Ascension reported a cyberattack on May 8 interrupting its IT systems and disrupting patient care. The system reverted to downtime procedures through mid-June, when the EHR was restored, but reverberations from the attack continue.
"Our investigation and analysis of the incident is ongoing and will likely be concluded during fiscal year 2025," the health system noted in its first quarter of the 2025 fiscal year report. "As our data analysis is completed, Ascension is committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies."
The attack slowed patient volume, and Ascension is continuing to ramp up care missed during that time. The ransomware attack also affected back office and revenue cycle operations, compounding the challenges Ascension and many other healthcare organizations already faced in the aftermath of the February ransomware attack against Optum's Change Healthcare, a revenue cycle management company.
"Subsequent to the incident, Ascension has diversified its claim clearinghouses to better protect itself from future incidents," the health system noted, later adding, "The combination of these incidents resulted in various disruptions related to healthcare services provided and/or revenue cycle processes, including claim submissions, payment processing and posting and insurance verification processes. Claims submission for certain patients treated during the downtime period remains in process and is expected to substantially be completed in Q2 of FY25."
The health system also incurred costs to remediate the issues during the cyberattack and other business expenses. Ascension worked with CMS and commercial payers to secure around $1 billion of advance payment for services and accessed short-term liquidity facilities for extra cash flow amid the cyberattacks. Around $161 million of the advanced payments were outstanding as of Sept. 30.
The net days in accounts receivable is 72.6 days, compared to 47 days before the cyberattacks.
"The increase in net days in accounts receivable late in the prior fiscal year is attributable to the cyberattacks noted above as Ascension has experienced temporary delays in billing for services provided along with receipt and posting of payments. Through restoration of its revenue cycle processes, Ascension continues to make substantial progress on the backlog of claims that developed due to the downtime from the cybersecurity incidents and expects these processes to be fully restored later in FY25," the company said.