For the second time in about 40 days, the BlackCat ransomware gang claimed to have hit Henry Schein with another cyberattack that disabled some of its applications for a few days and has shut down its e-commerce sites in Canada and Europe.
On November 27, the dental distributor announced that its e-commerce site in the U.S. had been restored following six days of unavailability. Its e-commerce sites in Canada and Europe “are expected to follow shortly,” according to a company press release dated November 27.
Schein representatives referred DrBicuspid back to its website for comments.
On November 22 -- a little more than a week after its business operations and e-commerce sites had been restored -- the company reported that it was dealing with another cybersecurity incident, which left its applications and e-commerce platforms unavailable. The dental distributor stated that BlackCat, which is the same group that reportedly admitted to infiltrating the company for the first time in October, claimed responsibility for this strike as well, according to a company press release dated November 22.
A day later, Henry Schein announced that it had identified the source of the problem and was taking advantage of prior work it had done to restore its systems following the first attack, and it expected any disruptions to be short term. Additionally, the company was continuing to ship orders to customers and was taking orders using alternative methods, according to a Henry Schein press release dated November 23.
BlackCat, a ransomware-as-a-service organization that is also known as ALPHV, has reportedly been playing with Henry Schein since October 14 when it struck the company, leading a one-month pause in most of its business operations.
Almost three weeks after the cyber hit, on November 2, BlackCat claimed on a leak site on the dark web that it had breached Henry Schein’s network and looted 35TB -- 1TB is equivalent to about 200,000 five-minute songs -- of sensitive data, which included payroll and shareholder information. Also, it threatened to dump the stolen data.
Furthermore, the cybercriminals alleged that its negotiations with the company had failed, so it reencrypted the healthcare giant’s devices again just as Henry Schein was close to restoring its systems. Not long after the gang took responsibility for the attack, BlackCat’s post on the leak site was deleted. The deletion of the post possibly indicated that Henry Schein had paid the ransom or that negotiations between the groups had resumed.
On November 13, Henry Schein announced that its e-commerce platforms and distribution businesses were fully operational. At the time, Schein informed customers and suppliers in the U.S. that the cyberstrike may have exposed their sensitive data, including bank account and credit card numbers, to third parties and encouraged both groups to be vigilant about changing passwords and monitoring their accounts for suspicious activity.
Also, Henry Schein announced that the cyberattack was expected to hurt its sales for 2023. The company’s full-year 2023 sales are expected to be approximately 1% to 3% lower than its total sales in 2022.
In more bad news for the company, it reported on November 16 that its cybersecurity mess led to the dental distributor’s noncompliance with the listing requirements of the Nasdaq Stock Market.
Henry Schein expected the notice because it had not filed its quarterly report, which is required by Nasdaq and the U.S. Securities and Exchange Commission (SEC), for the quarter that ended September 30 in a timely manner. The company notified the SEC that limited access to information, which was due to it having to take certain systems offline following the cyberstrike, prevented it from filing the report by the deadline.