[BreachExchange] The Financial Fallout From Data Breaches

[Audrey McNeil]

https://www.databreachtoday.com/financial-fallout-from-data-breaches-a-10734

Recent financial reports from three healthcare sector organizations that
suffered cyberattacks demonstrate how costly data breaches can be to
not-for-profit healthcare providers and for-profit companies alike.

For example, a new auditor report for Arizona-based Banner Health
acknowledges that anticipated federal fines resulting from a 2016 breach
incident, and a pending lawsuit, could impact the not-for-profit Arizona
healthcare system's financial performance.

Similarly, recent 2017 fiscal year-end filings with the U.S. Securities and
Exchange Commission by medical transcription vendor software vendor Nuance
and pharmaceutical giant Merck reveal the financial effect on each of those
organizations of the NotPetyaransomware attacks last June that disrupted
their operations.

The financial impact from cyberattacks on all these organizations offers a
powerful lesson for others, says privacy attorney Adam Greene of the law
firm Davis Wright Tremaine.

"Healthcare entities have historically lagged behind many other industries
with respect to how much budget is spent on information security," he says.
"But the last few years have really highlighted the substantial damage that
information security breaches can cause, demonstrating a much higher return
on investment for robust information security controls."

Banner Health Breach

A consolidated financial statement report for 2016 and 2017 issued on March
16 by the consultancy Ernst & Young about Banner Health notes that it's
facing a consolidated class action lawsuit as well as an investigation by
the Department of Health and Human Services related to a 2016 data breach.

The auditor report states that Banner Health expects potential "negative
findings" from the breach investigation by HHS' Office for Civil Rights as
well as a possible fine.

"The OCR investigation is still active, and OCR has indicated that initial
Banner responses with respect to its past security assessment activities
are inadequate," the report says. "Although Banner has supplemented its
initial responses, Banner anticipates it may receive negative findings with
respect to information technology security program and that a fine may be
assessed against Banner."

The report notes that the class action lawsuit against Banner - which
represents the consolidation of nine lawsuits - seeks damages and other
remedies on behalf of individuals impacted by the breach. The report notes
that Banner intends to vigorously defend itself against the suit and
expects a "substantial portion of the potential exposure from the
cyberattack and litigation" will be covered by its cyber risk insurance
policy. "The extent of potential liability has not yet been settled," it
notes.

The Ernst & Young report notes that a forensics investigation into the
Banner breach determined that the organization's computer systems that
process credit cards in food and beverage outlets at some locations were
accessed by unauthorized users resulting in the copying of about 21,000
credit cards numbers. The attackers also gained access to a number of
Banner servers containing other information of 3.7 million Banner patients
and healthcare providers.

In a statement provided to Information Security Media Group, Banner says
that after it reported the August 2016 cyberattack, OCR opened an initial
investigation in November 2016, which is progressing. "Banner provided all
of the information the OCR requested, and has fully cooperated in the
investigation," the statement says.

"Over the last 16 months, Banner has participated in an ongoing dialogue
with the OCR to ensure they were highly informed about the advances we are
making in our information security program to help protect against future
intrusions," the statement notes.

OCR declined to comment, saying it doesn't discuss current or potential
investigations.

Privacy attorney David Holtzman, vice president of consulting firm
CynergisTek, notes that the SEC recently issued guidance greatly expanding
the responsibilities of public companies to disclose obligations related to
cybersecurity risks and incidents.

"This new guidance applies to disclosures in registration statements and
periodic reports filed by publicly traded companies," he says. But some
not-for-profit organizations, such as Banner Health, apparently are
choosing to follow the guidance as well, he points out.

Nuance's Financial Impact

Cyberattacks have also taken a financial toll on Nuance and Merck.

In Nuance's 10K filings with the SEC for fiscal 2017 ended Sept. 30, the
Waltham, Mass.-based company says its revenue and operating results for
fiscal year 2017 were negatively impacted by the NotPetya malware incident.

"For fiscal year 2017, we estimate that we lost approximately $68 million
in revenues, primarily in our healthcare segment, due to the service
disruption and the reserves we established for customer refund credits,"
the company reports.

"Additionally, we incurred incremental costs of approximately $24 million
for fiscal year 2017 as a result of our remediation and restoration
efforts, as well as incremental amortization expenses."

Nuance says in the filing that it's evaluating its insurance coverage to
determine the amount, if any, of the malware incident losses that are
recoverable under the company's policies.

Additionally, as a result of the ransomware attack, Nuance reports to the
SEC it incurred capital expenditures of approximately $13 million related
to upgrading its existing technology infrastructures during the fourth
quarter of fiscal year 2017.

Impact on Merck

In its 10-K filing with the SEC for its fiscal year 2017, which ended on
Dec. 31, Merck says that the June 27, 2017, network attack involving
NotPetya led to a disruption of the company's worldwide operations,
including manufacturing, research and sales operations.

"Due to the cyberattack, the company was unable to fulfill orders for
certain products in certain markets, which had an unfavorable effect on
sales in 2017 of approximately $260 million," Merck says in the filing. <.p>

In addition, the company says it recorded other related expenses totaling
$285 million in 2017, net of insurance recoveries of approximately $45
million.

But the impact on Merck will linger into 2018, the company warns.

"Due to a residual backlog of orders, the company anticipates that in 2018
sales will be unfavorably affected in certain markets by approximately $200
million from the cyberattack. Merck does not expect a significant
impairment to the value of intangible assets related to marketed products
or inventories as a result of the cyberattack."

The company notes that it has insurance coverage insuring against costs
resulting from cyberattacks and has received proceeds. "However, there may
be disputes with the insurers about the availability of the insurance
coverage for claims related to this incident," Merck says in the filing.

Sales Affected

Merck also notes that the temporary production shutdown as a result of the
cyberattack also contributed to the company's inability to meet higher than
expected demand for vaccine Gardasil 9, which resulted in Merck's decision
to borrow doses of Gardasil 9 from the U.S. Centers for Disease Control and
Prevention Pediatric Vaccine Stockpile.

"The company subsequently replenished a portion of the borrowed doses in
2017. The net effect of the borrowing and subsequent partial replenishment
was a reduction in sales of $125 million in 2017," according to the SEC
filing.

Merck says it has implemented a variety of measures to further enhance its
systems to guard against similar attacks and taking steps to enhance the
company's resiliency following a cyberattack.

"The objective of these efforts is not only to protect against future
cyberattacks, but also to improve the speed of the company's recovery from
such attacks and enable continued business operations to the greatest
extent possible during any recovery period," the company says.

Insurance Benefits

Banner, Nuance and Merck each appear hopeful that their cyber insurance
policies can potentially help cover some of the expenses related to
cyberattacks.

"The importance of cyber insurance cannot be understated," attorney Greene
notes. "Because the cyber market is relatively new, insurance policies
aren't as standardized. They should typically cover regulatory
investigations and regulator settlements or fines, but each policy must be
carefully reviewed on this point, including whether there are specific
sub-limits."

The attorney emphasizes: "It's very important that information security
staff are involved in the cyber insurance process, so that an organization
does not fill out an insurance application inaccurately regarding what
safeguards are in place, potentially leading to coverage issues later
should an incident occur."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180323/a0ef207c/attachment.html>