The Scripps Health ransomware attack of May 2021 represents one of the largest healthcare data breaches in recent history, affecting 147,267 patients whose personal and medical information was compromised when threat actors deployed malware across Scripps Health’s network. The resulting class action settlement offers affected patients compensation of at least $100 per person, along with 36 months of free identity theft protection services. This settlement emerged from allegations that Scripps Health failed to maintain adequate cybersecurity measures and lacked sufficient protocols to detect and respond to the cyberattack that ultimately crippled the San Diego health system’s operations.
The breach caused severe operational disruption to Scripps Health facilities throughout San Diego County. For approximately four weeks, the healthcare system struggled to restore its IT infrastructure while ambulances were diverted to other hospitals and thousands of scheduled patient appointments were canceled. During this crisis period, medical staff resorted to recording patient information on paper—a dramatic reversal to pre-digital healthcare practices that illustrated the extent of the system failure.
Table of Contents
- What Happened During the Scripps Health Ransomware Attack?
- How Much Did Patients Receive in the Settlement?
- What Were the Allegations Against Scripps Health?
- Who Was Eligible to File a Claim?
- What Limitations Existed in the Settlement Coverage?
- How Does This Settlement Compare to Other Healthcare Breach Settlements?
- What Do Healthcare Organizations Need to Learn from the Scripps Health Incident?
- Conclusion
What Happened During the Scripps Health Ransomware Attack?
On May 1, 2021, threat actors successfully breached Scripps health‘s network and deployed ransomware designed to encrypt systems and acquire copies of sensitive documents. The attack was neither a targeted assault on Scripps specifically nor an isolated incident; ransomware attacks against healthcare providers had been escalating for years, but this incident became one of the largest in scope and financial impact. The attackers gained the access they needed to install malware that gave them copies of documents containing patient names, dates of birth, Social Security numbers, insurance information, and medical records. The recovery period lasted approximately four weeks—an eternity in hospital operations. During this time, Scripps Health’s electronic health record systems, laboratory information systems, and patient scheduling systems remained offline or severely compromised.
The organization had to make critical decisions about which systems to restore first, how to coordinate patient care across multiple facilities, and how to communicate the breach to tens of thousands of affected individuals. Unlike retail companies that can pause operations during a cyberattack, hospitals cannot simply shut down. Staff had to maintain patient care while operating with severely limited digital tools. The financial toll on Scripps Health was staggering: the total cost reached $112.7 million, with $91.6 million attributed to lost revenue during the recovery period alone. This figure reflects not just the cost of IT restoration and forensic investigation, but also the loss of elective procedures, emergency department diversions, operational inefficiencies, and additional staffing expenses required to manage the crisis. For comparison, most organizations never experience a single incident costing anywhere near this amount—it placed Scripps among the most expensive breach incidents on record.
How Much Did Patients Receive in the Settlement?
The $3.5 million settlement was divided among class members, with each affected patient guaranteed a minimum payment of at least $100. For those who experienced out-of-pocket expenses directly related to the breach—such as credit monitoring services they paid for themselves, credit reports obtained to check for fraud, bank fees from fraudulent charges, telephone charges from fraud investigation calls, or identity theft recovery costs—reimbursement was available up to a maximum of $1,000 per person. This created a tiered compensation approach: everyone received at least $100, but those who documented qualifying expenses could receive more. A significant limitation of this settlement structure is that $1,000 maximum reimbursement may not cover all expenses for individuals who experienced identity theft or credit issues as a result of the breach. Someone whose identity was used to open multiple fraudulent accounts could incur thousands of dollars in recovery costs, legal fees, and credit repair services.
The settlement provides a baseline protection, but substantial expenses beyond this cap would not be recovered through this legal action. Additionally, claimants needed to submit documentation of their out-of-pocket expenses by the May 22, 2024 deadline; those who failed to file claims or who lost receipts would receive only the minimum $100 payment. All settlement class members received an additional benefit: 36 months of prepaid identity theft protection and fraud resolution services. This meant that for three years after the settlement, affected patients could access monitoring services, fraud alerts, credit freezing assistance, and identity theft recovery support at no cost. While valuable, this protection has a defined end date—after 36 months, individuals would need to pay for monitoring services if they wished to continue them.
What Were the Allegations Against Scripps Health?
The lawsuit, filed in San Diego County Superior Court under the case name “In Re: Scripps Health data Incident Litigation,” alleged that Scripps Health failed to implement adequate security measures and lacked sufficient policies and procedures for detecting and remediating cyberattacks. The plaintiffs’ legal arguments centered on the premise that a modern healthcare organization of Scripps Health’s size and resources should have possessed more robust cybersecurity defenses that would have either prevented the breach or detected the intrusion much earlier than it was discovered. These allegations reflect a broader pattern of litigation against healthcare organizations in the years following major breaches. When a breach occurs, attorneys evaluate whether the organization’s security posture fell below the standard of care expected for similar institutions. For Scripps Health, questions arose about network segmentation, access controls, backup systems, threat monitoring, and incident response planning.
The fact that attackers were able to install malware and exfiltrate data copies across a healthcare system serving hundreds of thousands of patients suggested security gaps that might have been identified and remediated through more rigorous security audits and penetration testing. Importantly, Scripps Health admitted no wrongdoing in the settlement agreement. This is a standard feature of most class action settlements in the healthcare breach context. By settling, the organization avoids the expense and uncertainty of prolonged litigation without conceding that it violated any legal duties. From a plaintiff’s perspective, the $3.5 million settlement represented compensation for the breach and the time patients spent monitoring for fraud and identity theft; from Scripps Health’s perspective, the settlement was a defined cost for resolving litigation.
Who Was Eligible to File a Claim?
The settlement class included all individuals whose personal information was compromised in the Scripps Health ransomware attack. This broad definition meant that anyone who received a breach notification letter from Scripps Health was eligible to submit a claim and receive at least the $100 baseline payment. Patients did not need to prove that their information was actually misused or that they suffered identity theft; exposure to the breach was the qualifying factor. However, one practical challenge facing potential claimants was the requirement to submit claims by the May 22, 2024 deadline. This date marked the end of the claims period, after which no new claims would be accepted unless they involved extraordinary circumstances.
For individuals who received breach notification letters years earlier and filed them away, or who were unaware of the settlement opportunity, the deadline came and went without compensation being available. This is a common limitation in class action settlements—there is always an endpoint after which claims can no longer be filed, even if someone discovers the settlement opportunity later. Class members who wanted to claim reimbursement for out-of-pocket expenses needed to submit documentation along with their claim forms. Acceptable documentation included receipts for credit monitoring services, credit reports, fraud investigation expenses, and identity theft recovery services. Those whose expenses were primarily time and inconvenience—hours spent on hold with creditors, stress from dealing with fraudulent accounts, lost wages from time spent on fraud resolution—could not be reimbursed, as the settlement was structured to cover documented monetary expenses only.
What Limitations Existed in the Settlement Coverage?
The $3.5 million total settlement fund meant that the per-person payment would be reduced if claim rates were exceptionally high or if many claimants submitted expensive out-of-pocket reimbursement requests. This is a fundamental constraint of class action settlements: the total fund is fixed, but the number of eligible claimants and their claim amounts can vary. If 100,000 claimants each submitted claims with maximum $1,000 reimbursement requests, the fund would be insufficient to cover all amounts at the maximum level. Settlement administrators would then apply a proportional reduction to bring claims within the available fund. Another significant limitation is that the settlement does not cover ongoing identity theft monitoring beyond the initial 36 months. After the identity theft protection services expire, class members would need to pay out of pocket if they wanted to continue monitoring.
For individuals who experienced identity theft during the 36-month protection period, ongoing monitoring might be advisable—but the settlement does not address how it should be funded thereafter. This is a particular concern for younger claimants whose information could potentially be misused for decades. Additionally, the settlement does not address potential future misuse of the exfiltrated information. Data breaches often go undetected for months or years before being exploited, and sometimes stolen data is sold on the dark web and used in waves of identity theft stretching across years. The settlement was finalized based on identity theft incidents known as of the settlement date, but it does not provide additional compensation if new fraud episodes emerge years later from the same stolen data. Claimants who experience identity theft in 2027 or 2028 related to information stolen in the 2021 breach would not have a direct remedy through this settlement.
How Does This Settlement Compare to Other Healthcare Breach Settlements?
Healthcare data breach settlements vary widely in their terms and compensation levels. Some settlements provide only identity theft protection services with minimal cash compensation; others offer substantially higher per-person payments but smaller identity theft protection periods. The Scripps Health settlement’s combination of a $100 minimum payment plus reimbursement up to $1,000 plus 36 months of protection services places it in the moderate-to-generous range compared to similar breaches affecting comparable patient populations.
For context, larger healthcare breaches affecting millions of patients have sometimes resulted in smaller per-person payments due to the massive number of claimants diluting the settlement fund. The Anthem BCBS breach, which affected nearly 79 million individuals, resulted in a $115 million settlement—far larger in absolute terms than Scripps Health’s $3.5 million, but distributed across a vastly larger population, yielding substantially lower per-person compensation. The Scripps Health settlement’s focus on a more defined affected population (147,267 individuals) allowed for more meaningful payments and more substantial identity theft protection services per person.
What Do Healthcare Organizations Need to Learn from the Scripps Health Incident?
The Scripps Health ransomware attack and the resulting litigation have become a case study for healthcare cybersecurity. The incident revealed that even large, well-established health systems with sophisticated operations can fall victim to ransomware attacks that disable critical infrastructure and force difficult operational decisions. In the years since the attack, healthcare organizations have invested substantially more in backup systems, network segmentation, threat detection, and incident response planning—changes driven partly by the realization that the cost of a major breach extends far beyond the initial technical remediation.
Looking forward, healthcare organizations recognize that ransomware attacks will likely continue and that patient data breaches will remain a reality in the digital healthcare landscape. The larger trend suggests that individual settlements and class actions will continue to emerge, and that healthcare organizations will need to balance cybersecurity investment against other operational costs. For patients and consumers, the Scripps Health settlement demonstrates that breaches have legal consequences for organizations and that affected individuals have a right to pursue claims and compensation, even when the organization settles without admitting wrongdoing.
Conclusion
The Scripps Health ransomware settlement provides $3.5 million in compensation to patients whose personal and medical information was compromised in the May 2021 attack that crippled the San Diego health system for weeks. Eligible class members receive a minimum of $100, reimbursement up to $1,000 for documented out-of-pocket expenses, and 36 months of free identity theft protection services. The settlement emerged from allegations that Scripps Health failed to implement adequate cybersecurity measures, though the organization admitted no wrongdoing.
If you were a patient of Scripps Health during or around the time of the May 2021 breach and received a breach notification letter, you may be eligible for compensation. The May 22, 2024 deadline for claims has already passed, but individuals who submitted valid claims before that date should track their claim status and ensure they receive the compensation they are owed. For those interested in reviewing settlement details or checking claim status, consulting the official settlement administrator’s information and original court documents provides the most authoritative information about your specific eligibility and payment status.