News that no one wants to share with their investors: "We had a cyber incident and it is going to cost the company $67 million."
Universal Health Services (UHS), an American Fortune 500 company that provides healthcare services, recently revealed that it fell victim to a cyberattack in late September 2020, which forced IT networks to be shutdown at multiple hospitals in the U.S.
The cyberattack has caused a "material impact on earnings," resulting in a loss of $67 million.
This is just more proof that cyber risk is business risk.
Operational impact of the data breach
UHS disclosed financial results from 2020 and earnings guidance for 2021. It also included detailed information on the data breach and how that impacted the operations of the company.
"As previously disclosed on September 29, 2020, we experienced an information technology security incident in the early morning hours of September 27, 2020. As a result of this cyberattack, we suspended user access to our information technology applications related to operations located in the United States.
While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods. Our information technology applications were substantially restored at our acute care and behavioral health hospitals at various times in October, 2020, on a rolling/staggered basis, and our facilities generally resumed standard operating procedures at that time."
Incident response to the data breach
UHS continued on to discuss how their IT team responded to the situation:
"Immediately after the incident, we worked diligently with our information technology security partners to restore our information technology infrastructure and business operations as quickly as possible. In parallel, we began investigating the nature and potential impact of the security incident and engaged third-party information technology and forensic vendors to assist. No evidence of unauthorized access, copying or misuse of any patient or employee data has been identified to date.
Given the disruption to the standard operating procedures at our facilities during the period of September 27, 2020 into October, 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities.
We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible. Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020."
Financial impact of the data breach
The data breach caused server disruptions to the company's operations. And even with a fast response from the IT team, there was still a massive financial impact.
UHS describes how the company was impacted financially in its statement:
"As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020. We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020.
The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays.
Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations. Although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive pursuant to commercial insurance coverage we have in connection with this incident, we believe we are entitled to recovery of the majority of the ultimate financial impact resulting from the cyberattack."
For more information regarding Universal Health Services and the impact of the data breach, you can read its financial earnings statement.