UHS Ransomware Attack Cost $67M in Lost Revenue, Recovery Efforts

March 01, 2021 - The ransomware attack that resulted in EHR outages at all 400 Universal Healthcare Services’ care sites for about three weeks last year, resulted in about $67 million in lost operating income, labor expenses, and overall recovery costs, according to a recent UHS earnings report.

UHS was among the first hit with the coordinated ransomware wave that targeted the healthcare sector in the fall. In the early hours of September 27, UHS clinicians and staff members took to Reddit to determine if other UHS employees across the country were experiencing similar computer and phone outages.

The thread detailed internet and data center outages, with one employee attributing the incident to a ransomware attack after seeing ransom messages from the Ryuk hacking group displayed on some computer screens.

Upon discovery, the IT team took all systems offline to prevent further propagation. The following day, UHS officials confirmed the event as an IT disruption, before reporting as a malware infection several days later.

Patient care continued safely and effectively through previously established EHR downtime procedures. Officials provided several updates over the course of the recovery, which lasted a total of three weeks.

The earnings report shed further light on the recovery efforts: “Immediately after the incident, we worked diligently with our IT security partners to restore our IT infrastructure and business operations as quickly as possible.”

“In parallel, we began investigating the nature and potential impact of the security incident and engaged third-party information technology and forensic vendors to assist,” officials added.

The attack forced the security team to suspend user access to the IT applications, tied to all US operations. Access to these applications were substantially restored at all acute care and behavioral health hospitals on a rolling basis throughout the month of October.

As a result of the disruption to standard operating procedures, some patient activity, including ambulance traffic and elective procedures at UHS acute care hospitals were diverted to competitor facilities.

So far, the investigation had not found evidence of data being accessed or copied.

However, the outage and subsequent recovery efforts have caused several financial losses for the health system. The financial earnings report revealed an unfavorable estimated impact of $42.1 million, $55 million pre-tax, or about $0.49 per diluted share

The losses are a direct result of the previously disclosed IT incident. The loss also had an estimated pre-tax unfavorable impact of about $67 million during the 12-month period that ended on December 31.

The attack also negatively impacted revenue with an unfavorable estimated impact of $51.3 million, $67 million pre-tax, which was a direct result of the ransomware attack. Approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020.

The attack also caused “significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible.”

“Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020,” officials added.

“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” they explained.

The estimated losses were also directly attributed to certain labor expenses, professional fees, and other operating expenses. UHS officials said that it’s likely the health system is entitled to recover the majority of financial impact caused by the cyberattack.

The details of the attack and its impact provide real-world evidence of the need to ensure healthcare systems are employing best practice security measures, as even the largest health systems with adequate security resources can still fall victim under the current threat landscape.

Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.

Entities should review insights from Microsoft, NIST, and the NSA to gain insights into the methods used by ransomware actors and recommended steps for shifting into a zero trust security model.