Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit

December 30, 2022

Scripps Health has proposed a settlement to resolve a consolidated class action lawsuit – In Re: Scripps Health Data Incident Litigation – and all claims related to its 2021 ransomware attack.

In April 2021, Scripps Health suffered a ransomware attack that was reported to the Department of Health and Human Services as affecting 147,267 patients. The attack caused major disruption at Scripps Health hospitals. Scripps Health had to redirect ambulances and cancel scheduled appointments, and the staff was forced to record patient information on paper while the San Diego-based health system restored its IT systems – a process that took around a month.

The investigation revealed the hackers stole files from its network on April 29, 2021, which contained protected health information such as names, Social Security numbers, driver’s license numbers, and healthcare information, including information stored in medical records. The ransomware attack has proven to be incredibly costly for Scripps Health. Its financial statements show the attack cost at least $113 million in lost revenue.

Multiple lawsuits were filed against Scripps Health in the San Diego County Superior Court in the wake of the data breach on behalf of individuals affected by the ransomware attack. The lawsuits allege Scripps Health failed to implement and maintain adequate security measures to protect patient information and had inadequate policies and procedures for detecting and remediating cyberattacks, despite being aware of the high risk of an attack.

The plaintiffs allege they have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, including being prevented from accessing the MyScripps patient portal, which is used by patients to access their healthcare information, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring Scripps Health to implement adequate security measures to better protect patient data in the future.

Scripps Health has not admitted any wrongdoing and does not accept liability for the ransomware attack and data breach. The decision was taken to settle the lawsuit to prevent further legal costs, avoid the uncertainty of trial, and resolve all claims related to the data breach. Under the terms of the settlement, class members are entitled to submit a claim for a cash payment of up to $100, which is subject to a pro rata increase based on the number of claims received. In addition, class members are entitled to submit claims for documented ordinary and extraordinary losses. The settlement amount is expected to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket expenses are permitted up to a maximum of $1,000 per class member. Ordinary losses include unreimbursed bank fees, card re-issuance fees, overdraft fees, over-limit fees, telephone charges, costs of credit reports, and similar losses that can be reasonably traced to the ransomware attack.

Extraordinary losses are those related to identity theft that are fairly traceable to the ransomware attack and were suffered between April 29, 2021, and March 23, 2023. To qualify for reimbursement for extraordinary losses, class members must have made reasonable efforts to avoid suffering losses and must have exhausted available avenues for recovering losses related to identity theft.

Class members wishing to exclude themselves from or object to the settlement have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is scheduled for April 7, 2023.

The post Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit appeared first on HIPAA Journal.