Getty Images/iStockphoto
CommonSpirit Health Ransomware Attack Leads to $150M in Losses To Date
As previously reported, CommonSpirit Health suffered a ransomware attack in October 2022 that impacted facilities across its network.
CommonSpirit Health has incurred $150 million in losses as a result of an October 2022 ransomware attack, the health system’s unaudited quarterly report stated.
“The Cybersecurity Incident has had an estimated adverse financial impact of approximately $150 million to date, which includes lost revenues from the associated business interruption, the costs incurred to remediate the issues and other business expenses, and is exclusive of any potential insurance related recoveries,” the quarterly report stated.
“We have notified and continue to consult with our insurance carriers, but are unable to predict the timing or amount of insurance recoveries at this time.”
As previously reported, CommonSpirit began reporting IT outages, EHR downtime, and appointment cancellations in early October, later confirming that these disruptions were caused by a ransomware attack.
“Upon discovering the attack, CommonSpirit took immediate steps to protect its IT systems, contain the incident, begin an investigation, and maintain continuity of care,” the report continued.
“CommonSpirit has engaged leading cybersecurity specialists and notified law enforcement, the United States Department of Health and Human Services, and individuals whose data was potentially impacted. The investigation of the incident is ongoing.”
Some facilities remained untouched, while others experienced weeks of disruptions to patient portals and payroll platforms. CommonSpirit reported the breach to HHS as having impacted 623,774 individuals.
It is not uncommon for healthcare data breaches to cost organizations millions in recovery costs. IBM Security’s 2022 “Cost of a Data Breach Report” found that healthcare data breaches cost an average of $10.1 million per incident in 2021, signifying a 9.4 percent increase from the previous year.
The report noted that the healthcare sector is highly regulated, which could mean that additional costs relating to a data breach may formulate in the months or years following the incident.
“The difference between low and high regulatory environments showed up in a pronounced way two years or more after the data breach — the ‘longtail’ costs,” the report stated.
“In highly regulated industries, an average of 24 [percent] of data breach costs were accrued more than two years after the breach occurred.”
By comparison, low regulatory environments accrued just 8 percent of costs two years after experiencing a breach.