Scripps Health Reports Financial Toll of Ransomware Attack
Costs So Far Total Nearly $113 Million, Including $91.6 Million in Lost Revenue
The recent ransomware attack that disrupted Scripps Health's IT systems and patient care for nearly a month has so far cost the San Diego-based organization nearly $113 million, including $91.6 million in lost revenue, according to a financial report the nonprofit entity filed Tuesday with a municipal securities regulator.
Scripps Health notes in its third-quarter earnings report that upon detecting the cybersecurity incident on May 1, it took "immediate action" to contain the threat and help reduce disruption to patient care.
That action included shutting down many of its systems, initiating emergency manual down-time procedures, starting an investigation and notifying federal law enforcement authorities, the organization says.
All systems were restored by May 26, Scripps Health reports.
Nonetheless, expenses incurred due to the cyber incident are approximately $112.7 million through June 30, including lost revenues of $91.6 million and incremental costs to address the cybersecurity incident and recovery estimated at $21.1 million, the report says.
Scripps Health says that $5.9 million in insurance recovery was accrued in other operating revenues in June 2021, and that the remaining balance of $14.1 million in insurance recoveries is anticipated to be accrued by the end of this fiscal year, once accounting requirements for recognition have been met.
"Operating revenues and operating expenses for the quarter ended June 30 were significantly impacted by lost revenues and incremental expense incurred during the cyber security incident," Scripps Health says in the report.
Lost revenue included lower patient volumes during the month of May due to emergency room diversions and postponement of elective surgeries, the report notes.
Besides the financial hit on Scripps Health, the organization is also dealing with other fallout related to the cyberattack.
For instance, several proposed class action lawsuits have been filed against Scripps Health in recent weeks (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
The organization also reported to regulators that the incident compromised the personal and health information of nearly 150,000 individuals (see: Scripps Health Attackers Stole PHI of 147,000 Patients).
Scripps Health in a statement tells Information Security Media Group: "We can confirm the figures you cite are accurate, but are unable to discuss any further due to the ongoing investigation and pending litigation."
"The ransomware attack already has caused Scripps to incur losses greatly exceeding its cyber insurance coverage," says regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the Scripps Health lawsuits.
"Scripps faces still more losses, including - at a minimum - the substantial expenses required to defend against class action lawsuits stemming from the breach. Resolution of the lawsuits might involve costly settlements," he says.
The Scripps Health incident "is a great example of the severe financial toll of ransomware attacks and, in particular, highlights the costs associated with an interruption of business operations," says insurance attorney Peter Halprin of the law firm Pasich LLP.
"Given the prevalence of ransomware attacks, this is yet another reminder to take ransomware seriously and to do everything possible to protect against these vulnerabilities," he notes. "It is a clear reminder of the importance of protection against the financial impacts of these attacks and the value of insurance against such risks."
Cyber Insurance Protection
Halprin notes that there are not "uniform cyber policies" offered by insurers, but most of the policies that he sees include business interruption coverage. "This coverage should be obtained by healthcare entities, given the potential financial impact of a cyberattack on business income," he advises.
Additionally, cyber policies, like liability insurance coverage, generally provide protection against third parties, he notes.
"Cyber policies, more so than other policies, tend to have specific coverages relating to liability - regulatory or civil - arising from data breaches. The costs associated with breaches are on the rise and so it is important to have financial protection against their impact."
In the meantime, the healthcare industry "must be exceptionally vigilant" in defending against the growing cyberthreats facing the sector, Hales says.
"Healthcare is under siege because cybercriminals know information is the lifeblood of any medical institution. They demand ransom for its release and also sell it on the dark web. Cybercriminals probe for soft targets in the U.S.," he says.
There are about 700,000 healthcare providers and millions of business associates maintaining PHI in the U.S., Hales adds.
"All must heed the national call for improved cybersecurity. We have to do better. For healthcare providers, it is literally a matter of life and death."