional patients were impacted nor did it specify what personal information was stolen.
"Because it is in the middle of litigation they're [Scripps] not going to want to disclose that because it opens them up to more litigation," Linlor said.
The health care system said it's providing complimentary credit monitoring and identity protection support services to those involved.
However, Linlor said it's important hospitals thoroughly test their security systems and be better prepared to respond to cyberattacks.
"No one's system is that secure. It's how does it respond to its attack and how do you protect the patients. That needs to be the end goal," Linlor said.
Scripps said so far there is no indication that any of the data has been used to commit fraud.
Scripps' full statement:
Scripps Health has continued to conduct an extensive and time-intensive investigation of the cybersecurity incident that occurred in early May 2021, which has included a manual review of documents involved in the incident. The recently concluded review determined that additional patient information was contained in those documents, and we are mailing notification letters to those newly identified individuals so they can take steps to protect their information. At this point, we have no indication that any of this data has been used to commit fraud.
Maintaining the confidentiality and security of our patients’ information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community. We have continued to implement enhancements to our information security, systems, and monitoring capabilities, and are continuing to actively work with federal law enforcement to support their ongoing effort to investigate those responsible.