UPDATED February 15, 2022 — As Scripps previously announced in June of 2021, on May 1, 2021, we identified unusual network activity that affected some of our IT systems. Immediately upon learning of this incident, we initiated our incident response protocols, which included isolating potentially affected devices and shutting off select systems. We also initiated an investigation, and independent computer consulting and forensic firms were engaged to assist with the ongoing investigation.
The investigation determined that between April 26 and May 1, 2021, an unauthorized person gained access to our network, deployed ransomware, and acquired copies of some of the documents on our systems. By May 10, 2021, we were able to obtain a limited number of documents involved in the incident and, after a thorough review, provided notification to those individuals whose information was contained in those documents. We continued to review documents over the last several months and recently concluded the review. On February 15, we began mailing notification letters to additional individuals whose information was contained in the documents reviewed that were involved in the incident.
For certain impacted patients, this information included one or more of the following: name, address, date of birth, Social Security number and/or driver’s license number, health insurance information, medical record number, patient account number, financial account information, and/or clinical information, such as diagnosis or treatment information. Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, or MyScripps (MyChart).
While there is no indication that this data has been used to commit fraud, we are providing individuals whose Social Security number and/or driver’s license number were found in documents involved in the incident with complimentary credit monitoring and identity protection support services. We also recommend that affected individuals review any statements they receive from their health care providers or health insurers. If you see any medical services that you did not receive, please call the provider or insurer immediately.
Maintaining the confidentiality and security of our patients’ information is something Scripps takes very seriously. We deeply regret that this incident occurred and any concern this may cause. To help prevent something like this from happening again, we are continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.
We have also established a separate call center dedicated to answering questions about this incident. This call center can be reached at 855-535-1822 and is available Monday through Friday, between 6 am and 6 pm, Pacific Time.