Universal Health Services Inc. said Thursday that a malware attack in late September cost the hospital chain, based in King of Prussia, Pa., $67 million last year before taxes. Revenue dropped as patients went elsewhere for care, Universal Health said, and it incurred expenses to restore its operating systems.
The attack on Universal Health and those at other hospitals last year involved ransomware, people familiar with the incident said, a malicious software that shuts users out of their own data. Hackers then demand payment to unlock it.
A Universal Health spokeswoman said the company didn’t pay a ransom. Universal Health said that it believed the company would be entitled to recoup costs through insurance. The company said in its earnings report that it has found no evidence of any data breach.
Hospitals have become more targets for ransomware scammers betting that executives will make swift payouts to restore lifesaving technology, cybersecurity experts said. As Covid-19 hospitalizations soared in the final three months of 2020, there were more ransomware attacks in healthcare than any other industry in a quarterly review of hundreds of incidents among clients of Coveware Inc., a company that helps negotiate ransoms.
“They have operationalized against healthcare almost as a business model,” said Wes Spencer, chief information security officer for Perch Security, which was acquired in November by software company ConnectWise.
The Federal Bureau of Investigation, Department of Homeland Security and Department of Health and Human Services warned hospitals in October of an “increased and imminent” threat from hackers.
“They are more brazen,” said Joshua Corman, chief strategist for healthcare and Covid-19 for DHS’s Cybersecurity and Infrastructure Security Agency.
Mr. Corman said healthcare companies should invest more in cybersecurity, which he said was already lacking before the pandemic further strained hospital finances, capacity and staff.
“If the industry does not get the wake-up call during a pandemic, we may never get the wake-up call,” he said.
During the attack at Universal Health last fall, the company shut down computer systems for medical records, laboratories and pharmacies across 250 U.S. facilities. Disruption continued for weeks. Ambulances and surgeons sent patients elsewhere to avoid complications, Chief Financial Officer Steve Filton told investors in January.
"I think, intellectually, you know that we’re very reliant on our information technology,” Mr. Filton said,” but you don’t really realize how much you are until something disrupts that.”
At Sky Lakes Medical Center in Klamath Falls, Ore., hackers struck in the last week of October. The hospital’s director of information services, John Gaede, learned of the hack in a 3:30 a.m. phone call from his staff. They raced to contain the malware, but within hours decided to shut down the hospital’s entire network, Mr. Gaede said.
That halted the spread of the malware but left doctors and nurses without access to computerized medical records. Results from magnetic-resonance imaging and other scanning equipment that doctors use to diagnose diseases were also taken offline.
Then, Covid-19 hospitalizations in Oregon surged. Sky Lakes staff raced to create more isolation rooms for coronavirus patients, said Chief Executive Officer Paul Stewart.
Because of the malware attack, staff made paper records of critical patient information for weeks. The hospital’s pharmacy scrambled to find paper prescription pads, and photocopiers ran low on toner as staff churned out documents.
The hospital temporarily halted some nonessential surgeries to ease the burden on staff. "It was a breaking point,” Mr. Stewart said. Halting those procedures helped to depress hospital revenue, he said, which is down 6% annually for the fiscal year that began Oct. 1.
The hospital fully restored access to the records about a month later, after rebuilding its network with new servers and 2,500 new computers. Mr. Stewart estimated costs and lost revenue from the hack totaled about $10 million. Nearly 800 of about 1.5 million diagnostic images couldn’t be recovered. Sky Lakes said it is working with doctors to identify which patients need to return for new scanning.
Of the hackers, Mr. Stewart said, “they are the lowest of the low, in my opinion.”