Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack.

While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected.

Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista, and trauma patients could not be accepted at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. Scripps Health said it took 4 weeks to recover from the attack.

Losses sustained as a result of the attack are expected to exceed $113 million, with its third-quarter earnings report estimating the cost so far to have reached $112.7 million. The majority of that figure – $91.6 million – due to lost revenue during the 4-week recovery period. $21.1 million had to be spent on response and recovery, and Scripps Health was only able to recover $5.9 million from its cyber insurance policy so far. A further $14.1 million is expected to be recovered from its insurer by the end of the fiscal year.

The costs are likely to increase further still. The protected health information of 147,267 patients was compromised in the attack, and several class action lawsuits have been filed against Scripps Health over the theft of patient data. The expected losses do not include litigation costs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.