A salutary lesson for all organisations, with Tenet Healthcare reporting a cyber attack costing it $100 million

August 1, 2022

The impact of data breaches should not be underestimated. Many, if not most, businesses and organisations store their data on computers which are connected to the internet. For the service industry that usually means personal information. Masses of it. And the health sector is a prime target for cyber attacks because health service providers collect a vast amount of personal information and types of information which may be used for identity theft and other forms of fraud. Unfortunately the health sector is also prone to poor cyber security practices. This is highlighted in "Cyber Incident Cost $100 Million, Tenet Healthcare Reports". That is a significant cost but not a record by current standards.

Tenet’s data breach is not an isolated incident by any stretch.  In June and July there have been the following breaches of health care providers:

  • Avamere Health Services suffered intermittent unauthorized network access between January 19, 2022 and March 17, 2022. A total of 380,984 patient records were affected and the individuals notified. The personal information involved included names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medication information, lab results, and medical diagnosis/conditions information.
  • The City of Newport suffered a data breach on June 8, 2022 and June 9, 2022 involving records of city employees.
  • In the Canadian province of Newfoundland and Labrador, Eastern Health suffered a data breach resulting in a privacy breach notification being sent to 37,800 people. That equates to one out of every 13 people in the province.
  • Feelyou, a journaling and social mood tracking app, had a flaw whereby anyone could obtain the personal email addresses of users and link them to anonymous posts simply by accessing the app’s GraphQL application programming interface (API), which did not require any authentication. This affected 70,000 personal email addresses.

The article provides:

Tenet Healthcare in a report filed Thursday with the Securities and Exchange Commission disclosed an April cyber incident that temporarily disrupted a subset of the company’s acute care operations, causing an estimated $100 million “unfavorable impact” on the organization’s second quarter.

Tenet further disclosed to investors during a presentation that the $100 million financial impact from the cybersecurity incident was caused by lost revenues and remediation costs.

Tenet is among a handful of healthcare sector entities in the last year to publicly report that cybersecurity incidents have resulted in multimillion-dollar costs, associated with lost revenue, remediation and other financial fallout. Like some of those other entities, Tenet’s financial sting is being eased through cyber insurance coverage.

Tenet in its SEC filing said it has “ample insurance coverage” and will record proceeds in earnings as it receives them. So far, the company says it has recouped about $5 million from its cyber insurance coverage related to the incident.

Tenet, which reported revenue of about $4.85 billion in 2021, operates more than 600 healthcare facilities in nearly three dozen states, including 465 ambulatory surgery centers and surgical hospitals, 60 hospitals and about 110 outpatient centers.

Backup Processes Helped

To date, Tenet has disclosed scant details about the cyber incident itself, which the company first publicly revealed in an April 26 statement.

At that time, Tenet said it had experienced a cybersecurity incident about a week earlier and that efforts to restore affected IT operations continued to make progress. Tenet, also at that time, said “critical applications” had been largely restored and the subset of affected facilities had begun to resume normal operations.

In its SEC filing last week, Tenet said that during the cyber incident, the company’s hospitals remained operational and continued to deliver patient care, utilizing “well-established” backup processes.

“The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and took steps to restrict further unauthorized activity,” Tenet’s SEC report says.

Tenet did not immediately respond to Information Security Media Group’s request for additional details about the cybersecurity incident, including whether it involved ransomware, and whether Tenet was reporting the incident to regulators as a data breach.

As of Tuesday, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, did not appear to show any reports by Tenet involving the April cyber incident.

Public Disclosures

While the SEC’s requirements to report financial obligations tied to cybersecurity risks and incidents apply to publicly traded companies, more not-for-profit organizations are choosing to follow similar governance and public reporting practices, says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.

“Given the frequency, magnitude and cost of cybersecurity incidents, it is vital that healthcare organizations identify and have disclosure controls in place to ensure that internal and external stakeholders are informed of the risks and impacts that such an event would have,” he says.

Regulators such as the SEC have been paying closer attention to financial disclosures relating to cybersecurity incidents, says insurance attorney Peter Halprin of the law firm Pasich LLP.

“Last year, the SEC settled charges against First American Financial Corp. for disclosure controls and procedures violations following the exposure of sensitive customer information,” he says.

The SEC in June 2021 smacked the Santa Clara, California-based title insurance firm with a $488,000 penalty for its handling of a 2019 data breach that exposed hundreds of millions of mortgage and other financial documents.

Among other allegations, the SEC said its investigation into the First American Financial Corp. incident revealed that information security staff members at the company had been aware of a software vulnerability for five months but had failed to fix it or report it to the firm’s senior executives, leading up to the breach.

“Companies will therefore want to ensure that they make appropriate disclosures in relation to such incidents,” Halprin says.

In the meantime, Tenet’s recent SEC filing related to its April cybersecurity incident underscores the importance of cyber insurance, he says.

“The fact that the claim was within policy limits suggests that Tenet purchased cyber insurance limits in excess of the amount of the [$100 million] unfavorable impact,” he says.

“If so, this would be a classic example as to how cyber insurance can provide bottom-line protection for companies who have been the victims of cybersecurity incidents.”

 

 
