CommonSpirit, a nonprofit Catholic hospital chain with 143 hospitals and 2,300 care facilities across 22 states, has revised its estimate of the financial impact caused by a ransomware incident last fall. The updated estimate now stands at $160 million, higher than the previous projection.
The costs include lost revenues from business interruption, expenses related to remediation efforts, and other associated business costs. The company expects insurance coverage to alleviate a significant portion of the financial burden. CommonSpirit is also facing potential class action lawsuits resulting from the breach.
CommonSpirit reported the ransomware attack, which affected nearly 624,000 individuals, to the Department of Health and Human Services on December 1, 2022. In an unaudited report sent to investors on May 15, the hospital chain disclosed the higher cyberattack costs.
During a call with investors, CommonSpirit’s senior vice president of finance stated that underwriters are expected to bear the majority of the costs, although the process may take some time. The company’s financial report indicates potential challenges from insurers regarding aspects of the loss, such as the amount of business interruption.
When dealing with cyber incidents, healthcare organizations are advised to collaborate with external professionals, including insurance brokers, to assess cyber risks and evaluate insurance options that provide suitable protection.
The breach, which occurred between September 16 and October 3, 2022, involved unauthorized access to CommonSpirit’s IT network. While the hackers did not directly access electronic medical records, they obtained copies of data from file-sharing servers, including patient demographic information, medical records, billing details, and health insurance information.
CommonSpirit emphasized the need to ensure insurance coverage aligns with an organization’s specific needs and to have appropriate legal, financial, operational, IT, and risk management measures in place to mitigate cyber risks.