Universal Health Services Estimates $67 Million in Ransomware Losses

A ransomware attack on Universal Health Services (UHS) last autumn cost the company an estimated $67 million in downtime and related expenses, it has revealed.

The Fortune 500 healthcare organization has tens of thousands of employees in the US and UK and annual revenues exceeding $10 billion.

However, it fell victim to a Ryuk attack at the end of September 2020, which forced the firm to pull the plug on key systems in the US.

“While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods,” it explained in a new financial filing.

“Our information technology applications were substantially restored at our acute care and behavioral health hospitals at various times in October 2020, on a rolling/staggered basis, and our facilities generally resumed standard operating procedures at that time.”

However, during this downtime some acute care and other patient services, including ambulance traffic, had to be diverted to facilities run by competitors, which cost UHS dear.

“We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible,” it added. “Additionally, certain administrative functions such as coding and billing were delayed into December 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”

As a result, UHS estimates an “unfavorable pre-tax impact” of around $67 million for 2020, with $12 million experienced in the third quarter and $55 million in the final three months of the year.

“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” the firm noted.

“Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations.”

The good news for UHS is that it expects the majority of these losses to be reimbursed by its insurer.

The news highlights the potentially severe financial cost of ransomware, and the reason why many organizations continue to choose to pay up rather than suffer downtime, lost revenue and additional IT overtime expense, even though experts and law enforcers usually advise them not to.

Other ransomware victims to have suffered major losses include Cognizant ($70m), Sopra Steria ($60m) and Norsk Hydro ($41m).
