The October 2022 ransomware attack on CommonSpirit Health has cost the health system more than $150 million to date according to its recent quarterly filing, and the costs are continuing to increase as the investigation into the attack and data breach are ongoing. CommonSpirit Health is also being sued over the ransomware attack. Multiple class action lawsuits have been proposed that seek damages for the individuals whose protected health information was exposed in the breach, which could affect the company’s financial position.
Healthcare data breaches are the costliest data breaches to resolve. The IBM Security Annual Cost of a Data Breach Report for 2022 suggests healthcare data breaches cost an average of $10.1 million, and across all industries cost an average of $164 per record. The ransomware attack on CommonSpirit Health exposed a considerable amount of patient information – 623,700 individuals were affected by the breach – but it could have been far worse. More than 20 million patients are served across CommonSpirit Health, Catholic Health Initiatives, and Dignity Health. The cost of the CommonSpirit Health ransomware attack and data breach is far higher than IBM Security’s figures suggest because of the continued disruption caused by the attack. CommonSpirit Health suffered a month-long outage due to the attack, and that extended disruption to operations is why the costs have spiraled. The average data breach costs do not account for extended disruption to business operations, which is the costliest element of a cyberattack. Large health systems can incur losses of between $1 million and $2 million per day due to business disruption.
The Catholic health system suffered operating losses of $1.3 billion in the full fiscal year ending June 30, 2022, and $1.85 billion in net losses, with $474 million of reported operating losses for Q4, 2022, which is almost six times the operating losses for the corresponding quarter in 2021 ($81 million). The health system says its cash reserves have fallen $741 million from the previous fiscal year to $1.85 billion as of December 31, 2022, giving it 160 days of cash left to fund its operations.
While the health system is operating at a loss, CommonSpirit Health enjoyed volume growth in the final quarter of the year, although the quarterly report stated operating revenues were down from $8.88 billion in 2021 to $8.30 billion this year. The health system says it is continuing to be affected by the pandemic, labor shortages, and inflation, as well as having to cover the cost of the ransomware attack and data breach.
CommonSpirit said it is taking a number of steps to bolster its financial sustainability, including focusing on reducing costs, operating more efficiently, and scaling programs across the organization to create a better experience for patients and consumers. The health system has also implemented initiatives to help promote staff and clinician wellness and improve employee retention.
The post CommonSpirit Health Reports $150 Million Loss Due to Ransomware Attack appeared first on HIPAA Journal.