[BreachExchange] Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 29 10:28:58 EDT 2021


https://www.govinfosecurity.com/lawsuits-patients-harmed-by-scripps-health-cyberattack-a-16953

Several proposed class action lawsuits filed against Scripps Health in the
wake of a recent ransomware attack that compromised data for nearly 150,000
individuals allege the incident put personal and health information at risk
for identity theft and fraud. But at least one of the lawsuits also claims
that the network disruption resulted in delayed treatment for some
patients, causing emotional distress and other effects.

As of Monday, four class action lawsuits related to the ransomware incident
had been filed - all in California - against San Diego-based Scripps
Health. Two of the lawsuits were filed in state court and two in federal
court.

Among the claims, the lawsuits allege Scripps Health failed to comply with
a variety of state and federal laws and regulations related to protecting
personal and medical privacy, including the California Confidentiality of
Medical Information Act, Federal Trade Commission unfair trade practice
regulations and the HIPAA privacy and security rules.

"[Scripps Health's] misconduct - failing to timely implement adequate and
reasonable measures to protect Plaintiff’s Personal and Medical
Information, failing to timely detect the Data Breach, failing to take
adequate steps to prevent and stop the Data Breach, failing to disclose the
material facts that they did not have adequate security practices in place
to safeguard the Personal and Medical Information, and failing to honor
their promises and representations to protect Plaintiff’s and Class
members’ Personal and Medical Information – caused substantial harm and
injuries to Plaintiff and Class members across the U.S.," alleges a
proposed class action lawsuit filed June 21 in a California federal court
by Scripps Health patient Kate Rasmuzzen.

In a proposed class action lawsuit complaint also filed on June 21 in
federal court, another Scripps Health patient, Michael Rubinstein, who is
described as having a blood disorder, makes similar claims.

But Rubinstein's lawsuit also alleges that the ransomware incident, which
prevented clinicians from accessing patients' electronic medical records
and patients from accessing their portal health records, including
laboratory results, resulted in delays of critical patient care.

"Rubenstein altogether missed a regularly scheduled bone marrow biopsy in
May 2021 due to the Data Breach and its resultant online network failure,"
the lawsuit alleges.

"Rubenstein receives a bone marrow biopsy every four to five years in order
to accurately assess his current health condition. Reviewing the results of
these biopsies is critical for his doctors to determine and advise in favor
or against different treatment options," court papers allege.

"Rubenstein experienced emotional distress in the form of anxiety and lost
sleep due to missing this critical appointment."

Medical Records Outage

The outage of Scripps Health systems in the wake of the ransomware incident
lasted several weeks in May to early June.

Scripps Health in previous statements said that on May 1, it identified
"unusual network activity" that affected some of its IT systems. Scripps
said it immediately initiated its incident response protocols, which
included shutting off select systems. Its investigation determined that an
"unauthorized person" had gained access to Scripps' network, deployed
malware, and, on April 29, acquired copies of "some of the documents" on
its systems.

In early June, Scripps Health began notifying more than 147,000 individuals
that their financial and health information was contained in documents that
had been stolen by attackers who deployed ransomware on the healthcare
organization's network in May.

"Due to Defendant’s negligence and data security failures, cyber criminals
obtained and now possess everything they need to commit personal and
medical identity theft and wreak havoc on the financial and personal lives
of hundreds of thousands of individuals for decades to come," alleges the
lawsuit filed by Rasmuzzen.

"Additionally, Plaintiff and Class members have already lost time and money
responding to and mitigating the impact of the Data Breach, which efforts
are continuous and ongoing."

The lawsuits seek damages, as well as "significant Improvements" to Scripps
Health's data security systems and protocols.

Scripps Health declined Information Security Media Group's request for
comment on the lawsuits.

Injury to Patients

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg
P.C., who is not involved in the Scripps Health lawsuits, says two things
stand out about the class action lawsuits against the organization,
especially compared with similar legal disputes involving entities in other
sectors that also suffer large data breaches.

"First, healthcare has been and remains a low-hanging fruit in a
target-rich environment for identity thieves. The abundance of highly
exploitable sensitive information as well as the diversity of exploits -
health, healthcare, financial and familial - makes healthcare providers an
especially tempting target," he says.

"Second, healthcare providers are bound by HIPAA requirements to maintain
confidentiality, availability and integrity - and while there exists no
private right of action, lying in wait is a wide range of potential civil
and regulatory liability lawsuits stemming from unauthorized acquisition,
exfiltration and misuse."

Referring to implications of a June 25 U.S. Supreme Court ruling in a
privacy case involving credit reporting firm TransUnion, and a previous
Supreme Court ruling regarding "Article III injury standing" in a lawsuit
against search engine provider Spokeo, Teppler says that in the healthcare
arena, "concrete harm may clearly arise in a variety of ways from a
ransomware or a hybrid ransomware/extortion incident involving personal
health information."

That harm may include health identity fraud, financial fraud - including
theft of medical services, hospitalization or tax return fraud, he notes.

"Additional similar liability may arise from the failure to maintain the
availability of PHI – which, again in my opinion, likely also meets
TransUnion’s clarification of the Spokeo concreteness test," he says.

A key question that remains unanswered after the Supreme Court decision is
whether, in the case of a health services provider, the exfiltration of
highly and immediately usable information constitutes "concrete" injury for
Article III standing, or if some compromise first needs to be demonstrated,
he says.

Also unanswered is whether the encryption by ransomware of personal health
information, which prevents the delivery of health care services,
constitutes “concrete” injury for Article III standing, or if a plaintiff
must allege that he was denied either treatment or prescribed medication,
Teppler notes.

He asks, "Taken to its extreme, will a potential plaintiff in this instance
be required to show physical injury?" and adds that that question has not
been answered by the Supreme Court.

"In the end, one answer is to find ways to keep this in state court, where
Article III standing may not play any part in determining injury."