In a year that saw Ascension Health making substantial strides toward financial recovery, a May 2024 Ascension cyberattack dealt a significant blow to the organization’s operations, leading to a costly disruption and setting back its fiscal recovery efforts.
According to a recent securities filing, Ascension, one of the nation’s largest nonprofit health systems, was on track for a strong recovery after reporting a $332 million operating loss for the first ten months of the fiscal year ending April 30, 2024. This was a remarkable improvement compared to the staggering $1.9 billion loss it had reported during the same period in the previous year.
However, the Ascension cyberattack severely impacted operations, ballooning Ascension’s total operating loss to $1.8 billion by the end of the fiscal year.
Ascension Cyberattack Derails Financial Recovery
Ascension attributed the sudden decline in its financial performance to the May 2024 cyberattack, which resulted in significant systemwide disruptions. The filing stated that “a significant portion of Ascension’s year-over-year financial improvements were reduced” as a direct consequence of the attack. Although Ascension was on the path to recovery, the cyber incident disrupted clinical operations, interrupted access to critical systems, and resulted in additional business expenses related to mitigating the attack and restoring normalcy.
The health system explained that while it experienced a meaningful operational improvement during the first ten months of FY24, the Ascension cyberattack in May and June 2024 contributed to reduced revenues due to business interruptions. Ascension was forced to spend additional resources on remediation efforts, which further weighed on its financial performance.
Operational Improvements Before the Cyberattack
Before the Ascension cyberattack, the company’s financial performance had been improving significantly, driven by strategic initiatives that focused on volume growth, pricing adjustments, and cost control measures. These efforts resulted in a $1.2 billion year-over-year increase in recurring operating performance, an impressive turnaround from the $1.2 billion recurring loss reported during the same period the previous year.
By April 2024, Ascension’s loss from recurring operations had narrowed to $79 million, a considerable improvement from the prior year’s loss of $1.2 billion for the same period.
These improvements were part of Ascension’s broader economic recovery plan, which emphasized data-driven decision-making, financial discipline, and a focus on meeting the needs of the communities it serves. Eduardo Conrado, President of Ascension, hailed these achievements as evidence of the system’s commitment to its mission.
“The $1.2 billion year-over-year improvement in FY24 is a demonstration of our team’s commitment to quality, stewardship, and the fidelity to our Mission,” Conrado said. He added that the organization’s focus on financial discipline and delivering exceptional care had put it on a solid foundation for the future.
Cyberattack and Its Impact
On May 8, 2024, Ascension became aware of a cybersecurity incident that affected its technology network systems, causing widespread disruptions. The Ascension cyberattack prompted to take swift action, including taking certain systems offline and initiating an immediate investigation. As the system worked to understand the full extent of the cyber incident, the disruption affected clinical operations across its vast network of hospitals and care facilities. Ascension operates in 19 states and the District of Columbia, overseeing 140 hospitals and 40 senior care facilities, employing over 8,500 providers, and supporting 134,000 associates. Its total revenue in 2023 was $28.3 billion.
The disruption caused by the cyberattack was significant, given Ascension’s large footprint and the critical role its systems play in patient care. The system’s revenue took a hit as certain services were interrupted, and business partners were advised to temporarily sever their connections to Ascension’s network as a precaution. The health system stated that it would notify partners when it was safe to reconnect, underscoring the serious nature of the attack.
On May 10, 2024, The Cyber Express reported that the cyberattack had severely affected Ascension’s clinical operations, forcing the health system to take further precautionary steps to mitigate the impact. Ascension developed a dedicated cyber event section on its website to communicate recovery efforts and provide updates to the public and its partners.
A $1.2 Billion Year-over-Year Improvement Despite the Attack
Despite the challenges posed by the cyberattack, Ascension’s overall financial performance in FY24 represented a notable improvement from the previous year. The health system reported a $1.2 billion improvement in its total operating loss, which was partially offset by $402 million in one-time, non-cash write-downs and non-recurring losses. However, the Ascension cyberattack caused total operating loss for FY24 to climb to $1.8 billion, compared to a $3.0 billion loss the previous year.
The fact that Ascension was able to reduce its operating loss by $1.2 billion year-over-year, despite the financial burden of the cyberattack, speaks to the strength of its recovery efforts before the incident. The health system’s ability to implement strategic operational improvements during the first ten months of the fiscal year had positioned it for a more favorable outcome, had the attack not occurred.