Report: Ransomware Attack Contributes to Breach of Hospital Covenant Agreement With Bondholders

Feb. 7, 2020
Pleasant Valley Hospital in West Virginia forced to spend about $1 million on infrastructure improvements after cyber attack, according to Insurance Journal report

A recent Emsisoft report on the state of ransomware in the United States found that 764 healthcare providers were hit in 2019. A fascinating story recently published in Insurance Journal opened a window on the financial burden these attacks are having.

A ransomware attack on Pleasant Valley Hospital in West Virginia was partly responsible for the hospital’s breach of its covenant agreement with bondholders, according to the story. The journal cited a report to the hospital’s bondholders from the trustee, WesBanco Bank, which stated that: “The Hospital has provided to the Trustee information with respect to the reason the Hospital did not meet the rate covenant in Section 521 of the Loan Agreement for such Fiscal Year and certain actions recently taken by the Hospital. The Hospital has represented that the shortfall was largely the result of a ransomware cyber-attack and declining patient volumes….”

Insurance Journal interviewed Craig Gilliland, the hospital’s chief financial officer, who said the virus entered the hospital’s system via e-mails sent 10 months before the cyber criminals demanded ransom. The information the criminals held for ransom did not contain patient data or confidential data, he added.

Because of the attack, the hospital was forced to spend about $1 million on new computer equipment and infrastructure improvements, Gilliland told the journal. That cost, along with declining patient volume, caused the hospital’s debt service coverage for the fiscal year that ended on Sept. 30 to fall to 78 percent, below the 120 percent the loan agreement requires, according to the material notice to bondholders.

“When we had the cyber attack, we didn’t have the sophisticated anti-virus software that we needed,” Gilliland told Insurance Journal. “Cyber attacks are effective on smaller hospitals and smaller government agencies who do not have the resources and do not spend the money to proactively get ahead of the curve.”

The article stressed that the hospital did not miss any payments to bond investors. Gilliland told Insurance Journal that he was not aware of whether or not payments were made to the perpetrators because the attack was managed by cyber liability insurance carrier Beazley Group. A media relations person for Beazley Group told Insurance Journal via e-mail that the company does not comment on specific client matters.

Ironically, cyber insurance may be contributing to the problem rather than alleviating it. As the Emsisoft report notes, “organizations that have cyber insurance may be more inclined to pay ransom demands, which results in ransomware being more profitable than it would otherwise be and incentivizes further attacks.”

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?