May cyberattack cost Scripps nearly $113M in lost revenue, more costs

A massive cyberattack May 1 cost Scripps Health $112.7 million through the end of June, with lost revenue bearing most of the cost.

The nonprofit San Diego-based hospital system reported the impact during its second-quarter earnings filed Tuesday.

The attack led to a major disruption in patient care and forced providers to use paper records. Scripps said at the time that its facilities remained open for care but hasn’t until now divulged the financial impact of the attack.

Scripps restored all its systems May 26 after hiring computer consulting and forensic firms to help investigate the attack and restore its systems.

“As of June 30th, we estimate total lost revenues to be $91.6 million and incremental costs incurred to address the cyber security incident and recovery were estimated at $21.1 million,” the earnings report said.

RELATED: Scripps Health was attacked by hackers. Now, patients are suing for failing to protect their health data

Scripps added that nearly $6 million in insurance recovery “was accrued in other operating revenues in June 2021.”

It expects to get $14.1 million in insurance recoveries by the end of the fiscal year “once accounting requirements for recognition have been met,” the report said.

But the system’s operating revenue for the nine months that ended June 30 was $78 million, which was 3.2% higher than the nine-month period that ended in June 2020.

“This is primarily attributable to higher patient volumes in the current year (due to significant COVID volume reductions in FY 20) partially offset by lost revenues in the current year from the cybersecurity incident which led to volume reductions during May 2021 from emergency room diversions and postponement of elective surgeries,” the earnings report said.