Healthcare Cybersecurity

CommonSpirit reports $160 million loss from last year’s ransomware attack

Patient data breached at more than 150 facilities, the company reported.

Francis Scialabba


Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

A 2022 ransomware attack on CommonSpirit Health cost the health system around $160 million in lost revenue and remediation costs, the Chicago-based company announced in an earnings call this week.

The breach affected over 150 facilities in at least 13 states, which impeded access to electronic health records and delayed patient care—and the effects are still reverberating through one of the nation’s largest Catholic health systems.

CommonSpirit, whose fiscal year ends June 30, reported a $1.1 billion operating loss in the nine months that ended on March 31, according to its Q3 earnings report, which attributed the losses to “revenue challenges, the continued impact of labor shortages and inflation, the Cybersecurity Incident, and the lingering effects of the pandemic.”

The system previously estimated that damages from the attack cost about $150 million, according to the previous quarter’s earnings report. The company is still determining a timeline for insurance recoveries, CommonSpirit SVP and Corporate Controller Benjie Loanzon said in the earnings call.

“Most of [the financial loss from the ransomware attack] will be recoverable, but it will take some time,” Loanzon said.

Zoom out. More systems are experiencing ransomware attacks, which have grown in cost, frequency, and scale, yet hospital leaders are still reactive—rather than proactive—when it comes to prevention.

The ransom itself in a ransomware attack can cost millions of dollars, cyber-risk monitoring platform Black Kite Chief Security Officer Bob Maley told Healthcare Brew in March. Other costs depend on the size of the data breach, Maley said. CommonSpirit’s ransomware attack exposed the data of more than 623,700 patients.

“That’s where a lot of their costs are going to come from: incident response, remediation, notification, and those types of things. The more records, the more people have to be notified,” Maley said.

Secondary costs from a cyberattack include regulatory fines and providing affected patients with credit monitoring services, Maley said. For example, Phoenix-based Banner Health paid the Department of Health and Human Services’ Office of Civil Rights $1.25 million earlier this year after a 2016 cyberattack exposed the health information of 2.81 million people.

What’s next: CommonSpirit is also facing lawsuits following the data breach, per the Q3 earnings report.

“There can be no assurance that the resolution of this matter will not affect the financial condition or operations of CommonSpirit, taken as a whole,” according to the earnings report.
