Wed | Jun 30, 2021 | 10:50 AM PDT

It is not very often that a ransomware attack can actually cause physical harm to a person.

We have seen it a few times during the pandemic, with cybercriminals targeting the healthcare sector to steal information on anything related to COVID-19.

Now, we are seeing it again with a ransomware attack that targeted Scripps Health.

Scripps Health patients affected by ransomware

Michael Rubenstein, who lives in California, is suing Scripps Health following a ransomware attack he says threatened his health.

Rubenstein has been diagnosed with Myelofibrosis, a blood disorder that results in a higher red blood cell count than the average person. It is an incurable disease, but can be managed through medication.

According to court documents, here is how Rubenstein must manage his health and why he couldn't do so:

"Because of Rubenstein's condition, he must constantly monitor his disease state through lab results accessible through Defendant's patient portal and Epic EMR in order to determine the proper administration of his ongoing prescribed medications. 

However, as a result of the Data Breach, both the past lab results and future lab orders that Rubenstein had through July 2021 were inaccessible to him. Additionally, there were no alternative or backup systems in place for Rubenstein to access his laboratory information since all of the Defendant's lab results and lab orders are electronically stored and accessible."

Rubenstein was thrown into a panic after this, not knowing how he would manage his condition.

He claims he tried to call his doctors, left voicemails, and even visited the office in person. But according to court documents, he couldn't get the information he needed.

As a result, his only option was to take his medication without knowing his lab results, which he claims was potentially dangerous to his health as he did not know if he was getting the timing and dosages correct.

And there was more Rubenstein had to deal with.

"Rubenstein altogether missed a regularly scheduled bone marrow biopsy in May 2021 due to the Data Breach and its resultant online network failure. Rubenstein receives a bone marrow biopsy every four to five years in order to accurately assess his current health condition.

Reviewing the results of these biopsies is critical for his doctors to determine and advise in favor or against different treatment options. Similar to his reactions to the other events described above, Rubenstein experienced emotional distress in the form of anxiety and lost sleep due to missing this critical appointment."

These are the kinds of allegations popping up against Scripps Health.

Class action lawsuits against Scripps Health

In total, four class action lawsuits have been brought against the healthcare organization for the 2021 ransomware attack that resulted in compromised data of almost 150,000 individuals.

The compromised personally identifiable information (PII) included Social Security numbers, driver's license numbers, health insurance information, and medical records, among others.

Court documents allege that representative plaintiffs and class members have suffered injuries as a result of Scripps Health's conduct. These injuries include:

  • "lost or diminished value of PII/PHI"
  • "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII/PHI"
  • "lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, and significantly the continued increased risk to their PII/PHI"

The court documents also mention that victims' PII/PHI remains unencrypted and available for unauthorized third parties to access.

The lawsuit alleges that Scripps failed to comply with a variety of laws and regulations, including the California Confidentiality of Medical Information Act, Federal Trade Commission unfair trade practice regulations, and the HIPAA privacy and security rules.

These lawsuits prove again that cyber risk is business risk and the consequences can drag on for years in court.