Henry Schein working to resolve cybersecurity incident under new rules

Henry Schein is working to resolve an ongoing “cybersecurity incident,” the company said in a Security and Exchange Commission filing under new cyberattack disclosure rules.

On Saturday, the medical device manufacturer and distributor “determined that a portion of its manufacturing and distribution businesses experienced a cybersecurity incident,” it said in a Sunday regulatory filing. “Henry Schein promptly took precautionary action, including taking certain systems offline and other steps intended to contain the incident, which has led to temporary disruption of some of Henry Schein’s business operations.”

Henry Schein said it notified law enforcement and hired third-party experts in cybersecurity and forensic information technology “to help investigate any data impact and respond to this situation.”

The company said its practice management software used by customers was not disrupted, and thanked “customers and suppliers for their patience and understanding.”

New cyberattack disclosure rules for major medtech companies
If the incident had happened a year ago, it’s not clear whether Henry Schein would have informed investors so quickly — or at all. But new securities regulations require publicly traded companies in the U.S. — including medical device companies — to disclose significant cyberattacks within four days of determining that it has a material impact.

It should be noted that Henry Schein did not specifically call this incident a “cyberattack” or say in the securities filing that it would have a material impact on the company’s financial or operating performance. The company is the world’s 13th-largest device company, according to Medical Design & Outsourcing‘s Medtech Big 100 ranking by revenue.

Henry Schein also did not specify which law enforcement agencies are involved. The FBI asks companies that believe they’ve been targeted by a cyberattack to contact their local FBI field office or the Internet Crime Complaint Center (IC3).

The cybersecurity incident appears to be one of the first disclosed under the new regulations, which the SEC finalized this summer.

In August, Clorox similarly disclosed a cybersecurity incident that squeezed its order processing and manufacturing operations. Earlier this month, the company said it was still struggling to return to full capacity, with financial results taking a hit.

Watch for more details from Henry Schein in the coming weeks and months to see how the company is responding to the situation. The new SEC rules could also result in more disclosures from other medtech companies.

These SEC cyberattack disclosure rules are separate from the FDA’s new cybersecurity requirements for medtech developers and manufacturers. Medical Design & Outsourcing