It appears that Henry Schein was forced to spend Thanksgiving scrambling to restore its system applications after the health care products distributor suffered its second cybersecurity incident in eight weeks — and from the same bad actor.
The situation may best be explained with a timeline:
On Oct. 15, Henry Schein disclosed that it had to take certain systems offline, including its eCommerce platform — after discovering a cyber breach on Oct. 14 that may have exposed customer and personal information such as bank account numbers, credit card numbers and other sensitive data to third parties.
About two weeks later, ransomware group BlackCat — also known as AlphV and Noberus — claimed responsibility for the attack, saying that it had encrypted files on the company’s systems and stolen 35 terabytes worth of sensitive data that it would publicly release on a daily basis and that the breach had already cost Henry Schein $150 million in lost revenue at that time.
On Nov. 2, BlackCat said that negotiations with Henry Schein had stalled, and in response, it decided to re-encrypt those files just as the distributor had nearly completed restoring its systems.
In the company’s 2023 third quarter earnings call on Nov. 13, CEO and Chairman Stanley Bergman said the company expected to reactivate its eCommerce platform within the week.
On Nov. 22, the company issued an update saying that certain applications, including its eCommerce platform, were unavailable after another cyber incident from the same threat actor and that Henry Schein continues to take orders using alternate means and continues to ship to its customers. A day later, the company updated that it was leveraging the prior work it did to restore its systems from the first breach, and that the company believed the disruption to its eCommerce platform and other applications would be “short-term.”
The company provided additional updates on Nov. 26 and 27, with the latter noting that it had restored its eCommerce platform in the U.S., while Canada and Europe are expected to follow shortly.
Cybersecurity media outlet SecurityWeek reported that, as of midday Nov. 27, Henry Schein was no longer listed on BlackCat’s dedicated website that enables customers and victims to check if their data was stolen in a hack. SecurityWeek notes this may indicate that negotiations have resumed and that a ransom has been paid.
Henry Schein’s initial cyberbreach came about two weeks after Ace Hardware disclosed its (unrelated) cyberattack, which also forced system suspension and disrupted online orders. In September, MRO supplies distributors Shively Bros also disclosed a February data breach.