Healthcare Ransomware EHR Downtime: $5B, Four Events

Four healthcare cyber events. One operating pattern.
The case for continuity during compromise.
The Numbers
$3.09B: Change Healthcare, full-year 2024 impact.

$1.8B: Ascension Health, FY24 operating loss.

$160M: CommonSpirit Health, confirmed cost.

$67M: Universal Health Services, pretax loss.

The category that didn't exist when the attacks landed.

The four healthcare ransomware and cyberattack events covered in this brief are not the rarest on record. They are the most expensive. Together they account for more than $5 billion in disclosed financial damage, three to six weeks of EHR downtime per event, clinical operations run on pen and paper, and at least one documented patient death attributable to delayed lab results during the outage.

 

Each of these organizations had a security program, a backup architecture, a disaster recovery plan, and cyber insurance. None of those things kept clinical workflow running while the recovery happened. That gap is the thing that has now been named: zero-downtime continuity.

Why It Matters

Sophos’s 2024 State of Ransomware report found 67% of healthcare organizations were hit by ransomware in the preceding year, a four-year high and nearly double the 2021 figure of 34%. The American Hospital Association recorded 94% of US hospitals reporting financial impact from the Change Healthcare attack alone. The math has shifted. Prevention investment is no longer the variable that moves outcomes. Continuity during compromise is.

Event One

Change Healthcare.

The Change Healthcare cyberattack, detected February 21, 2024, with initial access on February 12, took the largest US medical claims clearinghouse offline for months, exposing roughly 100 million patient records and costing UnitedHealth Group $3.09 billion in full-year 2024 financial impact. Threat actor: ALPHV/BlackCat. UnitedHealth Group paid a $22 million ransom that CEO Andrew Witty later confirmed under congressional questioning. The data was not returned. The group exit-scammed.


Change Healthcare is the largest medical claims clearinghouse in the United States. It processes approximately one in every three patient records in the country and clears roughly 15 billion transactions per year. When its systems went offline, claims processing across US healthcare effectively halted.

The most significant cyberattack on the US healthcare system in American history.

Operational Impact

AHA surveyed nearly 1,000 hospitals between March 9 and March 12. 94% reported financial impact. 82% reported impact to cash flow. 74% reported direct impact on patient care. Nearly 60% of hospitals losing cash flow said the impact exceeded one million dollars per day.

Kodiak Solutions, a revenue cycle analytics firm, tracked the claims-submitted value across 1,850 hospital and 250,000 physician clients in the three weeks following the attack. The value dropped by $6.3 billion. CMS advanced more than $3.2 billion in emergency payments to hospitals and providers between March 9 and June 17. UnitedHealth Group lent providers $8.5 billion through a temporary funding program. The combined $11.7 billion in emergency liquidity covered about 2.6% of the $375 billion in quarterly claims Change Healthcare normally processes.

Final Financial Impact

UnitedHealth Group’s full-year 2024 financial reporting disclosed total cyberattack impacts of $3.09 billion. Patient records exposed: approximately 100 million. The attack affected an estimated one-third of all Americans.

The Architectural Read

Change Healthcare was a vendor cascade. The 94% of US hospitals reporting financial impact did nothing wrong. They depended on a third party that went down. Vendor diversification alone does not solve this because the alternative clearinghouses run on the same hyperscaler and software stack. Continuity has to be architecturally separated from the entire vendor chain it is protecting.

Event Two

Ascension Health.

The Ascension Health ransomware attack, detected May 8, 2024, caused 37 days of EHR downtime across 140 hospitals in 19 states and contributed to a $1.8 billion FY2024 operating loss. A contractor working from an Ascension laptop clicked on a link returned by a Microsoft Bing search and downloaded a malicious file they believed was legitimate. The Black Basta ransomware group gained access. Seven of Ascension’s roughly 25,000 servers were compromised. Black Basta used Kerberoasting to escalate from the contractor’s laptop to full control of Ascension’s Windows enterprise.

 

Ascension operates 140 hospitals across 19 states. EHR access was lost for approximately 37 days. It was first restored in the Alabama, Austin, Florida, Tennessee, and Maryland regions before being restored network-wide on June 14, 2024. The Epic primary database was not breached. Files containing PHI and PII on seven file servers were stolen. Notification letters disclosed 5,599,699 affected individuals.

37 days of EHR downtime across 140 hospitals.

Clinical Reality of the Downtime

More than a dozen Ascension clinicians spoke to Michigan Public and KFF Health News in May and June 2024 about working through the outage. They described delayed and lost lab results, medication errors, and the absence of automated safety checks. A NICU nurse in Wichita reported nearly administering the wrong dose of a narcotic to a baby because the electronic scanning system was offline and the handwritten paperwork was confusing. A travel nurse in Indianapolis quit and warned local press about the risk to patients.

A woman with low blood sugar and altered mental status went into cardiac arrest and died after staff said they waited four hours for lab results they needed to determine how to treat her, but never received.

Ascension declined to answer questions about specific patient care claims, stating that care providers “continue to provide quality medical care.” The patient outcomes reported by frontline staff have not been independently confirmed by Ascension.

Final Financial Impact

Ascension reported a $1.8 billion FY2024 operating loss and an approximately $1.1 billion net loss for the fiscal year. In the ten months through April 30, 2024, the system had been narrowing losses to $332 million, a significant improvement from $1.9 billion in the prior year. The May-June downtime erased most of those gains. Facility volumes dropped 8 to 12 percent year over year in May and June due to delayed and rescheduled procedures.

The Architectural Read

Ascension is the cleanest case study for why backup is not continuity. The Epic database itself was untouched. The attackers compromised seven peripheral servers and the Windows enterprise around the EHR. The EHR went offline anyway, because the credentials and infrastructure surrounding it had been encrypted. 37 days of clinicians working from paper is the cost of a continuity layer not existing.

Event Three

CommonSpirit Health.

The CommonSpirit Health ransomware attack, detected October 2, 2022, caused 38 days of EHR downtime across approximately 100 facilities, exposed records on 623,774 individuals, and contributed to a $1.4 billion operating loss for the fiscal year at a confirmed cost of $160 million. Attackers first gained access on September 16, 2022 — 16 days of dwell time before detection. CommonSpirit is the second-largest nonprofit health system in the United States with 140 hospitals across 21 states.

 

One documented case: a Tacoma woman scheduled to have a cancerous tongue tumor removed at a Virginia Mason Franciscan Health hospital (a CommonSpirit subsidiary) had her surgery delayed several days because the EHR was offline. Her husband told KING-TV about the delay at the time. Records of 623,774 patients, family members, and caregivers were exposed.

$160M confirmed cost across 13 states.

Final Financial Impact

CommonSpirit’s initial public estimate of $150 million in February 2023 was raised to $160 million in May 2023 and held at that figure through later disclosures. The attack was a major factor in the system’s $1.4 billion operating loss for the fiscal year. Cash reserves dropped by $741 million to $1.85 billion as of December 31, 2022. CommonSpirit drew on its working capital line of credit to address the collections shortfall. The system was still waiting on insurance recovery a year later.

The Architectural Read

CommonSpirit shows that the technical recovery and the financial recovery are different events. EHR access came back in 38 days. Revenue cycle disruption stretched across the full fiscal year. Coding, billing, claims submission, and collections all had to catch up after the EHR returned. The financial blast radius of healthcare ransomware is measured in quarters, not days.

Event Four

Universal Health Services.

The Universal Health Services ransomware attack, detected September 27, 2020, took IT systems offline across more than 250 US facilities for approximately three weeks, resulting in $67 million in pretax losses — the earliest canonical case of the pattern all four events share. Ryuk ransomware. UHS is a Fortune 500 healthcare provider with more than 400 facilities globally. The IT team suspended user access to all US applications. Computer screens across UHS hospitals locked and displayed Ryuk ransom messages. Staff were instructed to turn off all computers.

 

UHS facilities continued operating using established backup processes including offline paper documentation. Ambulance traffic was diverted to competing facilities. Some elective procedures were postponed or sent to competitors. IT systems including EHR, laboratory systems, and pharmacy systems were restored on a rolling basis throughout October 2020. Approximately three weeks from event to substantial operational recovery.

$67M pretax loss. UHS refused to pay.

Final Financial Impact

UHS Q4 2020 earnings disclosed $67 million in pretax unfavorable impact from the attack. $12 million landed in Q3 2020 (the partial quarter when the attack occurred), $55 million in Q4 2020. The substantial majority came from lost operating income tied to patient activity diverted to competitor facilities and increased revenue reserves connected to billing delays. Administrative functions including coding and billing were delayed into December, with negative impact on Q4 operating cash flows.

The Architectural Read

UHS was the early canonical case of the pattern the next three events repeated. Established backup processes existed. Paper documentation procedures were trained for. Three weeks of operational downtime translated to $67 million regardless. The math at hospital scale is straightforward: diverted patients, billing delays, labor cost, and revenue reserves compound rapidly.

Across All Four

The shape of the event is the same.

Four organizations. Four different causes. Four different threat actors. The operational shape is identical.

| | Change Healthcare | Ascension | CommonSpirit | UHS |
|---|---|---|---|---|
| Event type | Vendor cascade | Ransomware | Ransomware | Ransomware |
| Threat actor | ALPHV/BlackCat | Black Basta | Unattributed | Ryuk |
| Detection to operational recovery | Months | 37 days | 38 days | ~3 weeks |
| Direct financial impact | $3.09B | $1.8B op. loss | $160M | $67M |
| Records exposed | ~100M | 5.6M | 623,774 | Not the data; the disruption |
| Clinical operations during outage | Pharmacy + claims gridlock | Paper, runners, ambulance diversion | Paper, surgeries cancelled | Paper, ambulance diversion |
| Patient harm reported | Chronic-care meds delayed | Death attributed by staff | Surgeries cancelled | Indirect, via diversion |
| Backups existed? | Yes | Yes | Yes | Yes |
| DR plan existed? | Yes | Yes, for 1-3 day disruption | Yes | Yes, paper procedures |
| Continuity layer running through outage? | No | No | No | No |

FAQ

Based on the four largest healthcare ransomware events on record, the detection-to-operational-recovery window runs three to six weeks. Universal Health Services recovered in approximately three weeks (2020). Ascension Health’s EHR was offline for 37 days (2024). CommonSpirit Health took 38 days to restore access across affected facilities (2022). Change Healthcare’s disruption extended for months (2024). Downtime procedures designed for 24–72 hours do not reflect the actual event window.

UnitedHealth Group disclosed $3.09 billion in total cyberattack impacts in its full-year 2024 financial reporting. The attack exposed approximately 100 million patient records — an estimated one-third of all Americans. UnitedHealth Group paid a $22 million ransom to ALPHV/BlackCat. The data was not returned.

Zero-downtime continuity is a dedicated architectural layer that keeps clinicians documenting, ordering, and treating patients during an EHR outage — while backup and disaster recovery focus on restoring systems after the event. It requires three conditions: a separate cloud with separate credentials outside the primary network’s failure domain; EHR-agnostic integration through HL7; and validated sync-back that prevents contaminated data from re-entering the recovered environment.

67% of healthcare organizations were hit by ransomware in the preceding year, according to Sophos’s 2024 State of Ransomware report — a four-year high and nearly double the 34% figure recorded in 2021. Separately, the American Hospital Association found that 94% of US hospitals reported financial impact from the Change Healthcare attack alone.

No. All four organizations covered in this brief — Change Healthcare, Ascension Health, CommonSpirit Health, and Universal Health Services — had active security programs, DR plans, backup infrastructure, and cyber insurance at the time of their attacks. None of those tools kept clinical workflow running during the recovery. Cyber insurance transfers financial risk after an event; DR restores systems eventually. Neither keeps clinicians treating patients during the outage. That is a separate architectural problem.

What It Adds Up To

Five Things Hospital Leaders Should Know About Ransomware EHR Downtime

1. The detection-to-recovery window for healthcare ransomware runs three to six weeks.

 

None of the four resolved in less than three weeks. Most ran four to six. Downtime procedures designed for 24 to 72 hour disruption do not survive contact with the actual event. Ascension was specific on this point: their downtime plans were built for one to three days.

 

2. Financial damage concentrates in lost operating income, not technical remediation.

 

UHS, CommonSpirit, and Ascension all reported in their own filings that the majority of the financial impact came from diverted patients, ambulance reroutes, billing delays, and revenue cycle disruption. The IT recovery itself was the smaller line item. The clinical workflow being unable to run is the cost.

 

3. Cybersecurity posture and backup infrastructure did not prevent multi-week downtime in any of the four events.

 

Each organization had real security programs, real DR plans, real backups, and real cyber insurance. None of those things let clinicians keep treating patients during the recovery. Treating continuity as an extension of backup is the category error that runs through all four events.

 

4. Vendor cascade events are now part of the threat model.

 

Change Healthcare cascaded to 94% of US hospitals. The July 2024 CrowdStrike outage affected hundreds of hospitals for hours to days. Neither was preventable at the individual hospital level. Both stopped clinical workflow. Continuity has to be architecturally outside the vendor chain it is protecting, not inside it.

 

5. The boards at every named system have asked the same continuity question since these events.

 

Not whether they have backup. Whether they have a way to keep clinicians documenting, ordering, and treating during the recovery. The first question has a yes answer at every hospital. The second has no good answer at most hospitals. That gap defines a new category.

The Category POV

Zero-Downtime Continuity: The Answer to EHR Downtime During Ransomware

Backup gets the data back. Every major US health system can do this. Disaster recovery restores the systems, eventually. Cyber insurance transfers the financial risk after the event.

 

What none of those three things does: keep clinicians treating patients during the recovery. That is a different problem. It defines a different category. ShelterZoom calls the category zero-downtime continuity. The category has not previously had a name because the technology to answer the question did not previously exist. That has changed.

What zero-downtime continuity requires.

Three architectural conditions, all of which Spare Tire meets.

One. Separate Cloud, Separate Credentials.

The continuity layer cannot share the failure domain it is protecting. If it lives inside the hospital’s primary network and shares Active Directory with the EHR, it goes down with the EHR. Spare Tire runs on an external cloud with its own credential plane. Lateral movement from a compromised primary network has nowhere to go. This matters because Sophos’s 2024 healthcare ransomware data showed that 95% of attacks targeted backups and 66% successfully compromised them. Backup systems that share credentials and network paths with the primary are encrypted alongside the primary.

Two. EHR-Agnostic Through HL7.

Spare Tire integrates with Epic, Oracle Cerner, MEDITECH, and any HL7-capable EHR. No rip-and-replace. No clinician retraining. The continuity layer runs alongside the primary EHR and does not replace it. Epic, Oracle Cerner, and MEDITECH have each recommended Spare Tire to customers on the analyst record.

Three. Validated Sync-Back.

When the primary EHR comes back online, Spare Tire validates incoming data before any sync occurs. This addresses the failure mode in which attackers leave compromised data behind that gets copied back into the recovered environment, a pattern that has shown up in the post-mortems of major healthcare ransomware events. The continuity layer protects the EHR during the outage. It also protects the EHR from its own contaminated restore on the way back.
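One way a pre-sync validation gate over HL7 v2 messages could work, as an added example (not ShelterZoom's or Spare Tire's code, and not a description of how the product validates). The HMAC tagging scheme, the key, the allowed message types, the outage window and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime

# Every value and sample message here is constructed for illustration.
SYNC_KEY = b"constructed-demo-key"  # assumed to live only in the continuity layer
OUTAGE = (datetime(2024, 5, 8), datetime(2024, 6, 15))  # sample window
ALLOWED_TYPES = {"ADT^A08", "ORM^O01", "ORU^R01"}

def sign(message):
    """Tag computed when the continuity layer first stores a message."""
    return hmac.new(SYNC_KEY, message.encode(), hashlib.sha256).hexdigest()

def check_message(message, tag, seen_ids):
    """Return reasons to quarantine one HL7 v2 message; [] means accept."""
    if not hmac.compare_digest(sign(message), tag):
        return ["integrity tag mismatch"]
    segments = [s.split("|") for s in message.split("\r") if s]
    if not segments or segments[0][:2] != ["MSH", "^~\\&"] or len(segments[0]) < 10:
        return ["malformed MSH segment"]
    msh, problems = segments[0], []
    # After split("|"), list index i holds field MSH-(i+1).
    stamp, msg_type, control_id = msh[6], msh[8], msh[9]
    if "^".join(msg_type.split("^")[:2]) not in ALLOWED_TYPES:
        problems.append("message type not allowed")
    try:
        when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
        if not OUTAGE[0] <= when < OUTAGE[1]:
            problems.append("timestamp outside outage window")
    except ValueError:
        problems.append("unparseable MSH-7 timestamp")
    if not control_id or control_id in seen_ids:
        problems.append("missing or replayed control ID")
    seen_ids.add(control_id)
    pid = next((s for s in segments if s[0] == "PID"), [])
    if len(pid) < 4 or not pid[3].split("^")[0]:
        problems.append("no patient identifier in PID-3")
    return problems

def validate_batch(batch):
    """Split (message, tag) pairs into accepted and quarantined lists."""
    accepted, quarantined, seen = [], [], set()
    for message, tag in batch:
        problems = check_message(message, tag, seen)
        (quarantined if problems else accepted).append((message, problems))
    return accepted, quarantined

def hl7(stamp, msg_type, control_id, mrn):
    return ("MSH|^~\\&|CONT|HOSP|EHR|HOSP|%s||%s|%s|P|2.5\r"
            "PID|1||%s^^^HOSP^MR||DOE^JANE\r" % (stamp, msg_type, control_id, mrn))

good = hl7("20240520101500", "ORU^R01", "MSG0001", "12345")
late = hl7("20240701090000", "ORU^R01", "MSG0002", "12345")
SAMPLE_BATCH = [
    (good, sign(good)),                            # untouched
    (good.replace("12345", "99999"), sign(good)),  # altered after tagging
    (late, sign(late)),                            # dated after the window
    (good, sign(good)),                            # replayed control ID
]
```

Calling validate_batch(SAMPLE_BATCH) accepts only the first message; the other three are held with the reason each failed, so nothing unverified is written back to the recovered EHR.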

The Economics

What this costs versus what it prevents.

The annual contract cost of Spare Tire for a community hospital runs less than four hours of one day of EHR downtime. For mid-size health systems, less than one hour of one day. One prevented event covers multiple years of the contract. This is not abstract math. It is derived from the financial disclosures in this brief.

Derived from Public Filings
~$3.2M per day at UHS during the 19-day downtime.

~$3.8M per day at CommonSpirit during 38-day recovery.

~$48M per day across Ascension’s 37-day FY24 attack window.

These are system-level figures, not single-hospital. For a 200-bed community hospital with $1.5 to $2.5 million in revenue per day, the math holds at the same shape: an annual continuity contract that prices in well below a single day of downtime, against an event window measured in weeks not hours.

The Payback Math

A community hospital that deploys a continuity layer and never experiences a ransomware event spends the contract value across the term and gets no recoverable return. A community hospital that deploys one and experiences a single event recovers the multi-year contract cost in the first 48 hours of avoided downtime. The base rate of healthcare ransomware in 2024 was 67% of organizations hit at least once. The question priced into the math is not whether an event occurs. It is whether the operating model already accounts for it.

From Oct. 26 to Nov. 18, that 23-day period, 100% of our systems offline. I learned that clinicians will do whatever it takes to take care of patients, but if you can provide them communications, that's the number one way to help them.

Your backup vendor is the tow truck. Spare Tire is the spare tire in the trunk. You need both. Only one of them means clinicians never stop treating patients.
