Ransomware hit organizations in the healthcare industry especially hard last year. One recent report said healthcare organizations like hospitals experienced a 45 percent increase in attacks since November, more than double the rate of attacks on other sectors.

They reached a fever pitch at one point last fall that the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI had to warn that hospitals faced what they called an imminent and increased cybercrime threat - attackers using the Ryuk ransomware via Trickbot to disrupt healthcare systems – all while these organizations were deep in the throes of fighting the COVID-19 pandemic

We learned last week that one of, if not the biggest ransomware attack, last year cost one firm a staggering $67 million before taxes to recover from.

Universal Health Services, a Fortune 500 company based in King of Prussia, Pa., had its systems knocked offline by Ryuk on September 28 last year. As a result, the company - whose systems help hospitals and offices schedule appointments, facilitate lab results and medical forms - was forced to take its U.S. information technology networks offline for weeks.

In its Q4 earnings report, released last week, the company disclosed losses of $67 million due to the attack. Because of Ryuk, those costs, mostly derived from its acute care services, came as a result of loss of operating income, a reduction in patient activity, and increased revenue reserves stemming from billing delays.

As UHS didn't gets its systems back up and running until October, damage incurred by the ransomware attack spilled over from Q3 into Q4.

"We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020," the earnings report reads.

The report, issued for investors, is an interesting look back on several weeks the company would probably prefer to forget.

While the company has long insisted that there was no unauthorized access, copying or misuse of patient or employee data, it's clear the incident had repercussions that lingered weeks, almost into 2021, for some parts of the company.

Because of the attack, ambulances and previously scheduled procedures at its hospitals were diverted/rerouted to other hospitals. UHS didn't pay a ransom, something which forced its information technology department to work around the clock to restore operations. Progress around some of these, like administrative functions like coding and billing, were bumped to December, something that also affected the company's Q4 bottom line.

UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, said only its US facilities were impacted by the incident. In the wake of the attack, it suspended access to its applications, later restoring them at acute care and behavioral health hospitals along with corporate levels, bridging the gap that was erased between employees and electronic medical records, laboratory and pharmacy systems.

According to the report, the company believes it’s entitled to the majority of the $67 million through the commercial cybersecurity insurance coverage it has in place.

Even if UHS doesn’t get the full sum back, the sheer amount it cost the company makes it clear that over the last several months, Ryuk has proven to be one of the most lucrative strains of ransomware.

Sopra Steria, a France-based IT firm said a Ryuk attack it experienced last fall could wind up costing it between €40 million and €50 million, or between $48 and $60 million USD, a figure that far surpasses its cyber risk insurance coverage of €30 million, or $36 million.

Earlier this year it was estimated the group behind the ransomware, which operates as a ransomware-as-a-service, had made between $123 and $150 million in ransom in 2020.

IBM, which asserted the figure is closer to $123 million said that two-thirds of Ryuk victims ultimately pay a ransom, a statistic that could be tied to one of the group's tactics: threatening to release stolen data publicly in addition to encrypting data if a victim doesn’t pay.