Universal Health Services faces $67 million loss after cyberattack
Universal Health Services reported an estimated pre-tax "unfavorable impact" of $67 million as a result of a cyberattack in 2020 that led to a network shutdown throughout its U.S. facilities.
According to a report released this past week, the health system attributes most of the unfavorable impact to lost operating income related to decreased patient activity.
"Given the disruption to the standard operating procedures at our facilities ... certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities," noted UHS in the report.
In total, the system's reported net income was $308.7 million during the fourth quarter of 2020 – a $63.5 million increase from the previous year.
WHY IT MATTERS
UHS, which operates about 400 facilities throughout the country and overseas, was hit with a massive cyberattack this past September that extended through the following month. The company reported an unfavorable estimated impact of $55 million pre-tax during the three-month period ending on December 31, 2020.
As outlined in the quarterly report, the health system suspended IT operations and delivered patient care using backup processes, including "offline documentation methods" (such as pen and paper).
UHS then worked with its security partners and engaged third-party IT and forensic vendors to assist, with no evidence of data misuse being identified thus far. In addition to the costs from decreased patient activity, UHS notes that it incurred "significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible."
"Additionally, certain administrative functions such as coding and billing were delayed into December 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020," company representatives added.
THE LARGER TREND
As CynergisTek CEO Caleb Barlow told us recently, investing in cybersecurity can be pricey, but it's often worth it to avoid the potential financial fallout of victimization.
"No matter how much you're spending on defense, it's a whole lot cheaper than paying for the expense after the boom," said Barlow.
Although the UHS attack was one of the most highly publicized cyber incidents last year, that health system certainly wasn't alone. In October, an attack disrupted services at the University of Vermont Health Network, lead the state governor to deploy the National Guard in response.
And this past summer, UC San Francisco paid hackers $1.14 million to decrypt data that, it said, was important to its academic work as a "university serving the public good."
ON THE RECORD
"Although we can provide no assurance or estimation related to the receipt, timing or amount of the proceeds that we may receive pursuant to commercial insurance coverage we have in connection with this incident, we believe we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack," said UHS representatives in the statement.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.