April 17, 2025

Commentary: Cyberattacks threaten financial survival of surgical practices

Editor's Note

One cyberattack can unravel years of work and financial stability for a surgical practice. That’s the central warning in a commentary by Lenworth M. Jacobs Jr., MD, MPH, FACS, professor of surgery at the University of Connecticut and director of the Trauma Institute at Hartford Hospital. Published April 9 by the American College of Surgeons (ACS), the article details how a single ransomware incident targeting a billing company brought a small surgery practice’s revenue to a standstill, forcing it to operate without income and scramble for financial survival.

The February 2024 attack halted all claims processing between the billing company and insurers, Dr Jacobs writes, effectively cutting off the practice’s revenue. While surgeons continued to care for patients and submit billing codes, invoices were never sent. It took three months for the billing company to provide the practice with a loan to cover expenses like staff salaries and facility overhead.

As detailed in the commentary, such attacks are becoming increasingly common and severe. Since 2019, the U.S. Department of Health and Human Services has reported an 89% rise in data breaches and a 102% increase in ransomware incidents. In 2024 alone, 259 million Americans had healthcare data compromised across roughly 590 attacks. One ransomware breach accounted for more than 190 million records.

These attacks pose far more than administrative headaches, Dr Jacobs notes. He quotes cybersecurity expert John Riggi of the American Hospital Association (AHA), who says attacks can also disrupt care, delay services, and pose real threats to patient and community safety.

Riggi co-authored Sentinel Event Alert 67 with The Joint Commission in 2023, offering guidance for cyberattack response, particularly for smaller providers. As explained by Dr Jacobs, the guidance’s recommendations for surgical practices include performing hazard analyses, forming downtime planning committees, identifying critical services, training staff to spot cyber threats, and maintaining immutable data backups. Practices are also advised to vet third-party vendors, assess whether billing companies can extend emergency loans, and ensure that any such financial arrangements are clearly understood.

 
