Universal Health Services lost $67 million due to Ryuk ransomware attack


Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million.

UHS, a Fortune 500 hospital and healthcare services provider, has over 90,000 employees who provide services to roughly 3.5 million patients each year in more than 400 US and UK healthcare facilities.

UHS said last week that the Ryuk ransomware attack “had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020.”

“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” UHS added.

“Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations.”

“We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible.”

Systems restored one month later

UHS managed to restore most affected systems and hospital operations systems during late-October after starting the process of bringing back all business operations and information technology (IT) infrastructure immediately after the attack.

“With the back-loading of data substantially complete at this point, our hospitals are resuming normal operations,” the company said.

So far, UHS says that the ongoing investigation wasn’t able to find any evidence of unauthorized access, theft, or misuse of patient or employee data.

In October, the U.S. government warned of Ryuk ransomware attacks against healthcare industry organizations including hospitals and healthcare providers.

Ryuk affiliates have been observed hitting roughly 20 companies every week during the third quarter of 2020 and, starting with November 2020, they have been behind a massive wave of attacks on the US healthcare system.

Security researchers estimated that the RaaS operation made at least $150 million, after following the money circuit from Ryuk ransomware victims.

The losses reported by UHS last week follow two other similar disclosures during last year coming made by IT services provider Cognizant and Norwegian aluminum producer Norsk Hydro.

The two companies reported revenue losses of up to $70 million and over $40 million, respectively.

h/t DataBreaches

You May Also Like…