Henry Schein
(Nasdaq: HSIC)
warned customers and suppliers today that their sensitive information may have been exposed in a cyberattack.
The medical device manufacturer and distributor first disclosed the cyber security incident on Oct. 15. Then this month, a ransomware gang known as BlackCat/ALPHV said they encrypted the company’s systems and stole 35 TB of sensitive data. The cyberattackers said they caused $150 million in losses and threatened to release internal payroll data and shareholder folders.
Today, Henry Schein shared more details on its disruption and financial impacts during today’s earnings call for Q3 (ended Sept. 30).
In letters to customers and suppliers, Henry Schein confirmed the data breach and said bank account and credit card numbers may have been exposed. The company encouraged data security measures for both groups and promised to provide credit monitoring and identify protection services for affected customers.
“We are aware that bank account information for a limited number of suppliers was misused, and we have already separately addressed those impacted,” the company said in its letter to suppliers.
In a news release, the company also said it “contained the incident, restored most of the business-critical systems it proactively took offline in response to the situation, and is making significant progress towards resuming normal-course operations.”
On today’s earnings call, Henry Schein CEO and Chair Stanley Bergman said last week’s distribution business orders were still down by at least 10% compared to before the incident.
“Over the past weeks, we have worked to create a clean network in a controlled manner from the backup data we maintain,” he said on today’s call. “Our distribution businesses are now operational and we are initiating our e-commerce platform early this week and we’re indeed hopeful that the website will come up tomorrow morning.”
“A cyber incident could occur to any business and [it’s] been particularly prevalent in the healthcare arena over the last six months. … In fact, for the first six months of this year, there were over 300 incidents in healthcare alone,” Bergman later continued after thanking customers and partners for their patience and support.
Henry Schein cyberattack financial impact
Henry Schein expects full-year sales to be 1% to 3% lower than the prior year rather than the previously forecasted sales growth increase of 1% to 3%. The change is primarily due to the cybersecurity incident, the company said.
The company also updated its full-year adjusted earnings per share guidance, decreasing the top end of the previous range of $5.18-$5.35 to $5.26. The company estimates the cybersecurity incident’s business interruption impact at $0.55-$0.75 per share.
Henry Schein expects its cyber insurance policy will offer some coverage for the incident, CFO Ron South said, with final resolution subject to insurer approval.
“This policy has a $60 million after-tax claim limit after a $5 million retention, and any claim recovery will likely not be recognized until late 2024,” he said.
Henry Schein appears to be the first medtech company that’s suffered a cyberattack since the SEC launched new regulations requiring publicly traded companies to promptly disclose cybersecurity incidents that have a material impact. (These regulations are different than the FDA’s new cybersecurity requirements for developers and manufacturers of cyber devices.)
Henry Schein has requested more time to file its Q3 report “due to information access limitations arising from the company’s decision to shut down certain operations as a precautionary measure as a result of the cybersecurity incident.”
Medical Design & Outsourcing: Henry Schein’s cyberattack offers lessons for others