Scripps Health estimates the spring malware attack that temporarily took a portion of its network offline has cost the company almost $113 million so far.
The San Diego-based health system said the $113 million loss through mid-year covers revenue lost and incremental expenses from responding to the crisis, which included shutting down many of its systems, launching an investigation, instituting emergency downtime procedures and notifying federal law enforcement agencies.
Not-for-profit Scripps Health disclosed the loss in its quarterly financial statement for the period that ended June 30. The company did not immediately return a request for comment.
The incident took place on May 1 and Scripps Health's systems were not fully restored until May 26. On top of direct costs and foregone revenue, Scripps faces proposed class-action lawsuits from almost 150,000 affected patients. Attorneys representing the patients claim the the plaintiffs face a lifetime risk of identity theft.
The hackers stole copies of documents containing patients' health and financial information, although they did not access its electronic health record system. Scripps Health estimates the attackers stole Social Security or driver's license numbers from about 3,700 patients.
Scripps Health suffered a sizable loss for a company with $3.6 billion in annual revenue. By comparison, for-profit Universal Health Services has $11.6 billion in annual revenue, and lost an estimated $67 million in a September cyberattack.
Healthcare companies incurred the highest average costs for cyberattacks of any industry between August 2019 and August 2020: $7.1 million, according to IBM Security's 2020 Cost of a Data Breach Report. The average cost in 2020 was 10% higher than in 2019.
The American Hospital Association has called on the federal government to take a more active role in responding to ransomware attacks against healthcare entitites.