Tenet Healthcare Cyberattack Had a $100 Million Unfavorable Impact in Q2, 2022
A cyberattack and data breach cost Tenet Healthcare $100 million in lost revenue and mitigation costs in Q2, 2022. Dallas, TX-based Tenet Healthcare is one of the largest healthcare providers in the United States, running 65 hospitals and more than 450 healthcare facilities across the United States through its brands and subsidiaries. In April 2022, Tenet experienced a cyberattack that caused major disruption to its IT systems and acute care operations for several weeks. The attack forced the staff forced to work with pen and paper during the recovery period, and at least one of the affected hospitals had to temporarily divert ambulances to other facilities. The attack also disrupted its phone system, with doctors forced to leave the premises to make phone calls. The cyberattack affected at least two hospitals and started on April 20, 2022. Tenet did not publicly release details of the attack, such as if it involved ransomware.
According to Tenet’s Q2 2022 earnings report, the attack has had a $100 million unfavorable EBITDA (earnings before interest, taxes, depreciation, and amortization) impact. Adjusted admissions fell by 5.3% year-over-year, with total admissions down 8% from Q2, 2021, and same-hospital net patient service revenue was down 0.2% as a direct result of the cyberattack. Over the quarter, Tenet saw a reduction in income of 68% compared to Q1, 2021, which fell to $38 million, and its operating revenue was down 6.4% to $4.6 million for the quarter. The attack was also partly responsible for a 2.8-day increase in its outstanding accounts receivable.
Tenet CEO Saum Sutaria said IT systems at the affected hospitals had to be totally rebuilt, and while the cyberattack had a significant business and financial impact, Tenet still recorded a strong quarter. Sutaria said the company had ample cybersecurity insurance which has helped to reduce the overall financial impact of the cyberattack. Its insurance policies paid out $5 million in Q2, 2022. The cost of the attack is significant, but it is comparable to other cyberattacks. For example, the ransomware attack on Scripps Health that affected 5 hospitals and 19 outpatient facilities cost Scripps Health $112.7 million in lost revenue and remediation costs.
Tenet will also have to cover further costs. A class action lawsuit was filed in Florida in June that alleges Tenet failed to implement appropriate security safeguards to protect against cyberattacks and did not provide adequate notifications to affected individuals. The lawsuit also alleges that notification letters have still not been sent to all individuals affected by the data breach.