CommonSpirit Health Cyberattack, Month-Long Network Outage Cost $150M

The ransomware attack and subsequent month-long network outage at CommonSpirit Health in October cost the major health system at least $150 million to date, according to its unaudited quarterly financial report.

The “adverse financial impact” of the cyber incident is tied to the associated business interruption, remediation costs, and other related business expenses.

The health system posted $925 million in operating losses for the second half of 2022, of which the cyber incident was just a small portion. However, those losses were significantly larger than the year prior during the same period: just $128 million.

“Normalized for the California provider fee program,” the total losses were $701 million compared with $47 million in losses for the same period in 2021. The cybersecurity incident was a driving factor in those losses, but officials say its operating losses continue to be impacted by labor shortages, inflation, and the pandemic.

CommonSpirit also posted a decrease in EBITDA, or earnings before interest, taxes, depreciation and amortization, to $23 million, which was also partially attributed to the cyber incident. Other factors included “an unfavorable shift in payor mix” and staffing challenges.

The health system also posted losses in normalized net patient and premium revenues, as well as a 4.7% and 3.5% decrease in adjusted admissions during the third-and six-month period of the second half of 2022, which again, were partially attributed to the cyberattack.

As extensively reported, a cyberattack was deployed against CommonSpirit during the first weekend in October that prompted outages and service disruptions at hospitals across the country. Despite being one of the largest health system’s in the U.S. with over 700 care sites and 142 hospitals in 21 states, only a small portion of those hospitals went down in the attack.

The disruptions, however limited in scope, were noticeable for the impacted hospitals. Clinicians leveraged protocols for handling system outages, but CHI Memorial was forced to reschedule some patient procedures. Virginia Mason Franciscan Health, another CommonSpirit affiliate, was also hard hit by the disruptions and saw its data stolen amid the hack.

The financial report shows CommonSpirit engaged with an outside cybersecurity firm on both recovery efforts and its investigation, along with notifying law enforcement and the Department of Health and Human Services on the impact.

“We’ve notified and continue to consult with our insurance carriers, but are unable to predict the timing or amount of insurance recoveries at this time,” according to the report. The ongoing lawsuits filed against CommonSpirit may also have further financial impacts.

The cost of the incident is one of the costliest seen in healthcare, which is already the most expensive in terms of the fallout of breaches and security incidents. Breaches cost an average of $10.1 million in healthcare, according to the IBM Cost of a Data Breach Report. But security incidents that lead long periods of network downtime cost an average of $1 to $2 million per each day of an outage.

For example, the cyberattack and monthlong outage at Universal Health Services in 2021 cost the health system $67 million. UHS is nearly as large as CommonSpirit. A similar attack and outage at Vermont Health Network in cost more than $63 million. On the other end of the spectrum, the attack on Scripps Health in May 2021 cost nearly $113 million.