Data breaches costing health systems millions

The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.

Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems' operations and bottom lines.

Ascension's losses from ransomware attack

Ascension, one of the largest nonprofit health systems in the U.S., reported a $1.8 billion operating margin loss in its fourth quarter fiscal year results, largely attributed to a ransomware attack that occurred in May. 

According to the fiscal year 2024 documents released on Sept. 17, the attack not only disrupted operations but also led to revenue losses and additional remediation costs.

The cyberattack necessitated the temporary shutdown of Ascension's EHR system, forcing the organization to revert to established downtime protocols. However, since mid-June, the health system has made strides in restoring EHR and clinical workflows. Ascension leadership confirmed in their report that they are actively working to remediate all affected systems, with investigations ongoing into the incident.

The repercussions of the breach extended beyond immediate operational disruptions; Ascension's days cash on hand decreased from 211 days to 194 days, and net days in accounts receivable rose from 46.7 to 78.4 days, reflecting increased challenges in revenue collection. 

To mitigate financial strain, Ascension secured advance payments from commercial payers and CMS during this period.

Lehigh Valley Health Network's $65 million settlement

In a separate incident, Lehigh Valley Health Network agreed to a proposed $65 million settlement related to a ransomware attack claimed by the BlackCat group in 2023. This attack compromised the medical records of approximately 134,000 patients, exposing sensitive personal information — including private photos of some breast cancer patients — on the dark web.

The lawsuit, which originated in Lackawanna County, Pa., was eventually moved to federal court and then returned to county court, where it remains pending.

The settlement, reached on Aug. 20, will distribute compensation among affected patients based on the extent of the harm they experienced. Notably, Lehigh Valley Health Network maintains its stance of no wrongdoing, asserting that the settlement class does not possess a valid legal claim.

After discovering the unauthorized activity, Lehigh Valley promptly launched an investigation, enlisting the help of cybersecurity experts and notifying law enforcement. The health system temporarily shut down its EHR during the incident to contain the breach, and a spokesperson confirmed that Lehigh Valley refused to pay the ransom demanded by the hackers.

"Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future," a spokesperson told Becker's.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.