Four class-action lawsuits have been filed against San Diego-based Scripps Health after an April 29 malware attack that exposed more than 147,000 patients' health information, according to a June 22 San Diego Union-Tribune report.
Scripps began notifying more than 147,000 individuals in early June that their protected health information was exposed during the malware attack. For certain patients, exposed information included names, addresses, birthdates, health insurance data, medical record numbers, patient account numbers and treatment details. Less than 2.5 percent of individuals' Social Security numbers and/or driver's license numbers were involved, according to the health system.
Seven notes:
1. Two of the lawsuits were filed in federal court June 21 and two had already been filed in California state court earlier this month.
2. All four class actions were filed on behalf of different Scripps patients, but all reference the same set of events that Scripps began sending notification letters to more than 147,000 individuals on June 1 to alert them that their personal information was exposed during the malware attack.
3. San Diego County residents Michael Rubenstein and Richard Machado filed one of the federal suits, while local resident Kate Rasmuzzen filed the other federal suit. San Diego Superior Court records listed Scripps patients Kenneth Garcia and Johnny Corning as the filers of the June 1 and June 7 cases in state court.
4. It's not uncommon for multiple cases to come up in federal and state courts following an incident such as the Scripps breach that affects thousands of people, Jocelyn Larkin, executive director of the Impact Fund, a UC Berkeley legal foundation, told the publication.
5. The four cases on file have varying levels of specificity where harm is concerned; Mr. Rubenstein's suit is in reference to how his specific health status suffered when he was unable to access his patient portal while Scripps' system was offline during the attack. He claimed he "was forced to visit a Scripps Health hematology clinic and beg a nurse to provide for him his lab orders" and that he "was unable to confirm whether the timing of particular doses was correct."
6. Mr. Machado claimed in the Rubenstein suit that he was concerned his medical record contained records of a "very personal surgery" he underwent that identified his status as a Type 2 diabetes patient.
7. Rather than focusing on the healthcare consequences resulting from the breach, the Rasmuzzen, Corning and Garcia cases highlighted the costs associated with personal data protection and the potential damage that may be done if cybercriminals got hold of and used their information.
Scripps denied to comment on the lawsuits since they are pending.