Dive Brief:
- United Health Services (UHS) estimates its September Ryuk ransomware attack cost it $67 million in unfavorable pre-tax costs in 2020, according to its Q4 and year-end earnings released Thursday.
- In the immediate aftermath of the cyberattack, UHS suspended IT applications for U.S.-based operations and used offline patient documentation. Patients and ambulances were redirected to other, sometimes competitor, facilities in the interim.
- Coding and billing functions were delayed into December, which had a negative impact on UHS' operating cash flows in Q4.
Dive Insight:
UHS realized about $12 million in losses in Q3, followed by another $55 million in Q4. The majority of the losses was due to lost operating income in acute care services, UHS said. The operating income suffered from a decline in patience activity and "increased revenue reserves recorded in connection with the associated billing delays."
The healthcare organization is unable to provide an estimate of "receipt timing, or amount, of the proceeds that we may receive" from its insurance carrier at this time. However, UHS expects "we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack."
While cyber insurers are trying to evolve to meet today's demands, traditional insurance policies fall short. In Q4 2019, cyber insurance premiums increased by only 3% on average, despite a historic year in ransomware attacks on the healthcare industry.
Even with cost containment at top of mind, cyber insurers aren't drastically increasing their rates or scale back coverage. In some cases remnants of a malicious actor can remain in a system, leading to future coverage to make up for incurred losses.
The UHS ransomware attack impacted more than 250 hospitals in the U.S., sparing those based in the U.K. While certain IT systems, including its electronic health records, were unaffected by the hack, the healthcare organization was delayed in the recovery process.
The hospital group disclosed the ransomware attack two days after the organization found it on Sept. 27, 2020. UHS restored IT applications on a "rolling/staggered basis" in its acute care and behavioral health facilities throughout October, according to the report.
Part of UHS' initial recovery included "re-establishing connections to all major systems and applications, including electronic medical records, laboratory and pharmacy systems," the organization said in October. The applications sat across acute care facilities and corporate accounts.
Ryuk operators latch onto legitimate credentials to extend their access in networks. After a target opens a phishing email, Ryuk's infection-to-deployment time can be as little as 3 hours, 30 minutes but on average the "time to Ryuk" is just under six days, according to Sophos and Mandiant.