The Sept. 29 malware attack caused King of Prussia, Pa.-based UHS to temporarily take all of its U.S. information technology networks offline, including systems for medical records, laboratories and pharmacies. Servers weren't completely restored until October.
That caused some ambulance traffic and elective procedures at UHS' acute-care hospitals to be sent to competitors, the company said. UHS also incurred labor costs to restore its IT operations quickly and had to delay some administrative functions like billing and coding until December, which affected fourth-quarter cash flows.
UHS estimates that it lost $12 million during the third quarter of 2020 and $55 million during the fourth quarter. Most of those losses were in the company's acute-care segment and stemmed from lost operating income from lower patient activity.
"Although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive pursuant to commercial insurance coverage we have in connection with this incident, we believe we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack," the company said.
The company said it worked with third-party IT and forensic vendors to investigate the attack and that no "evidence of unauthorized access, copying or misuse of any patient or employee data has been identified to date."
UHS shared information about the cyberattack with its fourth-quarter earnings report. During the last quarter of 2020, UHS had net income of $308.7 million, compared to $245.2 million during the final quarter of 2019. The company attributed the increase largely to $200 million in grants, namely from the CARES Act. For 2020, UHS reported $944 million in net income, up from $814.9 million in 2019.