A recent Emsisoft report on the state of ransomware in the United States found that 764 healthcare providers were hit in 2019. A fascinating story recently published in Insurance Journal opened a window on the financial burden these attacks are having.
A ransomware attack on Pleasant Valley Hospital in West Virginia was partly responsible for the hospital’s breach of its covenant agreement with bondholders, according to the story. The journal cited a report to the hospital’s bondholders from the trustee, WesBanco Bank, which stated that: “The Hospital has provided to the Trustee information with respect to the reason the Hospital did not meet the rate covenant in Section 521 of the Loan Agreement for such Fiscal Year and certain actions recently taken by the Hospital. The Hospital has represented that the shortfall was largely the result of a ransomware cyber-attack and declining patient volumes….”
Insurance Journal interviewed Craig Gilliland, the hospital’s chief financial officer, who said the virus entered the hospital’s system via e-mails sent 10 months before the cyber criminals demanded ransom. The information the criminals held for ransom did not contain patient data or confidential data, he added.
Because of the attack, the hospital was forced to spend about $1 million on new computer equipment and infrastructure improvements, Gilliland told the journal. That cost, along with declining patient volume, caused the hospital’s debt service coverage for the fiscal year that ended on Sept. 30 to fall to 78 percent, below the 120 percent the loan agreement requires, according to the material notice to bondholders.
“When we had the cyber attack, we didn’t have the sophisticated anti-virus software that we needed,” Gilliland told Insurance Journal. “Cyber attacks are effective on smaller hospitals and smaller government agencies who do not have the resources and do not spend the money to proactively get ahead of the curve.”
The article stressed that the hospital did not miss any payments to bond investors. Gilliland told Insurance Journal that he was not aware of whether or not payments were made to the perpetrators because the attack was managed by cyber liability insurance carrier Beazley Group. A media relations person for Beazley Group told Insurance Journal via e-mail that the company does not comment on specific client matters.
Ironically, cyber insurance may be contributing to the problem rather than alleviating it. As the Emsisoft report notes, “organizations that have cyber insurance may be more inclined to pay ransom demands, which results in ransomware being more profitable than it would otherwise be and incentivizes further attacks.”