CommonSpirit Raises Estimated Losses From Ransomware Attack to $160M

May 25, 2023 - CommonSpirit Health’s latest unaudited quarterly report showed that the large-scale October 2022 ransomware attack on the health system may have incurred approximately $160 million in losses. The figure marks a $10 million increase from its last quarterly report, issued in February 2023.

As previously reported, CommonSpirit suffered a ransomware attack in October, leading to IT outages, EHR downtime, and appointment cancellations. CommonSpirit reported the breach to HHS as having impacted 623,774 individuals.

CommonSpirit was formed in 2019 as the result of the merger between CHI Health and Dignity Health, making it one of the largest nonprofit healthcare systems in the US. With more than 1,000 care sites and 140 hospitals in 21 states, the ransomware attack impacted its facilities in varying ways. Some facilities remained unaffected, while others experienced weeks of disruptions to patient portals and payroll platforms.

“The Cybersecurity Incident has had an estimated adverse financial impact of approximately $160 million to date, which includes lost revenues from the associated business interruption, the costs incurred to remediate the issues and other related business expenses, and is exclusive of any potential insurance related recoveries,” the latest report stated.

IBM Security’s 2022 “Cost of a Data Breach Report” found that healthcare data breaches cost an average of $10.1 million per incident in 2021, signifying a 9.4 percent increase from the previous year. The IBM report highlighted that the healthcare sector is highly regulated, which could mean additional data breach costs may formulate in the months or years following the incident.

In addition, CommonSpirit’s quarterly report indicated that this figure is not yet final as CommonSpirit continues to iron out the details with its insurance carriers.

“The incident did not have a material impact on the current quarter operating results,” the report continued. “We have notified and continue to consult with our insurance carriers, but are unable to predict the timing or amount of insurance recoveries at this time.”

As organizations continue to grapple with cyber insurance challenges and lengthy recovery processes, these costs will likely remain high.

What’s more, a 2021 US Government Accountability Office (GAO) report found that the increased demand for cyber insurance and the uptick in cyber incidents has led to higher overall insurance costs.

"The extent to which cyber insurance will continue to be generally available and affordable remains uncertain," GAO noted.

"Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities."