Scripps Health announced Tuesday that some patient information was acquired during last month's ransomware attack, with the investigation ongoing into the full scope of the data breach.
In a statement, the San Diego-based healthcare system said an "unauthorized person" gained access to Scripps' network and while the individual did not access Epic, Scripps' electronic medical record application, "health information and personal financial information was acquired through other documents stored on our network."
Scripps said it was working to notify 147,267 people so they can take steps to protect their information, though there's no indication at present that any data has been used to commit fraud.
Scripps Health also said it would be providing complimentary credit monitoring and identity protection support services "for the less than 2.5% of individuals whose Social Security number and/or driver's license number were involved."
A review is ongoing into the content of the remainder of the documents involved. Scripps described the ensuing investigation as "a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements."
Anyone with questions can contact a dedicated call center at 855-535-1822 on weekdays, between 6 a.m. and 6 p.m.
"Maintaining the confidentiality and security of our patients' information is something we take very seriously, and we sincerely regret the concern this has caused our patients and community," Scripps' statement read. "It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape. For our part, Scripps is continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation."
