[BreachExchange] San Diego Health System Struggles Nine Days After Hack

Destry Winant destry at riskbasedsecurity.com
Thu May 13 10:31:58 EDT 2021


https://www.govtech.com/security/san-diego-health-system-struggles-nine-days-after-hack

(TNS) — Scripps Health remained significantly impacted by a ransomware
attack Monday, the ninth straight day since hackers sent the region's
second-largest health system reeling May 1.

The system's website, scripps.org, continued to host only a one-paragraph
message with a notice of a network outage, an apology and a phone number
for patients to call under the headline "Scripps.org will be back soon."

The attack sidelined the organization's electronic medical record and other
electronic systems used to deliver care in hospitals and medical office
buildings, leading to ambulance diversions, canceled procedures and patient
surges at other local facilities. The outage also shut down the "My
Scripps" smartphone application that so many have grown accustomed to using
for messaging their doctors, making appointments and tracking prescriptions.

As was the case last week, Scripps had little to say about the situation
Monday. A single-paragraph statement repeated previous assertions that an
internal investigation "is ongoing."

"So as not to compromise the integrity of the ongoing investigation and to
maintain our focus on providing the highest level of patient care, we are
not able to provide additional details at this time," the statement said.

The silence, both through public channels and privately, is starting to
chafe some Scripps patients, including Gary Miner of Carmel Valley.

An information technology director for a local law firm, Miner said he
spent 45 minutes trying to reach his doctor through the Scripps telephone
system Monday before giving up. The lack of communication on how patients
should carry on during the attack, he said, has been frustrating.

A company as large as Scripps, he said, should have a business continuity
and disaster recovery plan capable of keeping information flowing even in a
situation where bedrock systems are compromised.

"What do I do and who do I trust?" Miner said. "I don't think that I would
be well served going into a Scripps emergency room today after being well
served for 20 or 30 years."

It is disconcerting, he said, not to hear from Scripps Chief Executive
Officer Chris Van Gorder, a local leader known for his willingness to speak
out, especially during the COVID-19 pandemic.

Generally, he said, the current situation forces him to re-evaluate the
trust he has placed in the organization.

"I love my doctors, they're all phenomenal, but this is a failure of
leadership," Miner said. "Not responding is not an acceptable option at
all, ever."

Because the attack is an actual crime, one under investigation by the
Federal Bureau of Investigation, Van Gorder said in an email Monday, there
are significant limits on what can be said.

"It's not business as usual, and I'm limited with what I can say under the
circumstances," Van Gorder said. "We are a very ethical and legal
organization, and my focus now is caring for patients."

Scripps is not the only large organization in San Diego currently dealing
with the fallout from a cyber attack.

On Monday, the University of California posted an update to its previous
statements on an infiltration that allowed hackers to download identifying
information from its servers in late 2020. The breach included full names,
addresses, driver's license information, passport information, financial
information, birthdates and other private details for current and former
employees, students and others who participated in programs throughout the
UC system.

First shared with the public on March 31, the attack occurred on Dec. 24,
2020, and some data was subsequently posted on the Internet. The university
has directly notified those it knows were affected, offering each free
credit monitoring and identity theft protection services.

UC was one of hundreds of organizations breached through a known
vulnerability in the Accellion File Transfer Appliance. Some organizations
have subsequently reported that personal information has been used to
attempt to extort money directly from individual victims.

The university has so far declined to say how many people are affected
either in the aggregate across all of its campuses or at UCSD in
particular. A UCSD official said in an email Monday that UC San Diego
Health and its patients were not affected.