US hospital chain Universal Health Services, Inc. (UHS) has revealed that the Information Technology Incident it suffered in September last year cost it $67 million in remediation efforts, loss of acute care services, and other associated expenses until the end of the year.
On September 29 last year, Universal Health Services announced in a press release that due to an IT security incident that took place two days earlier, it had to suspend user access to its IT applications related to operations located in the United States.
UHS said that it immediately implemented extensive IT security protocols and was working with security partners to restore the affected IT services as soon as possible. The incident caused temporary disruption to some clinical and financial operations, forcing acute care and behavioural health facilities to rely on offline documentation efforts to deliver round-the-clock patient care.
After UHS released its statement, Chris Hauk, Consumer privacy champion at Pixel Privacy, told TEISS that UHS suffered a ransomware attack, and the ransomware used in this attack was the Ryuk ransomware which infiltrated UHS systems via phishing emails.
The disruption caused by the ransomware attack was immense, considering UHS is among the largest providers of hospital and healthcare services in the US, featuring among Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in Forbes' list of the U.S.'s Largest Public Companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, Universal Health Services also operates in Puerto Rico and the United Kingdom.
UHS revealed the true impact of the ransomware attack
When announcing its financial results for the fourth quarter, which ended December 31, UHS revealed that the Information Technology Incident, which severely disrupted IT operations and acute care services in September and October, cost it approximately $67 million in lost revenue and remediation expenses.
While it refrained from terming the incident a ransomware attack, UHS said the security incident forced it to divert elective/scheduled procedures at acute care hospitals, ambulance traffic, and certain patient activity to competitor facilities. The company also had to bear significant labour expenses in remediation efforts and to postpone certain administrative functions such as coding and billing until December.
“As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020. We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020.
“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays. Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations.
“Our information technology applications were substantially restored at our acute care and behavioral health hospitals at various times in October, 2020, on a rolling/staggered basis, and our facilities generally resumed standard operating procedures at that time,” UHS added.
Commenting on the considerable expenses that Universal Health Services had to bear in the aftermath of the cyber attack, Stephen Kapp, CTO of Cortex Insight, told TEISS that these figures show just how serious ransomware attacks can be for organisations and just how much they can end up costing.
“After getting hit by Ryuk, UHS had the mammoth task of getting systems back up online and recovering data, but this can take months and result in the loss of business and revenue. Prevention is therefore better than cure when it comes to ransomware.
“Businesses need to take steps to prevent ransomware attacks from causing significant damage, which includes running continuous backups, making sure all operating systems and third-party applications are up-to-date with the latest security patches, and educating employees on the techniques attackers use to get ransomware into corporate networks,” he added.