by John R. Fischer, Senior Reporter | August 18, 2021
A malware attack back in May has so far cost Scripps Health in San Diego almost $113 million.
The healthcare system revealed the estimate in its quarterly financial statement, saying the loss was a combination of mid-year revenue lost and incremental expenses incurred from its response to the attack, reported Modern Healthcare.
Hackers in late April gained access to Scripps’ network and deployed malware to exfiltrate copies of data. Scripps discovered the attack in May and shut down its patient portals, email servers and other healthcare-related technology applications temporarily in response. It also implemented emergency downtime procedures and switched to offline charts. Systems were fully restored by late May, but the shutdowns and investigation into the matter added to the loss, it said.
The attackers stole patient health and financial information, including names, drivers' licenses, addresses, dates of birth, health insurance information, social security numbers, patient account numbers, clinical information and patient records. A group of these patients filed a suit against Scripps in June, claiming that its inadequate security measures prevented it from detecting the attack sooner, and has potentially created “a lifetime risk of identity theft” for nearly 150,000 patients.
“That medical histories were accessed in this data hack makes this situation unique. Despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here,” said Scott Cole, an attorney at Scott Cole & Associates, the firm representing the patients.
The healthcare system was also criticized for not disclosing the attack when it was discovered, instead waiting until late May and early June to inform patients. Scripps CEO and president Chris Van Gorder said in a letter that Scripps acknowledged patient frustrations, but that sharing more details put it at risk for more attacks.
Scripps makes $3.6 billion in annual revenue, with the loss considered a heavy blow. A similar attack in September cost Universal Health Services $67 million, with the healthcare system also taking its U.S. information expertise networks offline. Servers were not fully up again until October.
A 2020 report by cybersecurity firm CynergisTek found that while providers were improving their programs, only 44% across the continuum, including hospital and health systems, met national standards for combating and protecting themselves against cyberattacks, as outlined by the National Institute of Standards and Technology’s Cybersecurity Framework.
“The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, president and CEO of CynergisTek, at the time of the report’s release. “These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system.”