In October, Melville, New York-based Henry Schein responded to a cyberattack, which forced the healthcare product distributor and manufacturer to take certain systems offline, including its eCommerce platform, in a move that primarily disrupted its dental and medical businesses.
Henry Schein has since reported it has contained the cybersecurity incident, which was discovered on Oct. 14, and has restored most of the business-critical systems it “proactively took offline in response to the situation, and is making significant progress towards resuming normal-course operations.” In the company’s 3Q23 earnings call on Nov. 13, CEO and Chairman Stanley Bergman detailed that over the week of Nov. 6-10, orders from the company’s distribution businesses were approximately 85% to 90% of what they were pre-incident, and that Henry Schein would initiate reactivation of its eCommerce platform within the week.
As of the end of Nov. 14, the company’s website instructs customers to place orders through a Henry Schein representative or via telesales instead of the website. Orders were still expected to ship within 24 hours of placement.
Bergman said the breach resulted in “a significant amount of information” being obtained by an unauthorized third party, including bank account information for a limited number of suppliers, which Henry Schein has already separately addressed.
“I would like to extend a heartful thanks to our customers as well as our suppliers and team members for their patience and the incredible support we’ve received from all of our constituents during this period,” Schein said in the earnings call. “Our customers, our suppliers and our team understand that a cyber incident could occur to any business and has been particularly prevalent in the health care arena over the last six months.”
The disclosure of the breach comes two weeks after Ace Hardware disclosed its (unrelated) cyberattack, which also forced system suspension and disrupted online orders. In September, MRO supplies distributor Shively Bros also disclosed a February data breach.
Financial Impact of Cyberattack on Henry Schein
The cyberattack on Henry Schein is estimated to have caused a $0.55 to $0.75 per share business interruption impact. A Nov. 3 report from medical device and medtech news outlet MassDevice detailed that a cyberattack group known as BlackCat claimed responsibility for the breach and said it had stolen 35 terabytes' worth of sensitive data, including internal payroll data and shareholder folders. BlackCat reportedly said it has already cost Henry Schein $150 million in lost revenue.
On Nov. 13, Henry Schein updated its full-year 2023 guidance, in which it expects non-GAAP diluted EPS of $4.43 to $4.71, to reflect the cybersecurity incident and a softening of macroeconomic conditions. Full-year 2023 sales are now expected to be approximately 1% to 3% lower than full-year 2022 sales, which is an update from prior guidance of 1% to 3% sales growth. The company reported a third quarter dip in profits to $137 million, compared to 3Q 2022 GAAP net income of $150 million.
Despite the cybersecurity incident, Bergman said in the earnings report that the company has “confidence in the stability of the dental and medical markets” and the company remains committed to its strategic priorities and long-term financial model.
Henry Schein reported that it expects to file an insurance claim in 2024 related to the incident.
“We expect the claim will be covered under its cyber insurance policy, although final resolution is subject to insurer approval,” officials said in the financial report release. “This policy has a $60 million after-tax claim limit after a $5 million retention, and any recovery from the claim will likely not be recognized until late 2024.”