Post-Cyberattack, Universal Health Services Faces $67M in Losses

universal health services cyberattack

The Fortune-500 hospital network owner is facing steep costs in damages after a cyberattack impacted patient care and billing in September and October.

The cyberattack that hit Universal Health Services (UHS) in September has cost the healthcare service provider a whopping $67 million in damages, according to financial statements.

A fourth-quarter earnings report last week from UHS highlighted the “significant incremental labor expense” needed to restore IT operations after the incident. UHS said that administrative functions – like billing – were also delayed, which had a “negative impact” on its operating cash flows in the fourth quarter.

“As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020,” according to the UHS earnings report.

When it first occurred, the cyberattack disrupted various IT applications utilized by the Fortune-500 company, which is one of the nation’s largest hospital management firms. Throughout October, UHS said it worked to “substantially restore” these applications and its facilities “generally” resumed eventually.

“We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020,” the report said.

UHS Cyberattack: Breaking Down the Financial Damages

While UHS didn’t mention what kind of attack it suffered, reports pointed to the Ryuk ransomware as the culprit. However, there was no mention of ransomware – or losses incurred from a paid ransom – in the earnings report.

With UHS subsidiaries encompassing 26 acute care hospitals, 328 behavioral health inpatient facilities, and 42 outpatient facilities and ambulatory care centers in 38 states across the U.S., the impact of the cyberattack was far reaching. UHS said that a “substantial majority” of the financial damages stemmed from its acute care services, which lost operating income due to decreased patient activity.

That’s because the cyberattack forced UHS to both divert ambulance traffic and send patients with elective procedures to “competitor facilities.” The damages also stemmed in part from the associated billing delays for postponed or rescheduled appointments during the timeframe of the attack.

“Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations,” according to the earnings statement.

UHS mentioned that it has insurance and “although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive” it believes it is entitled to “recovery of the majority of the ultimate financial impact resulting from the cyberattack.”

In its initial statement on the attack, UHS did not disclose how it occurred other than to say it was “due to an IT security issue.” The cyberattack left the network scrambling to implement extensive IT security protocols and working to establish back-up processes such as offline documentation methods.

UHS said, no patient or employee data appears to have been accessed, copied or otherwise compromised.

Financial Damages Cripple Cyberattack Victims

The UHS earnings report gives a rare glimpse into the wide-ranging financial damages facing victims of cyberattacks.

In 2019, Oslo, Norway-based aluminum giant Norsk Hydro revealed that it incurred between $60 million to $71 million in damages from a ransomware attack, which forced it to shut down or isolate several plants and send several more into manual mode.

In 2020, Travelex paid out $2.3 million in Bitcoin to hackers to regain access to its global network after a malware attack at the new year knocked the global currency exchange offline and crippled its business – and that figure doesn’t include additional costs like brand damage, losses from operations disrupted by the attack and more.

Hospitals: A Dangerous Cyberattack Victim

Hospitals in particular face damages from cyberattacks that can go beyond financial challenges. Such cyberattacks can lead to hospitals diverting patients in need of critical care away to other locations at a further distance.

In November, for instance, a cyberattack left University of Vermont (UVM) health network scrambling to recover its systems. The attack caused widespread delays in patient appointments – including chemotherapy appointments, as well as mammograms and biopsies.

This can have dire consequences. In September, a ransomware attack at a Dusseldorf University hospital in Germany resulted in emergency-room diversions to other hospitals. According to a report by the Ministry of Justice of the State North Rhine-Westphalia, a patient died who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic’s servers.

At the same time, January report from Check Point Software found that healthcare organizations have seen a 45-percent increase in cyberattacks since November, as COVID-19 ravages international healthcare systems.

Threatpost has reached out to UHS for further comment.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles