CommonSpirit Ups Cost Estimate on Its 2022 Ransomware Breach
Company Executive Hopes Insurance Will Help Cover Most Costs
Hospital chain CommonSpirit upped its estimate of the financial toll incurred by a ransomware incident last fall that disrupted patient services at some of its facilities for weeks, saying the incident cost it an estimated $160 million.
Company officials reportedly expect many of the costs to be covered by the company's insurance.
The updated figure piles on another $10 million from the last estimate made in February to come from the nonprofit Catholic hospital chain, which has 143 hospitals and 2,300 other care facilities in 22 states. In an unaudited report dated May 15 and sent to investors, the company said the cyberattack costs were higher than earlier projected.
The new total figure includes "lost revenues from the associated business interruption, the costs incurred to remediate the issues and other related business expenses, and is exclusive of any potential insurance-related recoveries," CommonSpirit wrote.
In a May 22 call with investors to discuss quarterly results, a company official predicted that underwriters will ultimately shoulder the bulk of the costs. "Most of this will be recoverable, but we expect it to take some time," said Benjie Loanzon, CommonSpirit senior vice president of finance, as reported by Becker's Hospital Review on Tuesday.
CommonSpirit also acknowledged in its quarterly report that it is facing potential class action lawsuits involving the ransomware incident (see: CommonSpirit Facing 2 Proposed Class Actions Post-Breach).
"There can be no assurance that the resolution of this matter will not affect the financial condition or operations of CommonSpirit, taken as a whole," the company's report said.
CommonSpirit reported the ransomware attack on Dec. 1, 2022, to the Department of Health and Human Services as a hacking incident affecting nearly 624,000 individuals (see: CommonSpirit Ransomware Breach Affects About 624,000 So Far).
The hospital chain did not immediately respond to Information Security Media Group's request for comment on its most recent financial results.
Assuming that underwriters honor CommonSpirit's insurance claims - and that all parties agree on the loss amounts - "it is possible that CommonSpirit might only be responsible for satisfying a single deductible or self-insured retention," said insurance attorney Peter Halprin of the law firm Pasich, who is not involved in the CommonSpirit case.
The company's more cautious comments in its financial report "may also indicate that CommonSpirit’s insurers are challenging some aspect of the loss, such as the amount of business interruption," Halprin said.
"This is not atypical in cyber claims involving large business interruption losses as accountants hired by the carriers may contest the insured's calculation of its losses and suggest that they should be reduced."
When seeking insurance coverage for potential cyber incidents, it is critical for healthcare organizations to marshal the different aspects of their business - including legal, finance, operations, IT and risk - with outside professionals such as insurance brokers to assess cyber risks and their potential financial impact to the business, Halprin said.
"From there, working together, this group should assess whether their potential insurance options provide this protection. But needs vary widely from organization to organization, so it's important to have an insurance broker in place who can carefully scrutinize what is being offered to ensure that it is fit for purpose."
CommonSpirit said that on Oct. 2, 2022, it detected a ransomware attack on its IT network and immediately took steps to secure the network, including taking some systems offline.
The forensics investigation into the incident determined that an unauthorized third party had gained access to the network between Sept. 16, 2022, and Oct. 3, 2022, the company said.
While hackers did not retrieve data directly from CommonSpirit's electronic medical records systems, the unauthorized party did obtain copies of some data on the company's systems, including files from two file-sharing servers that contained some individuals' information dating back several years, the company said.
CommonSpirit uses the data on the file-sharing servers to perform various operational functions. It included patient demographic information, such as name, address, birthdate, phone number and email address, as well as medical information such as dates of service, healthcare provider's name, diagnosis and treatment information, billing and claims information and health insurance information, the company said.
For "a small number" of individuals, Social Security numbers were also affected, CommonSpirit said.