Scripps Health EHR, Patient Portal Still Down After Ransomware Attack

After a ransomware attack on May 1, some technical services remain down at Scripps Health, including the EHR, website, and patient portal; more ransomware, vendor incidents, and an email hack complete this week’s breach roundup.

Scripps Health is continuing to operate under EHR downtime procedures, and its website and patient portal remain offline nine days after a ransomware attack struck its servers. The California Department of Public Health (CDPH) has since confirmed the outages were caused by ransomware.

“The ransomware attacks were reported to the department. As required by state and federal law, hospitals are required to provide proper patient care at all times, including in any emergency situation,” a CDPH spokesperson said in a statement.

“CDPH is actively monitoring the hospitals impacted. These hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital,” they added. “The department has authority to involuntarily suspend facility licenses in extreme circumstances that pose immediate risk to patient safety.”

However, CDPH confirmed the situation at Scripps Health does not currently warrant such intervention.

The attack was first reported on May 1, which officials said resulted in a shift to EHR downtime procedures. Over that weekend, critical care patients were diverted to nearby hospitals, and the patient portal was taken offline. Monday appointments were also postponed.

At the time, reports showed that operations were disrupted at two out of the four main Scripps hospitals and the backup servers that reside in Arizona. Telemetry data was impacted at the majority of Scripps sites and medical imaging access was down.

Further, all four main hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were placed on emergency care diversion for stroke and heart attack patients, as well as all trauma patients. Outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments remained open.

Providers, clinicians, and other care team members are continuing to rely on paper records while Scripps investigates the incident and works to recover its offline systems.

A Scripps spokesperson confirmed on Friday that the investigation determined the outage was caused by a malware infection on the computer networks. However, no details were provided on the projected timeline for recovery or just what systems were impacted.

“While this incident has resulted in operational disruptions at our hospitals and facilities, our clinical staff is trained to provide care in these types of situations, and are committed to doing so,” a spokesperson said on May 5.

“Scripps Health physicians, nurses and staff are implementing workarounds to mitigate any disruptions and provide uninterrupted care to our patients,” they added. “As a result of this incident, we need to reschedule some patients’ appointments and are reaching out to them to do so.”

Local news outlet NBC 7 shared multiple patient, nurse, and local provider accounts that describe delays to much-needed surgeries and a spike in patient visits to nearby care sites, allegedly diverted from Scripps.

For now, Scripps remains primarily offline and is working closely with law enforcement and a third-party cybersecurity team on its investigation and recovery efforts. The website is still down, as of the time of publication.

The incident bears the hallmarks of the ransomware attack and subsequent outage at Universal Health Services last fall. The impact of that attack lasted for several weeks across 400 care sites and cost the health system more than $67 million in recovery costs and lost revenue.

Orthopedic Associates of Dutchess County Ransomware Attack

More than 330,000 patients of Orthopedic Associates of Dutchess County (OADC) were recently notified that their personal and medical information was compromised and acquired after a ransomware attack, data exfiltration, and extortion attempt in March.

On March 5, OADC discovered suspicious activity on its systems and launched an investigation. Officials found that a hacker gained access to several systems four days earlier, encrypted some systems, and removed or viewed certain files.

The investigation has not been able to successfully confirm just what data was exfiltrated. Instead, OADC notified all patients whose data was contained on the impacted systems.

The potentially breached data includes names, contact information, emergency contacts, SSNs, treatments, guarantors, patient identifiers, medical records numbers, payment details, dates of birth, health insurance information and numbers, and diagnoses.

OADC is currently reviewing and bolstering its policies and procedures. The FBI was also contacted.

141K Patients Impacted in Health Aid System Hack

Just over 141,000 patients were recently notified by Health Aid of Ohio that their data was compromised and possibly acquired during a hack of its systems. Health Aid is a home medical equipment provider.

Health Aid discovered the intrusion on February 19; the unauthorized actor gained access to its systems on or shortly before that day. The attacker viewed and took certain files during the incident.

However, the investigation could not confirm exactly which files were affected by the hack. Instead, the business associate notified all individuals whose information was present on the servers at the time of the unauthorized access.

For patients who received services through their VA plan, the affected data includes names, contact details, and the type of equipment delivered to or repaired in their home.

For individuals who received services through other insurance carriers or healthcare providers, the compromised data could include names, contact information, Social Security numbers, dates of birth, diagnoses, insurance details, and the type of provided or repaired medical equipment.

Health Aid has since reviewed and enhanced its existing security policies and procedures and notified the FBI and the Department of Health and Human Services.

Vendor CaptureRx Ransomware Attack Breaches Client PHI

A ransomware attack on HIPAA business associate CaptureRx in February impacted the data of multiple healthcare clients.

The notice does not explain when CaptureRx detected unusual activity within some of its electronic files, only that its investigation concluded on February 19. Officials said they determined an attacker accessed and took some files on February 6.

CaptureRx launched a review of the files’ contents to determine what sensitive information was present at the time of the attack. The review ended on March 19, and impacted providers were notified between March 30 and April 7.

The review concluded that the compromised data included patient names, dates of birth, and prescription information.

So far, reports show the impacted healthcare providers include 17,655 patients of Faxton St. Luke’s Healthcare in New York, 6,777 individuals from Gifford Health Care in Vermont, and an undisclosed number of patients from Thrifty Drug Stores, based in Pennsylvania.

CaptureRx is reviewing its security policies and procedures, enhancing elements where needed. Additional workforce training will also be conducted to reduce the likelihood of a recurrence.

Employee Email Hack of RX Pharmacy and LTC and RX Pharmacy

Washington-based RX Pharmacy and LTC and RX Pharmacy, owned by RXLTC and Prescription Pharmacy, recently began notifying an undisclosed number of patients that their data was compromised after the hack of multiple employee email accounts.

Notably, officials disclosed that the suspicious activity within the email environment was first detected months ago, around October 15, 2020. Under the HIPAA Breach Notification Rule, covered entities must report breaches of patient data without unreasonable delay and no later than 60 days after discovery, not at the close of an investigation.

A subsequent review of the incident found that a business email account was compromised around October 6, more than a week before the activity was detected. RXLTC engaged a third-party forensic specialist to assist with the incident analysis, which found that several workforce accounts had been compromised by an attacker.

The analysis of the affected email files concluded on March 5, 2021, and found that protected health information and patients’ personal data were present in the compromised accounts.

The affected information varied by patient but could include names, contact details, medical conditions, diagnoses, prescriptions, treatments, biometric data, and driver’s license and/or state ID numbers.

For some patients, financial account numbers, payment card numbers, and/or SSNs were also exposed. The review did not find evidence that the attacker specifically accessed this data.

RXLTC is taking steps to enhance the security of its systems and has since reviewed and updated its security policies and procedures.
