
Hospital chain CommonSpirit has revised its assessment of the financial impact caused by a ransomware incident that occurred last autumn and disrupted patient services at some of its facilities for an extended period. The estimated cost of the incident is now believed to be around $160 million, an increase of $10 million from the previous estimate released in February.

CommonSpirit, a nonprofit Catholic hospital chain operating in 22 states with 143 hospitals and 2,300 other care facilities, expects a significant portion of these costs to be covered by its insurance policy. The updated figure encompasses various expenses related to the cyberattack, including lost revenues from business interruption, costs incurred for remediation, and other associated business expenditures. However, the estimate does not account for any potential insurance recoveries.

Company officials have expressed confidence that the bulk of the expenses will ultimately be covered by the underwriters, although the resolution of the matter may take some time. CommonSpirit also acknowledged the possibility of facing class action lawsuits in relation to the ransomware incident, which could potentially impact its overall financial condition and operations.

The hospital chain reported the cyberattack to the Department of Health and Human Services on December 1, 2022, identifying it as a hacking incident affecting approximately 624,000 individuals. As of now, CommonSpirit has not responded to requests for comment regarding its most recent financial results.

Insurance attorney Peter Halprin, who is not involved in the CommonSpirit case, suggested that the company may only be responsible for a single deductible or self-insured retention if the underwriters honor its insurance claims and all parties agree on the loss amounts. However, Halprin noted that the cautious comments in CommonSpirit's financial report could indicate possible disputes with insurers regarding aspects such as the calculation of business interruption losses.

Halprin emphasized the importance of healthcare organizations involving various stakeholders, including legal, finance, operations, IT, and risk management, as well as external professionals like insurance brokers, when evaluating cyber risks and assessing potential insurance coverage for such incidents.

CommonSpirit reported that the ransomware attack was detected on October 2, 2022, prompting immediate measures to secure the IT network, including taking certain systems offline. A forensic investigation revealed that an unauthorized third party gained access to the network between September 16, 2022, and October 3, 2022.

Although the hackers did not directly extract data from CommonSpirit's electronic medical records systems, they did obtain copies of certain data from the company's file-sharing servers. This data included patient demographic information, medical details, billing and claims information, and health insurance information. For a limited number of individuals, Social Security numbers were also compromised.
