A California healthcare provider is informing more than 147,000 people that their personal data may have been exposed in a recent cyber-attack.
The San Diego–based nonprofit system suspended access to several applications, including MyScripps and scripps.org.
While the majority of Scripps’ network has now been restored, the attack caused four weeks of disruption, with patient appointments’ having to be canceled or rescheduled. Employees were forced to rely on offline documentation methods, and ambulances had to be diverted, causing a surge of patients at other local facilities.
After learning that Personal Identifiable Information (PII) was exposed in the attack, Scripps has begun the process of notifying 147,267 individuals that their information may have been compromised.
Data exposed includes health information, Social Security numbers, driver’s license numbers, and financial information.
In a letter mailed to patients Tuesday, Scripps stated that an investigation into the security incident had determined that an unauthorized person had gained access to the healthcare provider’s network and exfiltrated copies of some documents before deploying ransomware.
The company said: “Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network.”
Scripps said that while it had not found evidence that any of the exposed data had been used to commit fraud, it would be offering credit monitoring to some individuals affected by the attack.
“For the less than 2.5% of individuals whose Social Security number and/or driver’s license number were involved, we will be providing complimentary credit monitoring and identity protection support services,” said the company.
The investigation into what documents were exposed is ongoing, and Scripps said the number of individuals whose data was breached could rise.
“We have kicked off an extensive manual review of those documents. This is a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements,” the company said.