Ransomware attacks on hospitals can result in massive financial deficits, just like what the Ryuk ransomware attack did on Universal Health Services. UHS is one of the biggest healthcare companies in America and runs 26 acute care hospitals, 41 outpatient facilities, and 330 behavioral health centers. UHS stated in March 2021 that the ransomware attack in September 2020 generated $67 million in pre-tax deficits because of the cost of remediation, non-availability of acute care services, and other expenditures sustained because of the attack.
Though the deficits sustained by UHS were sizeable, the Scripps Health ransomware attack has shown to be a lot more costly. Scripps Health in California is a nonprofit manager of 5 hospitals and 19 outpatient centers within the state. During the ransomware attack in May 2021, Scripps Health was unable to access data systems at two hospitals, employees could not access the electronic medical record system. The provider’s offsite backup servers were additionally impacted.
Because Scripps Health could not access critical IT systems, it was compelled to transfer heart attack and stroke patients from four main hospitals in La Jolla, Encinitas, Chula Vista, and San Diego. Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla could not accept trauma patients as well. Scripps Health stated that its recovery from the attack had taken 4 weeks.
Losses suffered because of the attack are predicted to go over $113 million, with its third-quarter revenue report estimating the expense to date to have attained $112.7 million. The bulk of that number, which is $91.6 million, is lost income for the duration of the 4-week recovery time. $21.1 million was used up for response and recovery. Scripps Health had reclaimed $5.9 million from its cyber insurance plan thus far. An additional $14.1 million is estimated to be reclaimed from its insurance provider at the end of the financial year.
The expenses will probably increase even more still. During the attack, the protected health information (PHI) of 147,267 patients was exposed, and Scripps Health is facing a number of class-action lawsuits filed over the theft of patient information. The estimated losses don’t include yet the litigation expenses.