Henry Schein says 29K people affected in September cyberattack

Dive Brief:

  • Henry Schein has notified Maine’s attorney general that the personal information of 29,112 people, including more than three dozen residents of the state, may have been accessed in a Sept. 27 cyber incident that affected part of the company’s manufacturing and distribution businesses.
  • The hackers acquired information that included individuals’ names and financial account or credit/debit card numbers combined with the security code, access code, password or PIN for the account, the Office of the Maine Attorney General said Wednesday in a notification to consumers.
  • Goldman Sachs analysts, after meeting with Henry Schein management on Tuesday, said in a report to clients that the dental and medical products supplier is offering price discounts to try to win back the up to 10% to 15% of customers that “went elsewhere” when the company’s system was down during the cybersecurity incident.

Dive Insight:

Henry Schein discovered the system breach on Oct. 14. The next day, the company publicly announced that it took some of its systems offline as it worked to contain the incident. Practice management software used by its clients was not disrupted, the Melville, New York-based company said.

A month later, Henry Schein sent a letter to employees informing them that their personal data and that of their dependents may have been accessed and obtained by an unauthorized third party. The attorneys general of both Maine and California this week disclosed the letter, which is dated Nov. 17.

The information may include an employee’s name, address, phone number, email address, photograph, date of birth, demographic information, government-issued identification numbers, financial information, medical history, insurance information, employment details and IP address, the company wrote.

Henry Schein also notified U.S. suppliers on Nov. 13 that the bank account information of a limited number of suppliers was “misused” due to the data breach.

The company last month said it had mostly restored its operations but lowered sales expectations for its 2023 fiscal year due to the cybersecurity breach and expects a $0.55 to $0.75 impact to earnings per share related to the business interruption.

The ransomware group AlphV/BlackCat claimed responsibility for the breach, according to the website Bleeping Computer.

The incident delayed the company’s filing of its 10-Q with regulators, but Henry Schein has since submitted the form. In it, the company said that on Nov. 22 it experienced a subsequent disruption to its e-commerce platform and related applications.

In a Nov. 27 update on its website, the company said it has restored the e-commerce platform in the United States, and its platforms in Canada and Europe are expected to follow shortly.

In a Nov. 22 update, Henry Schein said the “threat actor from the previously disclosed cybersecurity incident has claimed responsibility” for the second incident.

The company did not immediately respond to a request for comment from MedTech Dive.

Goldman Sachs’ analysts said Henry Schein is offering discounts of 10% to 20% off product list prices to all customers through December, and may continue them into next year, as its sales representatives work to retain business.