A cyberattack group known as BlackCat is threatening to release Henry Schein (Nasdaq: HSIC) data unless the medical device manufacturer and distributor pays a ransom.

BlackCat (also known as ALPHV, both named after the ransomware of the same name) said they’ve encrypted Henry Schein’s systems after failed negotiations with Coveware, which describes itself as “ransomware recovery first responders.”

The cyber gang said they’ve stolen 35 TB of “sensitive data,” including “internal payroll data and shareholder folders.”

Henry Schein disclosed a cyber security incident on October 15 and has offered few details.

The latest update came in a Securities and Exchange Commission filing this week asking for more time to file its quarterly report for the three months ended Sept. 30. The company said it wouldn’t be able to file on time “due to information access limitations arising from the company’s decision to shut down certain operations as a precautionary measure as a result of the cybersecurity incident.”

The BlackCat/ALPHV group reportedly added Henry Schein to its dark web leak site last month. This week, the group threatened to post data as soon as today and said it has already cost Henry Schein $150 million.

The group later removed Henry Schein from its leak site, which could mean negotiations have resumed or the company has paid the ransom.

Cybersecurity expert Dominic Alvieri posted a screenshot of ALPHV/BlackCat’s threats and called them the “most dangerous, damaging and flexible ransomware group today,” citing the Henry Schein attack as well as $500 million in damages for Clorox and an estimated $200 million lost by Dole.

Henry Schein appears to be the first medtech company that’s suffered a cyberattack since the SEC launched new regulations requiring publicly traded companies to promptly disclose cybersecurity incidents that have a material impact. However, Henry Schein has not yet quantified the impact or said whether it is considered to be material. (These regulations are different than the FDA’s new cybersecurity requirements for developers and manufacturers of cyber devices.)
