Henry Schein’s ongoing response to its cybersecurity incident offers lessons for how other device developers and manufacturers should keep investors and customers in the loop under similar circumstances — and could help device designers and engineers understand how much (or little) information they may get from cyberattacked suppliers.
This week, a ransomware group known as BlackCat/ALPHV said it encrypted Henry Schein’s systems and stole 35 TB of “sensitive data,” threatening to start releasing “internal payroll data and shareholder folders.” Henry Schein has not publicly acknowledged that group’s claims.
Henry Schein appears to be the first company on the Medtech Big 100 to disclose a cybersecurity incident since the new Securities and Exchange Commission regulations took effect. (These regulations are different from the FDA’s new cybersecurity requirements for developers and manufacturers of cyber devices.)
The new SEC rules require all publicly traded companies registered with the SEC — not just developers and manufacturers of medical devices — to release details of a cyberattack within four days of determining that it has a material impact.
However, Henry Schein has not yet said whether the incident has a material impact, and has not filed a disclosure under the new Form 8-K Item 1.05 for material cybersecurity incidents.
Showing the urgency of the matter, however, the company announced the incident last month in a news release that it also filed with the SEC on a Sunday, one day after it “determined that a portion of its manufacturing and distribution businesses experienced a cybersecurity incident.”
Henry Schein’s first disclosure was brief and not overly specific. It broadly described the incident, precautionary actions and the involvement of law enforcement.
“A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident,” the SEC says.
Updates after the initial cybersecurity disclosure
Henry Schein recently followed up with more information for customers and investors. In a letter to customers nine days after the initial disclosure, the company offered updates on the situation, contact information for placing orders and all other questions, and an apology.
The company also shared some of that information with investors in an 8-K filed with the SEC the same day, while offering more details on the status of operations. Again, the update was brief:
“In the United States and Canada, all customer orders are being taken and fulfilled from all major distribution centers, with orders generally expected to ship within one or two business days,” the company said. “Orders for consumables and small equipment (including diagnostics, Rx products (other than controlled substances), and hazardous materials) from all customers can be placed through the Company’s field sales, telesales, and customer service teams. In addition, Henry Schein’s equipment service and installation teams have remained fully operational during this period.”
“Henry Schein’s European distribution businesses are also operational, generally taking and shipping orders. The Company’s distribution businesses in Australia, New Zealand, Asia and Brazil are fully operational,” the company continued. “Henry Schein One, LLC, the Company’s practice management technology business, has not been impacted by the incident, and most of the Company’s manufacturing operations have been unaffected.”
That filing for investors also told them how and where the company planned to offer further updates, including the investor relations section of its website, SEC filings, conference calls, webcasts, press releases and social media channels.
Henry Schein’s upcoming Q3 earnings call
The company’s third-quarter conference call (for the quarter ended Sept. 30, 2023) is scheduled for Nov. 13, so we’ll see if and how top executives address the cybersecurity incident.
In two SEC filings and the news release announcing that Q3 conference call, Henry Schein also said that it would need more time to submit its 10-Q quarterly report. The company blamed “information access limitations arising from the company’s decision to shut down certain operations as a precautionary measure as a result of the cybersecurity incident.”
“The company’s internal information security teams, supported by leading third-party forensic and cybersecurity experts, continue to take steps to assess and contain this incident,” the company said in an SEC filing yesterday, noting the quarterly report would be in by the end of November.
In the meantime, since the first update came nine days after the initial disclosure, there could be another update from Henry Schein before that call.