NIST Updates Guidance for Health Care CybersecurityJuly 28, 2022
Three Ransomware Readiness Essentials for Healthcare ProvidersAugust 25, 2022
SEC Filing Reveals Financial Toll of Recent Disruptive Security Event
Marianne Kolbasuk McGee (HealthInfoSec) • July 26, 2022
It's not just the incident: It's also the business interruption and the cost to recuperate that makes a cyber incident so disruptive to healthcare delivery organizations.
Tenet Healthcare in a report filed Thursday with the Securities and Exchange Commission disclosed an April cyber incident that temporarily disrupted a subset of the company's acute care operations, causing an estimated $100 million "unfavorable impact" on the organization's second quarter.
Tenet further disclosed to investors during a presentation that the $100 million financial impact from the cybersecurity incident was caused by lost revenues and remediation costs.
Tenet is among a handful of healthcare sector entities in the last year to publicly report that cybersecurity incidents have resulted in multimillion-dollar costs, associated with loss revenue, remediation and other financial fallout. Like some of those other entities, Tenet's financial sting is being eased through cyber insurance coverage.
Tenet in its SEC filing said it has "ample insurance coverage" and will record proceeds in earnings as it receives them. So far, the company says it has recouped about $5 million from its cyber insurance coverage related to the incident.
Tenet, which reported revenue of about $4.85 billion in 2021, operates more than 600 healthcare facilities in nearly three dozen states, including 465 ambulatory surgery centers and surgical hospitals, 60 hospitals and about 110 outpatient centers.
Backup Processes Helped
To date, Tenet has disclosed scant details about the cyber incident itself, which the company first publicly revealed in an April 26 statement.
At that time, Tenet said it had experienced a cybersecurity incident about a week earlier and that efforts to restore affected IT operations continued to make progress. Tenet, also at that time, said "critical applications" had been largely restored and the subset of affected facilities had begun to resume normal operations.
In its SEC filing last week, Tenet said that during the cyber incident, the company's hospitals remained operational and continued to deliver patient care, utilizing "well-established" backup processes.
"The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and took steps to restrict further unauthorized activity," Tenet's SEC report says.
Tenet did not immediately respond to Information Security Media Group's request for additional details about the cybersecurity incident, including whether it involved ransomware, and whether Tenet was reporting the incident to regulators as a data breach.
As of Tuesday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, did not appear to show any reports by Tenet involving the April cyber incident.
While the SEC's requirements to report financial obligations tied to cybersecurity risks and incidents apply to publicly traded companies, more not-for-profit organizations are choosing to follow similar governance and public reporting practices, says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"Given the frequency, magnitude and cost of cybersecurity incidents, it is vital that healthcare organizations identify and have disclosure controls in place to ensure that internal and external stakeholders are informed of the risks and impacts that such an event would have," he says.
Regulators such as the SEC have been paying closer attention to financial disclosures relating to cybersecurity incidents, says insurance attorney Peter Halprin of the law firm Pasich LLP.
"Last year, the SEC settled charges against First American Financial Corp. for disclosure controls and procedures violations following the exposure of sensitive customer information," he says.
The SEC in June 2021 smacked the Santa Clara, California-based title insurance firm with a $488,000 penalty for its handling of a 2019 data breach that exposed hundreds of millions of mortgage and other financial documents.
Among other allegations, the SEC said its investigation into the First American Financial Corp. incident revealed that information security staff members at the company had been aware of a software vulnerability for five months but had failed to fix it or report it to the firm's senior executives, leading up to the breach.
"Companies will therefore want to ensure that they make appropriate disclosures in relation to such incidents," Halprin says.
In the meantime, Tenet's recent SEC filing related to its April cybersecurity incident underscores the importance of cyber insurance, he says.
"The fact that the claim was within policy limits suggests that Tenet purchased cyber insurance limits in excess of the amount of the [$100 million] unfavorable impact," he says.
"If so, this would be a classic example as to how cyber insurance can provide bottom-line protection for companies who have been the victims of cybersecurity incidents."