Ransomware Attack's Economic Impact: $67 MillionUniversal Health Services' Financial Statement Spells Out the Effects
In an eye-opening look at the cost burden of a ransomware attack, Universal Health Services reports that an incident last September had a $67 million economic impact - citing, for example, the need to divert patients to competing facilities for urgent care.
See Also: Threat Briefing: Ransomware
Although UHS, which reported net revenue of nearly $11.6 billion in 2020, expects insurance to cover much of the cost, some security experts caution other organizations to carefully check the coverage terms of their policies.
King of Prussia, Pennsylvania-based UHS, a publicly traded company, disclosed Thursday in its 2020 fourth quarter and year-end financial statement that an "IT incident" last fall resulted in “an aggregate unfavorable pre-tax impact of approximately $67 million" for the year that ended Dec. 31, 2020.
While UHS has not publicly confirmed the exact nature of the incident, the outage previously has been widely reported as a ransomware attack, likely involving the Ryuk variant (see: Universal Health Services' IT Network Crippled).
UHS operates 26 acute care hospitals, 334 behavioral health facilities, 39 outpatient facilities and ambulatory care access points, an insurance offering, a physician network and various related services in 38 U.S. states; Washington, D.C.; Puerto Rico and the United Kingdom. UHS has said previously that the company's U.K. operations were not affected by the incident.
Coping With Security Incident
The healthcare corporation says the incident was discovered early in the morning on Sept. 27, 2020, resulting in the organization suspending user access to its information technology applications related to operations located in the U.S.
"While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods," UHS says in its financial statement.
UHS says its IT applications were "substantially restored" at its acute care and behavioral health hospitals in October 2020 on a rolling/staggered basis, enabling restoration of operations.
"Given the disruption to the standard operating procedures at our facilities during the period of Sept. 27, 2020, into October 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities," UHS acknowledges.
"We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible."
Certain administrative functions such as coding and billing were delayed into December 2020, which had a negative impact on UHS' operating cash flow during the fourth quarter, the company said.
UHS estimates that approximately $12 million of the "unfavorable pre-tax impact" was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter.
"The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays," the company says.
Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of the incident and the related disruption of operations, UHS says.
UHS, however, expects its insurance to cover much of the cost.
"Although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive pursuant to commercial insurance coverage we have in connection with this incident, we believe we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack."
No Breach Report
UHS says it has found no evidence of unauthorized access, copying or misuse of any patient or employee data.
Also, the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals as of Tuesday did not show any data breach reports tied to the incident.
UHS did not immediately respond to Information Security Media Group's request for additional information.
A Rare Look at Impact
While ransomware and other disruptive cyber incidents have been surging in the healthcare sector, especially during the COVID-19 pandemic, a public view into the financial impact is relatively rare because so many healthcare provider organizations in the U.S. are not-for-profit entities that don't file financial statements with the Securities and Exchange Commission.
"Senior leaders need to ... be aware of the potential disruption of the overall operations of the organization and be prepared to address them."
—Marti Arvin, CynergisTek
"The type of losses suffered and reported by UHS are not unique to for-profit, public healthcare entities," says regulatory attorney Marti Arvin of the privacy and security consultancy CynergisTek.
"The not-for-profit entities suffer very similar financial impacts from a ransomware attack. However, the not-for-profit entities do not have the same reporting obligations as a public entity like UHS, thus hearing about the loss is less common."
Other organizations hit by ransomware have also reported that they expect insurance to cover much of the resulting expenses.
For example, last fall, executives at cloud-based fundraising software vendor Blackbaud, which suffered a ransomware attack in May, told Wall Street analysts that they expected cyber insurance to cover the bulk of the costs of the incident, which affected hundreds of Blackbaud's clients worldwide.
Arvin warns, however: "Organizations must carefully review the coverage criteria for any cyber insurance policy to determine the amount of coverage, whether it has limitations tied to the number of events, an overall dollar limitation regardless of the number of events, the exact nature of the costs that will be covered or reimbursed by the insurance and/or whether any limitations on coverage make the cost of the insurance worth it.
"As with most types of insurance, the more an organization is willing to pay in premiums the better the coverage."
Impact on Safety
The potential safety impact of cyberattacks on healthcare entities should not be overlooked, security experts say.
"The UHS attack created a horrible scenario in which critical patient response was interrupted, re-routed, etc.," says Jim Van Dyke, founder and CEO of security firm Breach Clarity.
"Patient safety issues stemming from cyber incidents deserve a paramount level of attention from healthcare entities."
—Jim Van Dyke, Breach Clarity
"We’ve talked about the potential for this for years, and with the medical industry relying on automated methods for provider and patient service delivery, there is no reason to believe that this impact or fallout was unique to UHS. The more we rely on technology, the higher the risk to all providers and patients."
"Patient safety issues stemming from cyber incidents deserve a paramount level of attention from healthcare entities," Van Dyke says. "As providers and patients increasingly rely on timely and accurate provision of information, the potential disruption of such IT methods runs the risk of becoming all the more crippling when systems fail.
"Taking that a step further, the risks from such plausible scenarios like delayed patient response, inaccuracies stemming from chaos - as a hypothetical example, a potential inaccurate blood type reading - and more could have devastating consequences."
Although enterprises that have suffered a ransomware attack often state that no personal data was accessed or exposed, it's always important "to monitor this situation over the longer term to see if this position is confirmed by security forensics experts," Van Dyke says.
"The main takeaway is to separate the immediate and known costs from any potential longer-term fallout, because identity crimes represent a well-known payoff to cybercriminals."
The bottom line is that to avoid the financial impact of ransomware attacks, healthcare organizations need to step up their cyber defenses.
"Having a strong cybersecurity infrastructure in place and having a strong incident response process in place are key factors," Arvin says.
"A good incident response exercise will take into account the impact of the incident across the entire enterprise and not simply look at the impact on the information technology team. It should involve all the key stakeholders. Senior leaders need to participate and be aware of the potential disruption of the overall operations of the organization and be prepared to address them."