UHS Discloses Cost of September Cyberattack: $67 Million in Pre-Tax Dollars
A press release published to the organization’s website on Feb. 25 stated that “Universal Health Services, Inc. (NYSE: UHS) announced today that its reported net income attributable to UHS was $308.7 million, or $3.60 per diluted share, during the fourth quarter of 2020, as compared to $245.2 million, or $2.79 per diluted share, during the comparable quarter of 2019. Net revenues increased 6.6% to $3.087 billion during the fourth quarter of 2020 as compared to $2.890 billion during the fourth quarter of 2019.” But, the release went on to say, “An unfavorable estimated impact of $51.3 million ($67 million pre-tax), or $.60 per diluted share, resulting from the information technology incident, as discussed below in Information Technology Incident.”
Describing that incident, the press release went on to say that, “As previously disclosed on September 29, 2020, we experienced an information technology security incident in the early morning hours of September 27, 2020. As a result of this cyberattack, we suspended user access to our information technology applications related to operations located in the United States. While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods. Our information technology applications were substantially restored at our acute care and behavioral health hospitals at various times in October, 2020, on a rolling/staggered basis, and our facilities generally resumed standard operating procedures at that time.”
The press release went on to say that, “Immediately after the incident, we worked diligently with our information technology security partners to restore our information technology infrastructure and business operations as quickly as possible. In parallel, we began investigating the nature and potential impact of the security incident and engaged third-party information technology and forensic vendors to assist. No evidence of unauthorized access, copying or misuse of any patient or employee data has been identified to date.”
The press release added that, “Given the disruption to the standard operating procedures at our facilities during the period of September 27, 2020 into October, 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities. We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible. Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”
Thus, the press release noted, “As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020. We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020. The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays. Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations. Although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive pursuant to commercial insurance coverage we have in connection with this incident, we believe we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack.”
As Healthcare Innovation had reported back on September 28 of last year, “The King of Prussia, Pa.-based Universal Health Services, a hospital system with ‘more than 400 acute-care hospitals, behavioral health facilities and ambulatory centers across the U.S., Puerto Rico, and the U.K.,’ according to its website, was hit with a severe ransomware attack over the weekend, shutting down core information systems at its facilities nationwide on Sunday, Sep. 27.”
And the Healthcare Innovation report quoted Zack Whittaker at TechCrunch, who wrote on Sep. 28 that “Universal Health Services, one of the largest healthcare providers in the U.S., has been hit by a ransomware attack. The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country, including in California and Florida. One of the people said the computer screens changed with text that referenced the ‘shadow universe,’ consistent with the Ryuk ransomware. ‘Everyone was told to turn off all the computers and not to turn them on again,’ the person said. ‘We were told it will be days before the computers are up again.’” Whittaker added that “It’s not immediately known what impact the ransomware attack is having on patient care, or how widespread the issue is.”
Indeed, at 10:45 AM eastern time on Sep. 28, UHS had released the following statement: “The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”
And as NBC News’s Kevin Collier noted in an article about the situation at 1:07 PM eastern time on that day, “A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history. Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.”