
Tenet Health cyberattack, monthlong outage led to $100M in ‘unfavorable impact’

A cybersecurity incident in April led to several weeks of downtime and service delays for Tenet Healthcare facilities, which cost the provider millions. Pictured: Pills sit in a disposal container. (Staff Sgt. Jessica H. Smith/Air Force)

The April “cybersecurity incident” that led to several weeks of downtime and service delays at Tenet Healthcare facilities caused $100 million in unfavorable impact. The hefty price tag was brought on by lost revenues from interruptions to business operations and remediation.

Tenet is one of the largest hospital care service providers in the U.S., operating 65 hospitals and more than 450 healthcare facilities through its subsidiaries and brand. 

Its Q2 earnings report shows the cyberattack led to “significant adverse EBITDA [earnings before interest, taxes, depreciation, and amortization] impact” and “contributed to same-hospital adjusted admissions,” which decreased 5.3% from the previous year. Tenet has insurance coverage, and the claim it filed within its policy limits is ongoing; the company received $5 million of insurance proceeds during Q2 2022.

Tenet has “ample insurance coverage and will record proceeds” that will reduce the overall financial impact, according to the report.

Tenet also reported an 11% decline in net operating revenues, down to $3.65 billion in Q2 2022 from $4.1 billion the previous year, which was directly attributed to the “unfavorable impact” of the cyberattack and the sale of Tenet’s Miami-area hospitals.

The cyberattack was also “primarily responsible” for a 0.2% decline in the same-hospital net patient service revenue per adjusted admission and partially behind a slight decrease in the adjusted EBITDA margin excluding grant income. The cyber incident was also partly responsible for a 2.8-day increase in its outstanding accounts receivable.

Despite the business and financial impact, Tenet CEO Saum Sutaria said the company had another strong quarter and reaffirmed its 2022 adjusted EBITDA outlook. In a statement, Sutaria stressed that Tenet “demonstrated resilience in the face of a disruptive cyberattack and discipline through challenging market conditions.”

IT and phone disruptions struck Florida hospitals in April

The incident was first reported in mid-April. Tenet did not disclose the type of threat that led to the disruptions, nor when the intrusion into its systems first began. But local media reports revealed that at least two of Tenet Health’s Florida hospitals were experiencing IT and phone line issues starting on April 20.

Clinicians leveraged electronic health record downtime procedures and left the hospital to make phone calls. One Tenet hospital, St. Mary’s Medical Center in West Palm Beach, was forced to divert patients to nearby hospitals during the network outages.

Tenet’s only press release about the extended IT outages also showed that the cyberattack caused a short-term, temporary disruption to a “subset of acute care operations.” However, not all of its hospital operations were disrupted by the incident.

While the outage was only felt by some of its hospitals and for less than a month, the $100 million impact aligns with the financial impacts reported by U.S. providers with similar outages.

For context, the more than three-month outage experienced by the entirety of the Ireland Health Service Executive last summer caused $600 million in lost revenue and recovery costs. And the Ireland HSE is the country’s primary caregiver.

On the other hand, the May 2021 cyberattack and monthlong outage at Scripps Health, with just five hospitals and 19 outpatient facilities, cost the California provider $112.7 million in lost revenue and remediation. The health system was “significantly impacted by lost revenue and incremental expense.” Scripps reported a similar insurance recovery to Tenet of $5.9 million.

Smaller health networks or hospitals facing similar outage periods experienced lesser financial impacts, to an extent.

Vermont Health Network’s outage lasted more than a month, led to the deployment of the National Guard and cost more than $63 million, while the Universal Health Services attack, with the same outage period, cost $67 million. On average, these attacks cost about $1.5 million for each day of network downtime.

Tenet may not be out of the woods yet, either, as its affiliate Baptist Health System was hacked, which led to the theft of data tied to 1.2 million patients. Tenet is currently defending itself against the breach lawsuit.

These incidents highlight the financial and patient impacts brought on by healthcare cyberattacks and the importance of reviewing and modifying security measures and tools to ensure best practice defenses are employed.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.