2022 Cyberattack Has Cost CommonSpirit $150 Million So Far
Hospital Chain Discloses Impact of Ransomware Attack in Financial Report
The ransomware incident that disrupted hospital chain CommonSpirit's operations for at least a month last fall has cost the organization $150 million in lost revenue, remediation and other expenses so far.
How much of that is covered by insurance as opposed to being an out-of-pocket expense is uncertain, the company disclosed in a financial report to investors.
The chain, which operates about 138 hospitals in 21 states, cannot assure investors that proposed class action litigation filed over the attack will not affect its financial condition or operations as a whole.
The ransomware attack, discovered on Oct. 2, disrupted patient care services at various facilities for more than a month, in part due to the organization taking certain systems offline, including its electronic health records systems and patient portals, during its incident response and recovery process.
Overall for the quarter, CommonSpirit reported operating revenues of $8.30 billion and operating expenses of $8.77 billion, compared to $8.88 billion in revenues and $8.96 billion in expenses for the same period in 2022.
In addition to affecting services at some of CommonSpirit's facilities, the incident also affected the IT operations - and patient care delivery - of some of its former hospitals, for which it was still providing IT services at the time. They include MercyOne in Iowa, which CommonSpirit sold to Trinity Health last year (see: CommonSpirit IT Systems Still Offline One Month Post-Attack).
As of Thursday, Trinity Health had not yet issued an earnings report for the quarter in which CommonSpirit experienced the ransomware incident affecting MercyOne.
CommonSpirit in December also reported to federal regulators that the ransomware incident had compromised the protected health information of about 624,000 individuals. That includes patients of seven hospitals in Washington state that are collectively part of Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit, as well as those patients' family members or caregivers (see: CommonSpirit Ransomware Breach Affects About 624,000 So Far).
At least one of the proposed class action lawsuits filed against CommonSpirit so far involving the attack alleges that a far larger number of individuals had their data exposed in the incident (see: CommonSpirit Facing 2 Proposed Class Action Post-Breach).
Financial Toll of Attacks
CommonSpirit also likely faces additional expenses involving its cleanup of legal fallout from the ransomware incident, some experts say.
"Even if the lawsuits are dismissed early on, CommonSpirit will incur significant legal fees to bring the cases to such a point. And if the cases are not dismissed early on, legal fees will mount," says attorney Peter Halprin of the law firm Pasich LLP, which is not involved in the CommonSpirit litigation.
As for how soon CommonSpirit might see any financial recovery from its insurers, and how much that recovery might be, time will tell, says Halprin, who represents commercial policyholders in complex insurance coverage cases.
"With large losses, it can take a lot of time for large organizations to quantify their losses. And, in tandem, the insurers may utilize their own accountants to determine what they view as the amount of loss," Halprin says.
"Cyber business interruption calculations are an emerging area of dispute," he adds.
Therefore, Halprin suggests that healthcare entities suffering cybersecurity incidents work closely, and early on, with forensic accountants to determine their losses. "Insurance policies can include coverage for the professional fees incurred by such accountants," he adds.
"Insurance coverage can provide valuable bottom-line protection, but it is not automatic," Halprin says. Healthcare entities should collaborate with their in-house professional and outside risk experts to obtain responsive coverage, both when seeking to procure a policy and when an incident arises, he recommends.
In the meantime, the magnitude of the financial impact felt by some organizations experiencing cyberattacks suggests that healthcare entities should "invest heavily in cybersecurity," Halprin says.