Cyber incident cost $100 million, Tenet Healthcare report says

SEC filing reveals financial cost of recent disruptive security event

Marianne Kolbasuk McGee (HealthInfoSec) • July 26, 2022

It’s not just the incident: it’s also the business interruption and recovery cost that makes a cyber incident so disruptive to healthcare delivery organizations.


Tenet Healthcare, in a report filed Thursday with the Securities and Exchange Commission, disclosed an April cyber incident that temporarily disrupted a subset of the company’s acute care operations, causing an estimated “adverse impact” of $100 million in the organization’s second quarter.

Tenet further disclosed to investors during a presentation that the $100 million financial impact of the cybersecurity incident was caused by lost revenue and remediation costs.

Tenet is one of a handful of healthcare entities in the past year to publicly report that cybersecurity incidents have resulted in multimillion-dollar costs associated with lost revenue, corrective actions and other financial benefits. Like some of these other entities, Tenet’s financial sting is mitigated through cyber insurance coverage.

Tenet, in its filing with the SEC, said it has “adequate insurance coverage” and will record the proceeds in earnings as it receives them. So far, the company says it has recovered around $5 million of its cyber insurance coverage related to the incident.

Tenet, which reported revenues of about $4.85 billion in 2021, operates more than 600 healthcare facilities in nearly three dozen states, including 465 outpatient surgery centers and surgical hospitals, 60 hospitals, and about 110 ambulatory care centers.

Backup processes helped

To date, Tenet has released few details about the cyber incident itself, which the company first revealed publicly in an April 26 statement.

At the time, Tenet said it had suffered a cybersecurity incident about a week earlier and efforts to restore affected IT operations continued to progress. Tenet, also at the time, said “critical applications” had largely been restored and the affected subset of installations had begun to resume normal operations.

In its SEC filing last week, Tenet said that during the cyber incident, the company’s hospitals remained operational and continued to provide patient care, using “well-established” backup processes.

“The company immediately suspended user access to affected information technology applications, implemented extensive cybersecurity protection protocols, and took steps to restrict unauthorized activity,” Tenet’s SEC report said.

Tenet did not immediately respond to Information Security Media Group’s request for more details about the cybersecurity incident, including whether it involved ransomware and whether Tenet was reporting the incident to regulators as a data breach.

On Tuesday, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more people, appeared to show no reports from Tenet regarding the April cyber incident.

Public disclosures

While the SEC’s requirements to report financial obligations related to cybersecurity risks and incidents apply to publicly traded companies, more and more nonprofits are choosing to follow similar governance practices and public reporting, says privacy attorney David Holtzman of consulting firm HITprivacy LLC.

“Given the frequency, scale and cost of cybersecurity incidents, it is critical that healthcare organizations identify and implement disclosure controls to ensure that internal and external stakeholders are informed of the risks and impacts that such an event would have,” he said.

Regulators such as the SEC have paid greater attention to financial disclosures relating to cybersecurity incidents, says insurance attorney Peter Halprin of law firm Pasich LLP.

“Last year, the SEC settled charges against First American Financial Corp. for breaching disclosure controls and procedures following the exposure of sensitive customer information,” he says.

In June 2021, the SEC fined the Santa Clara, Calif.-based title insurance company $488,000 for its handling of a 2019 data breach that exposed hundreds of millions of mortgages and other financial documents.

Among other allegations, the SEC said its investigation into First American Financial Corp. revealed that the company’s information security staff had been aware of a software vulnerability for five months but had failed to fix it or report it to senior company management, leading to the breach.

“Companies will therefore want to ensure that they appropriately disclose such incidents,” Halprin said.

Meanwhile, Tenet’s recent filing with the SEC regarding its April cybersecurity incident underscores the importance of cyber insurance, he says.

“The fact that the claim was within the policy limits suggests that Tenet purchased cyber insurance limits greater than the amount of the [$100 million] adverse impact,” he says.

“If so, it would be a classic example of how cyber insurance can provide basic protection to businesses that have been victims of cybersecurity incidents.”
