The October cyberattack cost the University of Vermont Medical Center $1.5 million a day in increased expenses and lost revenue, hospital president Stephen Leffler said Tuesday.
That “back of the envelope” calculation doesn’t include the cost of getting the system back up and running, he told reporters.
Forty-two days have elapsed since the attack occurred on Oct. 28. The total cost, including lost revenue and expenses, could exceed $63 million.
The hospital is still grappling with the impacts of the attack six weeks after a hacker downed all of its online operations. Though many of the medical center’s systems have been restored, Leffler predicted a “multiweek process” to address a backlog of postponed appointments and the slew of handwritten records that must be entered into the online system.
The medical health records system is operating again, as is the patient portal, but roughly 30% of the hospital’s 600 applications are still not functional, he said.
The hospital has yet to restart sleep studies, for instance. And though most of its radiology systems were restored last weekend, the hospital does not yet have full capabilities for cancer treatment, or the ability to examine certain scans.
The hospital chief said he continues to hear from patients who were affected by delayed medical care, canceled appointments or mixups due to lack of electronic access.
“If you told me more than a month [after the Oct. 28 attack], we still would have functions that weren’t normal, I would have bet you that you’d be wrong,” Leffler said. “We really did not anticipate the scope or the impact the attack had on our system and how far-reaching it was.”
Leffler apologized for the effects on patients, and vowed to do “everything in our power to make it right.” He also promised to provide more information next week on the cause of the attack.
The hospital president had initially predicted it would take “days, not weeks” to restore the hospital systems. After the attack, the Federal Bureau of Investigation swooped in to investigate, as several other health systems around the country had fallen victim to similar attacks. Gov. Phil Scott deployed a National Guard unit to help clean and restore the hospital’s 5,000 workstations and laptops.
The hospital temporarily furloughed and reassigned more than 300 workers.
The reboot process hasn’t always been smooth.
Last week, state officials announced that the UVM Medical Center had failed to report the results of 50 Covid tests to the health department. Leffler attributed the mistake to a glitch as the hospital restarted its electronic reporting programs.
It has also been slowed by the pandemic safety restrictions.
“Normally, things you might do to really move things up quickly and get them done as quickly as possible” aren’t possible in the pandemic, Leffler said, referring to working through the backlog of patients. “Social distancing guidelines and other things just add some complexity to that.”
The medical center has nine patients hospitalized with Covid. Cases continue to rise across the state, and in elder care facilities.
Leffler also said he will provide more details next week about the nature of the cyberattack and its perpetrators. He has refused to say whether the hospital was hit by ransomware. Leffler has denied being asked for ransom, though he has also danced around the question.
“Now that things are starting to settle down, very likely in the next week we’ll be able to give some more detail,” he said.
He has cited the FBI investigation as the reason for his reticence. Other hospitals that were hit by cyberattacks, and were also part of a federal investigation, said they were attacked by Ryuk, a Russian-based group. Some said they were asked for ransom.