Healthcare provider expected to lose $106.8 million following ransomware attack
Scripps Health, a California-based nonprofit healthcare provider that runs five hospitals and 19 outpatient facilities, said it expects to lose an estimated $106.8 million following a ransomware attack that hit the organization in May 2021.
"Operating revenues and operating expenses for the quarter ended June 30, 2021 were significantly impacted by lost revenues and incremental expense incurred during the cyber security incident that occurred in May 2021," the company said in its quarterly financial and operating filings last week.
The bulk of the losses, representing $91.6 million, came from lost revenues during the four weeks the organization needed to recover from the May ransomware attack.
Scripps also lost $21.1 million in costs associated with response and recovery. While the company said it recovered $5.9 million through its insurance policy, the healthcare provider said it expects to lose an estimated $106.8 million by the end of the year.
The losses stemming from the ransomware attack do not include potential losses due to litigation.
Following the attack, several patient groups also filed class-action lawsuits against the organization for failing to protect their data after the organization revealed that the hackers also stole data on roughly 150,000 patients before they encrypted the healthcare provider's servers.
The attack, while it did not get the same national coverage in the US as the ones on Colonial Pipeline, JBS Foods, and Kaseya, was one of the most impactful of the year, with Scripps being unable to access its web portal, patient medical records, and provide some patient services for four weeks, during which time staff had to redirect patients to other hospitals, which eventually resulted in the $91.6 million in lost revenue.
While other companies most likely suffered bigger losses following a ransomware attack, Scripps is one of the few companies that chose to disclose such figures, making its ransomware attack one of the most costly known to date.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.