Ransomware attack on hospital shows new risk for muni-bond issuers
Hackers have finally done what bond issuers may have feared most from cyber criminals.
A ransomware attack on Pleasant Valley Hospital in West Virginia was partly responsible for the hospital’s breach of its covenant agreement, according to a notice to the hospital’s bondholders from the trustee, WesBanco Bank. It appears to be the first time a cyber attack triggered a formal covenant violation, according to research firm Municipal Market Analytics.
The virus entered the hospital’s system via emails sent 10 months before the cyber criminals asked the hospital for money, said Craig Gilliland, the hospital’s chief financial officer. The information the criminals held for ransom did not contain patient data or confidential data, so it was “more of an annoyance,” he added.
Because of the attack, the hospital was forced to spend about $1 million on new computer equipment and infrastructure improvements, Gilliland said. That cost, along with declining patient volume, caused the hospital’s debt service coverage for the fiscal year that ended on Sept. 30 to fall to 78%, below the 120% the loan agreement requires, according to the material notice to bondholders.
“When we had the cyber attack, we didn’t have the sophisticated anti-virus software that we needed,” he said. “Cyber attacks are effective on smaller hospitals and smaller government agencies who do not have the resources and do not spend the money to proactively get ahead of the curve.”
The hospital did not miss any payments to bond investors. Gilliland said he is not aware of whether or not payments were made to the perpetrators because the attack was managed by a cyber liability insurance carrier Beazley Group. Mairi MacDonald, who manages media relations for Beazley Group, said via email that the company does not comment on specific client matters.
“The resolution of the situation will likely cost the hospital via monetary settlements and security hardening, making a financial rebound a bit more difficult than otherwise,” MMA said in its report. “Pleasant Valley highlights cyber risks as, at least so far, primarily a worsener for most municipal credits.”
Cyber risk is a growing concern for the municipal market. There were 133 publicly reported attacks against health-care providers since 2016, 47 of which occurred in 2019, according to data collected by threat intelligence company Recorded Future, Inc. Health-care providers are at particular risk for cyber attacks because patient care is disrupted, so there is an expectation the hospital will pay to remedy that quickly, said Allan Liska, an intelligence analyst at the company. Health-care providers also use unique software that is often managed by vendors, leaving updates to the software out of their hands.
“You have hospitals and doctors offices that are often forced to run outdated and old software that makes them at risk for these ransomware attacks,” Liska said.
And it’s not just health-care providers that are at risk. In 2019, state and local governments reported 106 ransomware attacks, nearly double what was reported a year before, according to data collected by Recorded Future. Among them were the Syracuse School District, which said it experienced a cyber attack that could “impact its financial position” according to a July 31 regulatory filing, and the city of Baltimore, which disclosed a cyber attack to investors in its bond offering documents when it borrowed last year.
For Pleasant Valley Hospital, the insurance company Beazley Group “connected the Hospital with other vendors to settle and remediate the issue,” according to the statement to bondholders. To address the decreasing patient volume, the hospital has lowered its labor costs and plans to convert doctor offices into two rural health clinics and to offer a new medical withdrawal inpatient service.
The threat to credit will get worse in the public finance realm before it can be alleviated, said Geoffrey Buswick, an analyst for S&P Global Ratings. Issuers can do all the right things, like protect their network and have proper insurance in place, and still find it difficult to fully offset cyber risks, he added.
“The various actors out there, be it a nation-state or criminal organization or just a rogue hacker, seem to have advanced technologies that are changing quickly,” Buswick said.