June 1, 2021 — Scripps Health is notifying individuals whose information may have been involved in a recent cybersecurity incident.
On May 1, 2021, we identified unusual network activity that affected some of our IT systems. Immediately upon learning of this incident, we initiated our incident response protocols which included isolating potentially affected devices and shutting off select systems. We also initiated an investigation, and independent computer consulting and forensic firms were engaged to assist with the ongoing investigation. Federal law enforcement was also notified, and we are assisting with their investigation.
The investigation is ongoing, but we determined that an unauthorized person did gain access to our network, deployed malware, and, on April 29, 2021, acquired copies of some of the documents on our systems. By May 10, 2021, we were able to access a limited number of documents involved in the incident and, after a thorough review, determined that some of those documents contained certain patient information. As the investigation is ongoing, we do not yet know the content of the remainder of documents we believe are involved, though we are working with third party experts to determine those facts as quickly as possible.
For certain patients, this information included one or more of their names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, date(s) of service, and/or treatment information. For less than 2.5% of patients, Social Security numbers and drivers’ license numbers were also affected. Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network.
We began mailing notification letters to affected individuals for whom we have an address on June 1, 2021, which provided guidance on how they can help protect their information. While there is no indication that any data has been used to commit fraud, we are also providing patients whose Social Security number and/or driver’s license number were involved with complimentary credit monitoring and identity protection support services. We also recommend that affected individuals review any statements they receive from their health care providers or health insurers. If you see any medical services that you did not receive, please call the provider or insurer immediately.
Maintaining the confidentiality and security of our patients’ information is something Scripps takes very seriously. We deeply regret that this incident occurred and any concern this may cause.
To help prevent something like this from happening again, we are continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.
We have also established a separate, dedicated call center dedicated to answering questions about this incident. This call center is available at 855-535-1822, and is available Monday through Friday, between 6 am and 6 pm, Pacific Time.