An April cyberattack at Tenet Healthcare (Tenet) resulted in an “unfavorable impact” of $100 million, according to Tenet’s Q2 earnings report. Tenet is a multi-state healthcare company based in Dallas, Texas operating hospitals, urgent care centers, ambulatory surgery centers, outpatient centers and imaging centers in 35 states.
Tenet published a cybersecurity notice on April 26 describing the attack. At the time Tenet reported that it “immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.”
An investigation revealed that an unauthorized party potentially infected the hospital network with malicious code and was able to exfiltrate data between March 3 and April 24. The protected health information (PHI) potentially exposed during the incident included names, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, addresses, birth dates, reason for visit, procedure information, account or claim status, and billing and diagnostic codes.
Although today Tenet has recovered from the April attack, its earnings report revealed more information about what happened. During the incident, the company’s hospitals remained operational and continued to deliver patient care, “utilizing well-established back-up processes.”
Along with an unfavorable impact of approximately $100 million to adjusted EBITDA (earnings before interest, taxes, depreciation, and amortization), the company’s net operating revenues declined 11 percent compared to last year’s Q2. Some of the decline was attributed to the sale of Tenet’s Miami-area hospitals, but as the report stated:
“Same-hospital net patient service revenue per adjusted admission decreased 0.2 percent year-over-year for Q2’22 primarily due to the unfavorable impact of the cybersecurity incident, partially offset by improved pricing yield.” (italics added for emphasis)
Recovery costs for Tenet are comparable to those of other cyberattacks experienced by large healthcare organizations. For example, Scripps Health incurred approximately $112.7 million in losses after a May 2021 cyberattack disrupted its operations.
We’ve previously written about how Data Breaches are Expensive. The costs range from the investigation, to downtime, legal fees and lost revenue. All of this happens before a lawsuit.
Costs Multiply with Class Action Lawsuit
In addition to the $100 million loss, Tenet Healthcare and its affiliate, Baptist Health System, are facing a proposed class-action data breach lawsuit due to the April incident.
Similar to other healthcare data breach lawsuits, it alleges that Tenet was negligent and failed to implement proper technical safeguards to prevent a security incident. The plaintiff also claims that he spent and will continue to spend a significant amount of time protecting his personal data and preventing it from being misused. So far however, the lawsuit does not describe any actual misuse of the plaintiff’s protected health information. The lawsuit may or may not succeed, depending on whether the plaintiff can show actual concrete harm, as opposed to speculative future harm.
Whether it ultimately succeeds or not, the class action lawsuit is expensive and time consuming to defend, adding to the nightmare started by the cybersecurity attack in April.