Today we have another installment of “Another Week, Another Hack,” and this time, the world-renowned Scripps Institute was the one who got hit.
Based in lovely San Diego, California, the Scripps Institute holds over 1,000 patents, 9 FDA-approved therapeutic drugs, and, as of May 2021, one nasty ransomware attack. Somewhere in the ballpark of 147,000 patient records, including personal medical and financial data, were compromised. A good chunk of Scripps’ IT systems were forced offline for several weeks, and staff had to go back to paper records for the time being.
Scripps is estimating over $90 million in lost revenue due to the breach and another $20-million-plus in expenses for righting the ship. No small chunk of change.
To further complicate matters, the compromised patients and their attorneys are bringing no less than four class-action lawsuits against Scripps. Some early asks are about $4,000 per leaked record. Now, I’m no math wizard, but a quick calculation tells me that adds up to almost $600 million, and that’s before the inevitable punitive-damage claims come around.
So just in case you didn’t catch that the first time around, they’ve already taken a hit of over $110 million and are looking at lawsuits in excess of half a billion.
That. Hurts. Bad.
So what happened exactly? This is tough to say definitively, because little has been released by Scripps, quite possibly due to the pending litigation. They did release a letter that reads like your typical word salad of corporate double-talk, but the damage was done, and they’re doing their best to minimize the impact. If you care to read the corporate statement, it’s in the notes below. https://www.nbcsandiego.com/news/local/what-we-know-about-scripps-health-cyberattack/2598969/
Now, with Scripps being a medical institution bound by HIPAA compliance laws, a breach of this nature is particularly troublesome. It’s tough to speculate, as we have no idea what actually went down since Scripps ain’t talking, but clearly some of the guidelines were, at the very least, only loosely abided by. Full HIPAA compliance is a fairly robust standard to adhere to, and there’s almost no way to get breached if a provider sticks to all of those guidelines.
We’ve definitely interacted with medical providers of all sizes who didn’t believe the compliance police were coming after them, and truth be told, they’re probably right. Enforcement of these rules is fairly lax, and the typical small provider isn’t likely to face a lot of scrutiny. When it’s a big institution, and it’s public like this, those fines are right around the corner. Plus, if they claimed they were in compliance but the investigation shows they were not, those cyber insurance policies are not going to pay out either.
This is definitely a case where it would have paid to have been diligent ahead of time. Once it’s all said and done, Scripps could be looking at upwards of a billion dollars in losses. I can see a much stronger cyber security position in their future. If something like this doesn’t get people to take action, I’m really not sure what will.
Well, that wraps up this edition of Another Week, Another Hack. Does this event get you to take cyber security a bit more seriously? Let’s face it, folks, it’s only a matter of when the next big breach happens, and now that you’re aware of what could be at stake, I’m sure you’ll take action to make sure it doesn’t happen to you! I’d love to hear your thoughts in the comments below. Please like and subscribe, and I’ll catch you on the next one!
STG IT Consulting Group proudly serves Greater Los Angeles and surrounding areas for all of your IT needs.
We look forward to meeting with you!