Universal Health Services, one of the largest healthcare providers in the United States, was attacked with Ryuk ransomware in September 2020 and it was initially claimed, in March 2021, that the financial damage caused by the attack equated to $67m in pre-tax losses, with the bulk of the costs due to the initial breach response, remediation, loss of acute care services, and a range of other expenses.
The healthcare system manages 26 acute care hospitals, 330 behavioral health clinics, and 41 outpatient centers. A separate ransomware attack, on Scripps Health, was even more debilitating from a financial point of view. The California-based nonprofit healthcare system manages five hospitals and 19 outpatient clinics. Its network was breached and ransomware was deployed in May 2021. This forced the shutdown of IT systems two of its hospitals, which meant staff couldn’t access the electronic medical record system. Its offsite backup servers were also impacted.
Without access to essential IT systems, Scripps Health took the decision to send stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista to alternative health centers and hospitals for treatment. Additionally, the group could not treat trauma patients at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. It took Scripps Health a month to fully recover from the attack.
The financial damage inflicted due to the ransomware attack is estimated to be $112.7m, according to its third-quarter earnings report. Most of that amount, some $91.6m, was incurred due to lost revenue during the month-long recovery period. $21.1 million was spent on response and recovery, and Scripps Health was only able to recoup $5.9 million from its cyber insurance policy to date. An additional $14.1m – the final insurance payment – is expected to be handed over by the insurer before the end of the current fiscal year.
The costs are likely to grow even more as the PHI of 147,267 individuals was impacted in the ransomware attack, and there are a number of class action lawsuits that are pending. The cost of litigation will be in addition to the $112.7 million already spent.