IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

San Diego Health System Struggles Nine Days After Hack

Patients in San Diego, Calif., are facing substantial roadblocks to their health care as Scripps Health, the second-largest health system in the region, remains relatively silent about a recovery plan.

Cyber attack on Scripps Health
Exterior of Scripps Mercy Hospital Chula Vista on June 24th, 2020 in National City. Speaking to doctors, nurses and healthcare staff helping patients with COVID-19 at three South Bay hospitals.
Alejandro Tamayo/TNS
(TNS) — Scripps Health remained significantly impacted by a ransomware attack Monday, the ninth-straight day since hackers sent the region's second-largest health system reeling May 1.

The system's website, scripps.org, continued to host only a one-paragraph message with a notice of a network outage, an apology and a phone number for patients to call under the headline "Scripps.org will be back soon."

The attack sidelined the organization's electronic medical record and other electronic systems used to deliver care in hospitals and medical office buildings, leading to ambulance diversions, canceled procedures and patient surges at other local facilities. The outage also shut down the "My Scripps" smartphone application that so many have grown accustomed to using for messaging their doctors, making appointments and tracking prescriptions.

As was the case last week, Scripps had little to say about the situation Monday. A single-paragraph statement repeated previous assertions that an internal investigation "is ongoing."

"So as not to compromise the integrity of the ongoing investigation and to maintain our focus on providing the highest level of patient care, we are not able to provide additional details at this time," the statement said.

The silence, both through public channels and privately, is starting to chafe some Scripps patients, including Gary Miner of Carmel Valley.

An information technology director for a local law firm, Miner said he spent 45 minutes trying to reach his doctor through the Scripps telephone system Monday before giving up. The lack of communication on how patients should carry on during the attack, he said, has been frustrating.

A company as large as Scripps, he said, should have a business continuity and disaster recovery plan capable of keeping information flowing even in a situation where bedrock systems are compromised.

"What do I do and who do I trust?" Miner said. "I don't think that I would be well served going into a Scripps emergency room today after being well served for 20 or 30 years."

It is disconcerting, he said, not to hear from Scripps Chief Executive Officer Chris Van Gorder, a local leader known for his willingness to speak out, especially during the COVID-19 pandemic.

Generally, he said, the current situation forces him to re-evaluate the trust he has placed in the organization.

"I love my doctors, they're all phenomenal, but this is a failure of leadership," Miner said. "Not responding is not an acceptable option at all, ever."

Because the attack is an actual crime, one under investigation by the Federal Bureau of Investigation, Van Gorder said in an email Monday, there are significant limits on what can be said.

"It's not business as usual, and I'm limited with what I can say under the circumstances," Van Gorder said. "We are a very ethical and legal organization, and my focus now is caring for patients."

Scripps is not the only large organization in San Diego currently dealing with the fallout from a cyber attack.

On Monday, the University of California posted an update to its previous statements on an infiltration that allowed hackers to download identifying information from its servers in late 2020. The breach included full names, addresses, driver's license information, passport information, financial information, birthdates and other private details for current and former employees, students and others who participated in programs throughout the UC system.

First shared with the public on March 31, the attack occurred on Dec. 24, 2020, and some data was subsequently posted on the Internet. The university has directly notified those it knows were affected, offering each free credit monitoring and identity theft protection services.

UC was one of hundreds of organizations breached through a known vulnerability in the Accellion File Transfer Appliance. Some organizations have subsequently reported that personal information has been used to attempt to extort money directly from individual victims.

The university has so far declined to say how many people are affected either in the aggregate across all of its campuses or at UCSD in particular. A UCSD official said in an email Monday that UC San Diego Health and its patients were not affected.

©2021 The San Diego Union-Tribune, Distributed by Tribune Content Agency, LLC.