Fitch says no rating fallout for CommonSpirit over cyberattack

A ransomware attack on CommonSpirit Health may cause operational headaches but it doesn't pose a near-term threat to the nation's largest not-for-profit healthcare system's A-minus rating, Fitch Ratings said.

The cyberattack also didn't get in the way of the system's Tuesday pricing of $1.3 billion of new money and refunding paper.

The system added disclosure of the attack to its preliminary offering statements last week.

"We saw strong demand for our bond offering, especially considering the challenging overall market and rate conditions," Chief Financial Officer Daniel Morissette said in a statement.

The ransomware attack came to light earlier this month and CommonSpirit provided initial detail in an Oct. 4 investor discussion of its fiscal 2022 results and upcoming deal.

The latest details came in a press release Monday that provided a brief update including facilities impacted.

"Fitch believes that the overall credit impact is minimal at this time," analysts said in a special commentary published Tuesday. "While there will certainly be some lost revenues due to the cyberattack requiring some systems be taken off line, the depth and current breadth of the losses are expected to be di minimus compared to CommonSpirit's total operating base."

Chicago-based CommonSpirit also has cybersecurity insurance. The cyberattack timing appears coincidental to the bond sale, according to system officials.

The attack underscores the growing threats healthcare providers must manage as such attacks become more frequent.

"Fitch will continue to assess the effectiveness of CommonSpirit's incident response and the impact on its overall credit profile," analysts wrote. Management quality, including the capacity to manage the impacts of cyberattacks, is a risk factor under credit criteria that could negatively affect CommonSpirit's rating, they wrote.

Potential fiscal costs include potential regulatory fines and penalties, liability for remediating the breaches, reputational damage, and business losses.

"We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process," the Oct. 17th press release reported.

Fitch upgraded the system to A-minus from BBB-plus ahead of the deal. S&P Global Ratings also rates the system A-minus while Moody's Investors Service rates it Baa1.

Spreads on the deal's 10-year and 25-year maturities in the $497 million tax-exempt piece, priced through conduit Colorado Health Facilities Authority, came wide to the Municipal Market Data single-A and BBB benchmarks.

The 10-year with a 5% coupon landed at a 4.36% yield. That's a 123 basis point spread to the AAA benchmark and 32 bp to the BBB. The 30-year maturity with a 5.25% coupon paid a 5.28% yield. That's 154 bp over the AAA and 53 bp over the BBB.

On the tax-exempt paper, market sources said market concessions are typical on new issues given rocky market conditions and can be more pronounced on a deal like CommonSpirit's given its size and a buyer base mostly limited to institutions given the ratings and fact that the paper comes from a healthcare borrower.

The system sold $807 million of index-eligible taxables with a corporate CUSIP with the 2027 bond landing at a spread of 185 bps to Treasuries and the 2052 bond at a 240 bp spread.  The system had planned up to $1 billion of taxables, mostly to refund existing debt, and did not comment on the decision to trim the size.

"We saw strong demand for our bond offering, especially considering the challenging overall market and rate conditions," Chief Financial Officer Daniel Morissette said in a statement. "We believe the demand reflects confidence from investors and our rating agencies around the financial stability and sustainability for CommonSpirit. Communicating regularly and transparently with our investors has also been an important priority."

The Chicago-based Catholic system was created through the 2019 merger of Catholic Health Initiatives and Dignity Health. JPMorgan, Citi, and Morgan Stanley served as senior managers with another six firms as co-managers. The system operates 142 hospitals with 2,200 care sites across 21 states that generated $34.4 billion of revenue in fiscal 2021.

The FBI has expressed concern that health systems are a prime target for online attacks due to the mandatory electronic transition of medical records and high payouts for medical records in the black market.

For reprint and licensing requests for this article, click here.
Not-for-profit healthcare Primary bond market Cyber attacks Ratings
MORE FROM BOND BUYER