Scripps Health Offers to Pay $3.5M to Settle Class Action Lawsuit Over Ransomware Attack

San Diego-based Scripps Health has proposed to settle a consolidated class action lawsuit, the Scripps Health Data Incident Litigation, to resolve all claims associated with its 2021 ransomware attack.

In April 2021, Scripps Health experienced a ransomware attack and reported it to the Department of Health and Human Services, indicating that 147,267 patients were affected. The attack caused major disruption at Scripps Health hospitals. Ambulances were redirected and booked appointments were cancelled. Employees used pen and paper to record patient data for about a month while the health system repaired its IT systems.

The investigation confirmed that on April 29, 2021, the attackers stole patient records from its systems. The records held PHI such as names, driver’s license numbers, Social Security numbers, and medical data, such as data kept in health records. The ransomware attack was extremely expensive for Scripps Health. Based on its financial statements, the attack resulted in roughly $113 million in lost income.

After the data breach, Scripps Health faced multiple lawsuits filed in the San Diego County Superior Court on behalf of the ransomware attack victims. The lawsuits assert that Scripps Health failed to implement and maintain adequate security measures to protect patient data and lacked policies and procedures for detecting and remediating cyberattacks, despite knowing the high risk of an attack.

The plaintiffs claim they endured lost time, annoyance, interference, and inconvenience because of the data breach, including being unable to log in to the MyScripps patient website, which patients use to view their healthcare data, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief requiring Scripps Health to implement adequate security measures to better protect patient information in the future.

Scripps Health did not admit to any wrongdoing and does not accept responsibility for the cyberattack and data breach. The decision was made to settle the lawsuit to avoid further legal costs, avoid the uncertainty of trial, and resolve all claims associated with the data breach. Under the terms of the settlement, class members may submit a claim for around $100, which is subject to a pro-rata increase depending on the number of claims received. Additionally, class members may submit claims for documented ordinary and extraordinary losses. The settlement amount is likely to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket losses are allowed up to a maximum of $1,000 for each class member. Ordinary losses consist of card re-issuance fees, unreimbursed bank fees, overdraft fees, over-limit fees, phone charges, costs of credit reports, and related losses that are fairly traceable to the ransomware attack.

Extraordinary losses are those arising from identity theft that is fairly traceable to the ransomware attack and was experienced from April 29, 2021, to March 23, 2023. To be eligible for compensation for extraordinary losses, class members must have made reasonable efforts to avoid the losses and must have exhausted specific avenues for recovering losses associated with identity theft.

Class members who wish to exclude themselves from the settlement or object to it have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is on April 7, 2023.