The Financial Fallout From Data BreachesBanner Health Follows Nuance, Merck in Reporting Details About the Impact
Recent financial reports from three healthcare sector organizations that suffered cyberattacks demonstrate how costly data breaches can be to not-for-profit healthcare providers and for-profit companies alike.
For example, a new auditor report for Arizona-based Banner Health acknowledges that anticipated federal fines resulting from a 2016 breach incident, and a pending lawsuit, could impact the not-for-profit Arizona healthcare system's financial performance.
Similarly, recent 2017 fiscal year-end filings with the U.S. Securities and Exchange Commission by medical transcription vendor software vendor Nuance and pharmaceutical giant Merck reveal the financial effect on each of those organizations of the NotPetya ransomware attacks last June that disrupted their operations.
The financial impact from cyberattacks on all these organizations offers a powerful lesson for others, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Healthcare entities have historically lagged behind many other industries with respect to how much budget is spent on information security," he says. "But the last few years have really highlighted the substantial damage that information security breaches can cause, demonstrating a much higher return on investment for robust information security controls."
Banner Health Breach
A consolidated financial statement report for 2016 and 2017 issued on March 16 by the consultancy Ernst & Young about Banner Health notes that it's facing a consolidated class action lawsuit as well as an investigation by the Department of Health and Human Services related to a 2016 data breach.
The auditor report states that Banner Health expects potential "negative findings" from the breach investigation by HHS' Office for Civil Rights as well as a possible fine.
"The OCR investigation is still active, and OCR has indicated that initial Banner responses with respect to its past security assessment activities are inadequate," the report says. "Although Banner has supplemented its initial responses, Banner anticipates it may receive negative findings with respect to information technology security program and that a fine may be assessed against Banner."
The report notes that the class action lawsuit against Banner - which represents the consolidation of nine lawsuits - seeks damages and other remedies on behalf of individuals impacted by the breach. The report notes that Banner intends to vigorously defend itself against the suit and expects a "substantial portion of the potential exposure from the cyberattack and litigation" will be covered by its cyber risk insurance policy. "The extent of potential liability has not yet been settled," it notes.
The Ernst & Young report notes that a forensics investigation into the Banner breach determined that the organization's computer systems that process credit cards in food and beverage outlets at some locations were accessed by unauthorized users resulting in the copying of about 21,000 credit cards numbers. The attackers also gained access to a number of Banner servers containing other information of 3.7 million Banner patients and healthcare providers.
In a statement provided to Information Security Media Group, Banner says that after it reported the August 2016 cyberattack, OCR opened an initial investigation in November 2016, which is progressing. "Banner provided all of the information the OCR requested, and has fully cooperated in the investigation," the statement says.
"Over the last 16 months, Banner has participated in an ongoing dialogue with the OCR to ensure they were highly informed about the advances we are making in our information security program to help protect against future intrusions," the statement notes.
OCR declined to comment, saying it doesn't discuss current or potential investigations.
Privacy attorney David Holtzman, vice president of consulting firm CynergisTek, notes that the SEC recently issued guidance greatly expanding the responsibilities of public companies to disclose obligations related to cybersecurity risks and incidents.
"This new guidance applies to disclosures in registration statements and periodic reports filed by publicly traded companies," he says. But some not-for-profit organizations, such as Banner Health, apparently are choosing to follow the guidance as well, he points out.
Nuance's Financial Impact
Cyberattacks have also taken a financial toll on Nuance and Merck.
In Nuance's 10K filings with the SEC for fiscal 2017 ended Sept. 30, the Waltham, Mass.-based company says its revenue and operating results for fiscal year 2017 were negatively impacted by the NotPetya malware incident.
"For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits," the company reports.
"Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses."
Nuance says in the filing that it's evaluating its insurance coverage to determine the amount, if any, of the malware incident losses that are recoverable under the company's policies.
Additionally, as a result of the ransomware attack, Nuance reports to the SEC it incurred capital expenditures of approximately $13 million related to upgrading its existing technology infrastructures during the fourth quarter of fiscal year 2017.
Impact on Merck
In its 10-K filing with the SEC for its fiscal year 2017, which ended on Dec. 31, Merck says that the June 27, 2017, network attack involving NotPetya led to a disruption of the company's worldwide operations, including manufacturing, research and sales operations.
"Due to the cyberattack, the company was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million," Merck says in the filing. <.p>
In addition, the company says it recorded other related expenses totaling $285 million in 2017, net of insurance recoveries of approximately $45 million.
But the impact on Merck will linger into 2018, the company warns.
"Due to a residual backlog of orders, the company anticipates that in 2018 sales will be unfavorably affected in certain markets by approximately $200 million from the cyberattack. Merck does not expect a significant impairment to the value of intangible assets related to marketed products or inventories as a result of the cyberattack."
The company notes that it has insurance coverage insuring against costs resulting from cyberattacks and has received proceeds. "However, there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident," Merck says in the filing.
Merck also notes that the temporary production shutdown as a result of the cyberattack also contributed to the company's inability to meet higher than expected demand for vaccine Gardasil 9, which resulted in Merck's decision to borrow doses of Gardasil 9 from the U.S. Centers for Disease Control and Prevention Pediatric Vaccine Stockpile.
"The company subsequently replenished a portion of the borrowed doses in 2017. The net effect of the borrowing and subsequent partial replenishment was a reduction in sales of $125 million in 2017," according to the SEC filing.
Merck says it has implemented a variety of measures to further enhance its systems to guard against similar attacks and taking steps to enhance the company's resiliency following a cyberattack.
"The objective of these efforts is not only to protect against future cyberattacks, but also to improve the speed of the company's recovery from such attacks and enable continued business operations to the greatest extent possible during any recovery period," the company says.
Banner, Nuance and Merck each appear hopeful that their cyber insurance policies can potentially help cover some of the expenses related to cyberattacks.
"The importance of cyber insurance cannot be understated," attorney Greene notes. "Because the cyber market is relatively new, insurance policies aren't as standardized. They should typically cover regulatory investigations and regulator settlements or fines, but each policy must be carefully reviewed on this point, including whether there are specific sub-limits."
The attorney emphasizes: "It's very important that information security staff are involved in the cyber insurance process, so that an organization does not fill out an insurance application inaccurately regarding what safeguards are in place, potentially leading to coverage issues later should an incident occur."