The ransomware attack on CommonSpirit Health reported last October has resulted in $150 million in losses, according to the health system’s unaudited quarterly report. The losses are lost revenue from business disruption, remediation costs, and other business expenses attributed to the ransomware incident.
CommonSpirit is the largest Catholic health system and the second-largest nonprofit hospital chain in the United States, operating 138 hospitals in 21 states. It also operates community health organizations, nursing colleges, home health agencies, and other facilities and services. In all, CommonSpirit Health operates approximately 2,200 care sites. Its annual revenue for the fiscal year ending June 30, 2022 was $33.9 billion.
The report notes that the company is unable to predict the timing or amount of insurance recoveries, so the total amount of out-of-pocket losses is not yet known. In addition, the report discloses that CommonSpirit cannot assure investors that proposed class action lawsuits filed over the attack will not affect its financial condition or operations as a whole.
In October, CommonSpirit reported IT outages, EHR downtime, and appointment cancellations, and later confirmed that these disruptions were caused by a ransomware attack. Some facilities remained untouched, while others experienced weeks of disruptions to patient portals and payroll platforms. CommonSpirit reported to the U.S. Department of Health and Human Services (HHS) that the breach affected 623,774 individuals.
Class Action Lawsuit Adds to Costs
CommonSpirit is defending a proposed federal class action lawsuit filed in January in Illinois. The lawsuit alleges that CommonSpirit “lost control” of highly sensitive information as a result of the breach and suggests that the health system “has not been forthcoming” about the breach. It goes on to say “the number of actual victims of the Data Breach may be much higher – potentially as high as twenty million individuals.” The plaintiffs are asking for reimbursement for out-of-pocket costs, credit monitoring services, and improvements to CommonSpirit’s data security systems.
Lawsuits resulting from healthcare data breaches are becoming more common, although their outcome is far from certain. Whether or not a lawsuit ultimately prevails, these cases are expensive to defend. Legal fees, public relations costs, and reputation management costs all have to be added to the total fallout from the breach.
Prevention is Less Expensive
Preventing breaches is far less expensive. A strong cybersecurity program and HIPAA compliance, including an annual HIPAA Risk Analysis, together cost a fraction of the mountain of costs created by an avoidable, preventable breach affecting hundreds of thousands of patients.