Scripps Health Ransomware Attack Cost Increases to $112.7 Million

The 2021 IBM Security/Ponemon Institute Cost of a Data Breach Study determined the average cost of a data breach in 2021 was $4.24 million, which represents a 10% increase from 2020. Healthcare data breaches were the costliest, with an average cost of $9.23 million in 2021, up 29.3% from $7.13 million in 2020. However, data breach costs can be considerably higher.

Most data breaches take a long time to detect, with the report showing the average time from the breach to detection was 287 days. Ransomware attacks tend to be detected more quickly, as the encryption of files makes it quite clear an incident has occurred, although attackers often take their time within a network prior to deploying ransomware in order to identify data of interest to steal and encrypt. The average cost of a ransomware attack was $4.62 million, but these attacks, especially in healthcare, can be incredibly costly.

The problem with ransomware attacks is the length of time it can take to recover, even when decryptors are obtained after a ransom is paid. Files must be restored, and entire systems often need to be rebuilt from scratch, which takes time. It is not uncommon for recovery to take weeks, or even months, which significantly adds to the cost. In healthcare, which is heavily reliant on access to data such as patient medical records, appointments often need to be cancelled due to patient safety issues, and it is the loss of business following an attack that makes up the bulk of losses.

In March 2021, Universal Health Services (UHS) announced that the ransomware attack it experienced in September 2020 resulted in losses of $67 million – 625% higher than the average healthcare ransomware attack cost, and 1,350% higher than the average ransomware attack cost. A large percentage of that cost was loss of business while the attack was remediated and data were restored.

Now Scripps Health has announced that it expects the cost of its ransomware attack in May 2021 to be significantly higher. Scripps Health operates 5 hospitals in California, compared to the 330 hospitals run by UHS, yet the cost of the Scripps Health ransomware attack is estimated to have already reached $112.7 million, and that cost is likely to increase further still. Those figures do not include the cost of litigation. The breach affected around 147,000 patients, and multiple class action lawsuits have been filed over the breach and the exposure/theft of patient data.

As it stands, the cost is 1,121% higher than the average healthcare data breach cost and 2,339% higher than the average cost of a ransomware attack. The bulk of the cost – $91.6 million – is due to the loss of revenue during the 4-week recovery period. $21.1 million was spent on recovery costs. Scripps Health has so far received $5.9 million from its cyber insurer, with the $14.1 million balance due to be received by the end of the fiscal year.

With such high potential costs from a ransomware attack, it is essential for healthcare providers to ensure their security defenses are capable of preventing attacks, to take steps to improve the resilience of IT systems so that damage caused by an attack is limited, and to make sure they have cyber insurance policies in place that will pay out and cover the bulk of the cost in the event of an attack.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/