Henry Schein’s ongoing response to its cybersecurity incident offers lessons for how other device developers and manufacturers should react under similar circumstances — and could help device designers and engineers understand how much (or little) information they may get from cyberattacked suppliers.
“A cyber incident could occur to any business and [it’s] been particularly prevalent in the healthcare arena over the last six months. … In fact, for the first six months of this year, there were over 300 incidents in healthcare alone,” Henry Schein CEO and Chair Stanley Bergman said while discussing the situation on the company’s Nov. 13 third-quarter earnings call.
Henry Schein appears to be the first company on the Medtech Big 100 to disclose a cybersecurity incident since the launch of new Securities and Exchange Commission regulations mandating quick disclosure of material cybersecurity incidents. (These regulations are separate from the FDA’s new cybersecurity requirements for developers and manufacturers of cyber devices.)
The new SEC rules require all publicly traded companies registered with the SEC — not just developers and manufacturers of medical devices — to disclose details of a cyberattack within four business days of determining that the incident is material.
Henry Schein has not yet filed a disclosure under the new Form 8-K Item 1.05 for material cybersecurity incidents. But showing the urgency of the matter, the company announced the incident in a news release that it also filed with the SEC on a Sunday, one day after it “determined that a portion of its manufacturing and distribution businesses experienced a cybersecurity incident.”
That first disclosure on Oct. 15 was brief and not overly specific. It broadly described the incident, precautionary actions and the involvement of law enforcement.
“A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident,” the SEC says.
Behind the scenes, the team reacted fast to contain the problem. On the Q3 earnings call, Bergman credited CTO Christopher Pendergast with a “brilliant move.”
“He brought the whole system down immediately,” Bergman said. “He … was quite comfortable that our backups were good. Our backups have turned out to be very good. And what we need to do now is turn on application by application. Before you can turn on that application, you have to do certain forensic work to make sure that there are no sleepers in there. And so that’s what we’ve been doing.”
Updates after the initial cybersecurity disclosure
Henry Schein followed up with more information for customers and investors nine days after the initial disclosure. In a letter to customers, the company offered updates on the situation, contact information for placing orders and all other questions, and an apology.
At the same time, the company provided some of that information to investors in an 8-K filed with the SEC the same day, along with more details on the status of operations. Again, the update was brief:
“In the United States and Canada, all customer orders are being taken and fulfilled from all major distribution centers, with orders generally expected to ship within one or two business days,” the company said. “Orders for consumables and small equipment (including diagnostics, Rx products (other than controlled substances), and hazardous materials) from all customers can be placed through the Company’s field sales, telesales, and customer service teams. In addition, Henry Schein’s equipment service and installation teams have remained fully operational during this period.”
“Henry Schein’s European distribution businesses are also operational, generally taking and shipping orders. The Company’s distribution businesses in Australia, New Zealand, Asia and Brazil are fully operational,” the company continued. “Henry Schein One, LLC, the Company’s practice management technology business, has not been impacted by the incident, and most of the Company’s manufacturing operations have been unaffected.”
That filing for investors also told them how and where the company planned to offer further updates, including the investor relations section of its website, SEC filings, conference calls, webcasts, press releases and social media channels.
Ransomware gang takes credit
In November, a ransomware group known as BlackCat/ALPHV said it encrypted Henry Schein’s systems and stole 35 TB of “sensitive data,” threatening to start releasing “internal payroll data and shareholder folders.” The cybergang said its business disruption cost Henry Schein $150 million.
Henry Schein has not publicly acknowledged that group’s claims.
But in letters to customers and suppliers on Nov. 13 — the same day as the company’s Q3 earnings call — Henry Schein confirmed the data breach and warned that bank account and credit card numbers may have been exposed.
The company encouraged data security measures for both groups and promised to provide credit monitoring and identity protection services for affected customers.
“Bank account information for a limited number of suppliers was misused and we have already separately addressed this with those impacted,” Bergman said on the call.
Henry Schein’s Q3 earnings call
Bergman and Henry Schein SVP and CFO Ron South discussed the cyberattack on the company’s Q3 earnings call, offering estimates of the financial impact and more details of the business disruption and response.
Henry Schein previously said it would need more time to submit its 10-Q quarterly report for the quarter (ended Sept. 30). The company blamed “information access limitations arising from the company’s decision to shut down certain operations as a precautionary measure as a result of the cybersecurity incident.”
“The company’s internal information security teams, supported by leading third-party forensic and cybersecurity experts, continue to take steps to assess and contain this incident,” the company said in an SEC filing, noting the quarterly report would be in by the end of November.
Bergman concluded the Q3 earnings call with a message for investors that medtech developers and manufacturers should also heed.
“At some point, we’re going to have to deal with cyber threats — as a country, as a world. It’s one of the top concerns on CEOs’ lists. And we’re going to have to put much more money into law enforcement in this area. Law enforcement has been extremely collaborative [and] cooperative. But this is a new area — it’s not brand new, but the number of attacks is increasing significantly each month,” he said.
This article was originally published on Oct. 16, 2023, and was most recently updated on Nov. 13 with new information.