Healthcare system Ascension based in St. Louis, MO encountered a ransomware attack in May 2024 that considerably impacted the company, both operationally and financially. Because of the attack, Ascension diverted ambulances, closed pharmacies, took down critical IT systems, and used pen and paper for recording patient data. A large number of its 136 hospitals throughout the United States were impacted. Although it took Ascension approximately six weeks to fix access to its electronic medical record systems and continue normal operations, the investigation and data analysis are not yet over. The company has not yet announced the number of individuals whose protected health information (PHI) were compromised in the breach in compliance with HIPAA laws.
On September 17, 2024, Ascension released its fourth-quarter fiscal year report, revealing a $1.8 billion operating margin loss when the fiscal year ended. The operating loss of Ascension for the first 10 months, ending April 30, 2024, was $332 million. This is better than the $1.9 billion loss reported during the same period last year. Ascension has been attempting to recover from the financial strain caused by the COVID-19 pandemic, which resulted in about $3 billion in losses the previous year. Despite efforts to improve patient volumes and curb the growth of expenses, the ransomware attack had a big blow to its financial recovery.
During the 10 months leading to April 30, 2024, Ascension reported a $79 million loss from recurring operations, which is less than the $1.2 billion loss during the same period in 2023. However, the ransomware attack in May and June 2024 hindered Ascension’s recovery. The inclusion of these months in its financial performance reduced its year-over-year financial improvements.
The ransomware attack also resulted in slowdowns in revenue cycle processes, claims filing, and processing of payments, and bigger remediation costs. These disruptions negatively affected the May and June 2024 operations and cash flows. There was an 8-12% decrease in facility volumes during those months compared to last year due to the rescheduling of medical procedures caused by the IT outages after the attack.
Ascension’s report showed a 5.2% increase in total operating revenue for the 10 months ending April 30, 2024, mainly from its net patient service revenue, and just a net 0.5% growth in operating expenses compared to the previous year. When May and June were factored in, fiscal year 2024 operating revenue grew by 0.7%, and operating expenses rose by only 0.4%. Despite ending the fiscal year with a net loss of nearly $1.1 billion, Ascension had a $1.6 billion improvement from the previous year.
To mitigate the financial strain from the ransomware attack, Ascension acquired advanced payments from the Centers for Medicare and Medicaid Services (CMS) and commercial payers. The February 2024 ransomware attack on Change Healthcare also impacted Ascension. In response, Ascension diversified its claim clearinghouse to safeguard against future cyberattacks.
Image credit: everythingpossible, AdobeStock