The ransomware attack against Scripps Health that led to more than four weeks of electronic health record (EHR) downtime procedures and the theft of some patient data, resulted in $112.7 million in estimated revenue loss and incremental expenses, according to an Aug. 10 financial report form the San Diego-based health system.
The report shows operating revenues and expenses for the quarter that ended on June 30 “were significantly impacted by lost revenues and incremental expense incurred during the cyber security incident that occurred in May 2021.”
In total, the estimated lost revenues were $91.6 million and incremental costs totaled an estimated $21.1 million, which were tied to addressing the incident and recovery costs. Scripps also noted that a “$5.9 million insurance recovery was accrued in other operating revenues in June 2021."
“The remaining balance of $14.1 million of insurance recoveries are anticipated to be accrued by the end of this fiscal year once accounting requirements for recognition have been met,” according to the report. Compared to the same quarter in 2020, the excess margin was $217.47 lower due to “$94 million lower investment earnings in FY21 and the estimated net impact of $107 million relating to the cyber security incident.”
Further, the operating revenue was $78.39 million, or 3.2% higher than the previous year, which Scripps attributed to higher patient volumes in 2021 than the COVID-19-related volume reductions in 2020. However, those were offset by lost revenues caused by the ransomware attack and related emergency room diversions and elective surgery postponement, which led to reductions in patient admissions.
Both the cyberattack and COVID-19 also caused a $217.89 million, or 9.1% increase, in operating expenses.
Outages and diverted care
First reported on May 1, the cyberattack impacted the network, website, and patient portal, which were all taken offline in response to the attack. The health system launched emergency care diversion for trauma, stroke, and heart-attack patients who were diverted to nearby hospitals, and some previously scheduled appointments were cancelled.
Notably, the impact on local hospitals was detailed in a July House Energy & Commerce hearing on the growing ransomware threat by emergency room physician and the medical director of cybersecurity for the University of California San Diego Health. Area hospitals were overcrowded during Scripps’ outages and struggled to keep pace with the influx of patients.
All four of Scripps’ hospitals and its backup servers that resided in Arizona were impacted by the event, as well as access to medical images and telemetry data. Clinicians and providers relied on previously established downtime procedures that included the use of pen and paper processes for patient care.
In total, the outages lasted for longer than four weeks. In the weeks that follow, the California Department of Health (CDPH) confirmed the outages were caused by ransomware and cautioned the public that Scripps’ hospitals remained “operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital.”
Patient data stolen from network
A June 1 update on the attack revealed that an investigation confirmed that attackers gained access to the network on April 21, a few weeks before the ransomware was deployed, and exfiltrated copies of data. Scripps’ EHR was not effected during the incident. Instead, the actors stole the data from other documents stored on the network.
Some of the stolen data was patient information, such as clinical data, medical record numbers, treatments, dates of birth, health insurance details, and other sensitive information. About 2.5% of the 147,267 impacted patients also had their Social Security numbers and driver’s license numbers compromised during the incident.
The patients impacted by the incident recently filed several lawsuits against Scripps, accusing the health system of negligence, invasion of privacy, and other security violations.
The cyberattack bore similarities to both the Universal Health Services and University of Vermont Health Network, both driven offline for more than a month during the ransomware wave that targeted the health care sector in late 2020. The incidents cost UHS $67 million in lost revenue and recovery efforts and UVM Health more than $63 million, or about $1.5 million each day of network outage.
The incidents should serve as a warning for other health care systems of the overall impact of ransomware within the sector, including financial harm and risk to patient safety. Previous ransomware insights from the Department of Homeland Security and NIST can provide much needed guidance for better defending against the critical risk.