CommonSpirit Details Financial Fallout of $160M CyberattackNo Word Yet on Hospital Chain's Cyber Insurance Claim, Multiple Lawsuits Pending
Chicago-based CommonSpirit is still waiting to hear back on its insurance claim for an October 2022 ransomware attack, but the hospital chain said in its annual financial statement that the disruption of some facilities and "significantly" hampered billing and collection activities contributed to a $1.4 billion operating loss for the year.
The Catholic, nonprofit organization - which has grown over the years predominately through mergers and acquisitions - operates about 2,200 healthcare facilities in 24 states, including 142 hospitals.
In an unaudited annual report issued Thursday, CommonSpirit reported a $1.4 billion operating loss for fiscal year 2023 ended June 30. The organization reported a slightly narrower operating loss of $1.3 billion in fiscal year 2022.
During the same period, fiscal year 2023 revenues were up 0.5% over the prior year, at $34.6 billion.
The entity's Oct. 2, 2022 cyberattack has caused approximately $160 million in financial damage to date, including loss revenue associated with the business disruption, costs incurred to remediate the incident and related business expenses - exclusive of any insurance-related recoveries, CommonSpirit reported.
CommonSpirit in May also estimated that the cyberattack had cost the organization about $160 million - up from its original estimate of $150 million (see: CommonSpirit Ups Cost Estimate on its 2022 Ransomware Breach).
At that time, CommonSpirit officials told financial analysts that the organization expected its insurance to cover much of the cyberattack costs.
But as of the issuance of CommonSpirit's annual report last week, the entity still had not received confirmation on exactly what would be covered and when costs might be paid.
"We have notified and continue to consult with our insurance carriers but are unable to predict the amount or timing of insurance recoveries at this time," CommonSpirit reported.
Class Action Litigation Looming
In its report, CommonSpirit also acknowledged it is facing financial uncertainty related to proposed class action lawsuits filed against the entity related to the cyberattack.
"There can be no assurance that resolution of this matter will not affect the financial condition or operations of CommonSpirit, taken as a whole," the organization reported.
Plaintiffs in at least two proposed class action lawsuits filed in an Illinois federal court allege, among other claims, that CommonSpirit was negligent in failing to protect individuals' sensitive health and personal information in the ransomware compromise (see: CommonSpirit Facing 2 Proposed Class Actions Post-Breach).
Aside from the costs associated with managing and recovering from the ransomware attack last fall, CommonSpirit in its annual report cited other factors affecting financial performance, including continued labor shortages and inflation, declining acuity and rates, and charges related to a workforce reduction of about 2,000 full-time employees in the fourth quarter.
The cyberattack caused "short-term" disruptions of patient services in some locations and "significant" disruptions in claims processing and collections, CommonSpirit said.
The incident affected revenues in four of CommonSpirit's nine regional divisions - the Pacific Northwest, Southeast, Midwest and Texas.
CommonSpirit also reported that $1.5 billion in net borrowing of debt during fiscal 2023 included a draw on its working capital line of credit to address the collections shortfall that occurred in the wake of the cyber incident. The loan also was used to pay for certain acquisitions.
The organization reported the ransomware attack to the U.S. Department of Health and Human Services' Office for Civil Rights in December as a HIPAA breach affecting nearly 624,000 individuals, though one lawsuit alleges that the actual number is as many as 20 million individuals (see: CommonSpirit Ransomware Breach Affects About 624,000 So Far).
CommonSpirit said in its financial statement that it completed breach notifications to affected individuals in April.
Files compromised in the incident contained information pertaining to patients, family members of patients, or caregivers of patients, including name, address, phone numbers, birthdate and a unique ID used internally by the organization.
As CommonSpirit was dealing with the immediate impact of the cyberattack last year, the organization took many of its IT systems offline, including some electronic health records and other applications, resulting in some patients being turned away from a few of its affected hospitals as a "precautionary" step.
CommonSpirit did not immediately respond to Information Security Media Group's request for comment and for additional details involving the financial fallout from the cyberattack.