

Scripps Health, a healthcare provider with five hospitals, 19 outpost facilities and over 3,000 affiliate physicians that treats more than 700,000 patients every year, recently became the victim of a ransomware attack.

In April, Scripps Health suffered a cyberattack in which threat actors deployed ransomware on its network and encrypted its devices, forcing the healthcare provider to suspend its IT systems, including the public-facing portals MyScripps and scripps.org.

The attack led hospitals in Encinitas, La Jolla, San Diego, and Chula Vista to stop receiving stroke and heart attack patients, who were diverted to other medical facilities.

Scripps Health recently released an updated report on the attack, which discloses that the threat actors stole patient data during the attack:

The investigation is ongoing, but we determined that an unauthorized person did gain access to our network, deployed malware, and, on April 29, 2021, acquired copies of some of the documents on our systems. By May 10, 2021, we were able to access a limited number of documents involved in the incident and, after a thorough review, determined that some of those documents contained certain patient information. As the investigation is ongoing, we do not yet know the content of the remainder of the documents we believe are involved, though we are working with third-party experts to determine those facts as quickly as possible.

For certain patients, this information included one or more of their names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, date(s) of service, and/or treatment information. For less than 2.5% of patients, Social Security numbers and drivers’ license numbers were also affected. Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information were acquired through other documents stored on our network.


When ransomware operations attack an organization, they begin by silently spreading throughout the network, stealing files and data along the way. Once they gain access to a Windows admin account and the domain controller, they can deploy the ransomware to encrypt devices.

After investigating the stolen data, Scripps Health determined that the attackers stole personal information for certain patients, and it has been mailing notification letters since June 1st, 2021.


It is still unknown which ransomware operation conducted the attack, as none of the stolen data has been publicly released so far.

Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.