An attack back in May on Scripps Health sent patients scrambling to two other large academic emergency departments, which became overcrowded with the amount of people seeking help from their providers.

The two EDs at the University of California saw average daily emergency medical services arrivals rise by nearly 60% year-to-year during the first week of the attack. The number of patients they saw was unprecedented, even during the pandemic, according to Dr. Gary Vike, of UCSD Health. "Usually it ramps up, like in flu seasons when the census will go up 15%-20%, instead of seeing an extra 100 patients a day overnight. I've been with UCSD for 30 years, and it's not something I've seen before," he told MedPage Today.

Hackers in late April gained access to Scripps’ network and deployed malware to exfiltrate copies of data. The attack was severe to the point where the healthcare provider, which serves about a third of patient care in the San Diego area, had to suspend access to its patient portals, email servers and other healthcare-related technology applications, including its EHR system. Providers instead had to rely on offline, paper charts to document patient information and could not view imaging results.
As a result, critical patients were diverted to other nearby providers, including UCSD. Prior to the attack, a mean of 69-71 patients were transported to UCSD’s EDs each day. That number rose to 116 in the days that followed the attack, May 2 to 8 to be exact. During this time, UCSD implemented emergency procedures to bring in extra staff to help, according to MedPage Today.

Dr. Christian Dameff, of UCSD, evaluated this rise in a study where the average daily census grew to 281 over the cyberattack period compared to 174-229 patients during the same week over the last five years. The average daily census for that week in 2020 was 179, and differences were statistically significant for each year compared to 2021. He presented these findings in presentations at the American College of Emergency Physicians annual meeting. "We should be discussing cyberattack impacts on regions and developing regional preparedness plans," he said.

Scripps restored its network systems by May 26 but disclosed very little to the public at the time of the attack. It began notifying patients whose information may have been compromised in late May. Revenue lost from the attack and incremental expenses to address it led the health system to suffer a $112.7 million loss. The loss was also the result of system shutdowns and the investigation into the matter.

In response, a group of patients filed a class action suit against Scripps in June, alleging negligence, invasion of privacy and other issues related to the incident. They said in their filing that the provider had inadequate security measures that prevented it from detecting the attack sooner and has potentially created "a lifetime risk of identity theft” for nearly 150,000 patients.

Health IT Homepage