Did hackers steal records before ransomware attack? Scripps Health still not saying

Scripps Green Hospital in Torrey Pines on March 9, 2020.
(Nelvin C. Cepeda/The San Diego Union-Tribune)

Patients demand to know whether their personal information was compromised


Did hackers make off with private medical or financial information when they attacked Scripps Health on May 1, or did they just encrypt server contents and demand a ransom?

Eleven days later, Chris Van Gorder, Scripps’ chief executive officer, said in an email that he still could not share any answers.

“The investigation is ongoing,” Van Gorder said.

The dearth of details from the region’s second-largest health care system, one that employed more than 13,000 people and handled more than 1.3 million clinic visits in fiscal 2020, is trying the patience of patients who say they feel they should at least know the extent of the damage by now.

Bonnie Russell of Del Mar, who said she has been a Scripps patient since 2017, said Wednesday, May 12, that the lack of direct communication on the cybersecurity incident has been infuriating.

“I think it is causing patient harm by not telling us whether our records are compromised,” Russell said. “They have an obligation to tell us; they owe us that.”

The situation, she added, confirms her distrust of Scripps’ EPIC medical records system, which she said mistakenly delivered her another patient’s test results nearly four years ago, just after the technology platform went live.

Bruce, a San Diego resident who said he preferred not to have his full name published because “there are a lot of wackos out there,” said his parents are Scripps patients, and it has been difficult knowing what to do with no information on just how deep this hack went.

“Since we don’t know what the status of their personal information is, I’m going to talk to our bank and take steps to protect them from this hack,” he said. “Unfortunately, that may also mean changing health care providers, which would be a huge pain.”

Such precautions, said Mike Hamilton, co-founder of Seattle-based CI Security, are definitely warranted.

“You need to do the standard things, put a fraud watch on bank accounts, make sure that you’ve got credit monitoring set up,” Hamilton said.

Hamilton, a former chief information security officer for the City of Seattle, said that he finds the lack of clear communication in the Scripps hack puzzling.

Eleven days after an attack, he noted, it is usually clear whether records have been stolen.

The increasing use of “double extortion” ransomware attacks means that records often appear online. The term refers to the practice of downloading sensitive records to hacker servers before victims are aware they have been breached. Cyber gangs then threaten to publish those records on their own “news” sites if companies opt to rebuild their systems from backups rather than paying ransoms.

Scripps has not said whether double extortion is in play in its incident. Though independent sources have confirmed that ransomware is involved, Scripps has said only that it found “malware” on its network. Ransomware is a type of malware, which refers to malicious software.

So far, there are no signs of double extortion floating around on the dark web, the unindexed region of the Internet where many illegal goods and services can be found. As of Wednesday afternoon, May 12, the company’s name did not appear on any of 27 such sites tracked by a website that monitors ransomware news sites.

By now, Hamilton added, Scripps should know whether or not patient records are in the hands of hackers. Federal health law, he noted, requires companies with electronic health records to log all activity, including network traffic, meaning that data should exist that would allow forensic analysts to spot large amounts of information being transferred to Internet addresses outside those controlled by Scripps.
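The kind of analysis Hamilton describes, as an added illustration that is not code from the article, from Scripps or from CI Security: a small Python script that sums outbound bytes per (source, external destination) pair from flow-log lines and flags pairs whose total exceeds a threshold. The log format, the internal address range, the threshold and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real Scripps traffic):
# timestamp, source IP, destination IP, bytes sent outbound.
SAMPLE_FLOWS = """\
2021-05-01T01:02:11 10.20.4.15 10.20.9.8 1200
2021-05-01T01:03:40 10.20.4.15 203.0.113.77 52428800
2021-05-01T01:04:02 10.20.4.15 203.0.113.77 734003200
2021-05-01T01:05:19 10.20.7.2 198.51.100.10 4096
2021-05-01T01:06:51 10.20.4.15 203.0.113.77 419430400
2021-05-01T01:07:33 10.20.7.2 10.20.9.8 8192
"""

# Assumed address space the organisation controls; traffic staying
# inside it is not egress and is ignored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_destination(flow_text):
    """Sum outbound bytes for each (source, external destination) pair."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        if is_internal(dst):
            continue  # internal-to-internal transfer, not egress
        totals[(src, dst)] += int(nbytes)
    return dict(totals)


def flag_bulk_egress(flow_text, threshold_bytes=1 << 30):
    """Return sorted (src, dst, total) triples above the byte threshold."""
    return sorted(
        (src, dst, total)
        for (src, dst), total in egress_by_destination(flow_text).items()
        if total > threshold_bytes
    )
```

Real NetFlow, firewall or cloud flow logs carry their own field layout and would need their own parser; in practice a per-host baseline of normal outbound volume catches staged exfiltration better than one fixed threshold.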

It seems clear that Scripps has invested in serious security capabilities. In an email sent Tuesday, May 11, Van Gorder said his organization has “spent millions on cyber security” and has “a dedicated cyber security team.”

When such attacks happen, Hamilton said, companies are generally under strict orders from their insurance companies to report the incident immediately. Insurers generally scramble their own teams to take charge of investigations, and logging systems are generally able to determine, through forensic analysis, what was likely lost and when.

Such analysis, Hamilton said, generally takes three or four days, not 11.

“Certainly they know by this time exactly how this thing went down and what went out the door, if anything,” Hamilton said. “Some public statements about what they found and what they know are late at this point.”

Scripps also has not shared much about the goings-on in its four main hospitals, which have been operating without access to digital patient charts since the attack started.

A nurse at one of those hospitals who asked not to be identified by name for fear of losing their job, said that ambulance and trauma traffic in emergency departments has resumed to some extent even as front-line workers continue to document their care using pens and paper.

The main concern, the nurse said, is when the number of patients in the ER increases rapidly, taxing employees’ ability to keep up. Paper charting presents a significant learning curve for younger workers whose training was often on digital systems.

Pleas for additional staffing to help get through busy moments, the nurse said, are not always being heeded.

“There are times of calm, and there are times of pure chaos and hell where we feel that we are putting our patients and our license at risk and we know/feel that if something were to happen such as a sentinel event, we would not be supported by administration,” the nurse said.

Sentinel events are those outside the normal course of care that result in the serious injury or death of patients.

Thus far, the California Department of Public Health has allowed the hospitals to continue operating through the attack, saying in an emailed statement one week ago that it is monitoring the situation but has determined that its “hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas.” An update was not immediately available Wednesday afternoon, May 12.

In a brief email Wednesday evening, May 12, the San Diego Field Office of the Federal Bureau of Investigation confirmed that it is aware of the “cyber incident” at Scripps Health but provided no information other than that it “routinely advises the public and private sectors before, during and after cyber threats.”

— Paul Sisson is a reporter for The San Diego Union-Tribune