Cyberattacks can cripple hospitals of any size, but they’re particularly damaging to smaller hospitals with fewer resources to recover, according to Fitch.
The ratings agency recently took action on two health systems, Fredrick Health Hospital in Frederick County, Md., and Palomar Health in Escondido, Calif., after both struggled financially in the wake of cyberattacks. The health systems had relatively weaker balance sheets compared to other health systems prior to the attacks, which further stressed their margins.
Fitch downgraded Palomar’s issuer default rating to B- after downgrading it to BB+ in December. It took several months for Palomar to recover from the attack, which “severely disrupted operations and key billing functions,” according to Fitch.
The company also downgraded Fredrick to BBB from BBB+ in February after its recovery from a cyberattack was also longer than expected. Fitch felt the attack and long recovery could weaken financial metrics.
“These rating actions underscore the importance of robust cyber resilience measures to withstand and quickly recover from cyber incidents, although issuers with fewer resources may have more difficulty improving current cyber defenses,” according to a report from Fitch.
Hospitals incur additional costs with extended recovery periods, including remediation and extra security measures as well as higher cybersecurity insurance premiums, according to the report. Those expenses hit liquidity and lower funds available for debt service.
“With [nonprofit] hospitals already facing greater demands on their budgets from inflation and labor costs, unexpected borrowing to bolster cybersecurity infrastructure, including updating compromised hardware and software systems, may weaken leverage metrics and erode credit quality,” according to the report.
