Cyberattacks can affect any hospital but have a disproportionate effect on smaller hospitals.
Fitch Ratings recently took credit action on two nonprofit health systems, downgrading both after each experienced a crippling cyberattack.
While most cyber events to date have not materially affected a hospital's credit quality, Frederick Health Hospital in Maryland and Palomar Health in California are exceptions.
Both providers are comparatively small, with relatively weaker balance sheets and limited cushion for additional stress, when compared to other providers rated by Fitch, the agency said.
WHAT'S THE IMPACT
On March 14, Fitch downgraded Palomar's Issuer Default Rating (IDR) to 'B-'/RON from 'B'/RWN due to continued financial challenges. This followed a downgrade in December 2024 from 'BB+'/RON due to pressured financial performance, which was exacerbated by a significant cyber event.
Recovery lasted several months and severely disrupted operations and key billing functions, Fitch said. According to HIPAA Journal, hackers broke into Palomar's systems in late April of last year and likely used ransomware since some of the files on the network were unrecoverable.
Fitch downgraded Frederick Health's IDR to 'BBB'/RWN from 'BBB+' in February as a result of slower-than-expected recovery in operating performance. But Fitch said the RWN reflects uncertainty around the financial and/or reputational impact a recent cyberattack would have on the hospital.
Herald-Mail Media reported that Frederick Health has been dealing with an increased patient load and service delays following its ransomware attack.
Fitch believes the attack and potentially prolonged recovery may lead to a heightened level of stress and weaken financial metrics.
While Fitch said the rating actions underscore the importance of cyber resilience, it acknowledged that organizations with fewer resources may have more difficulty shoring up their current cyber defenses.
"Fitch may take negative rating action if a hospital's financial profile is deemed to be materially impaired, or at risk for impairment, in the aftermath of a cyber event," it wrote. "A cyberattack that affects a hospital's ability to provide service, including affecting relationships with physicians and staff, and/or hinders customer billing could temporarily reduce revenue generation for the system."
THE LARGER TREND
Often, longer-term recovery expenses outstrip the immediate costs associated with a cyber breach, said Fitch. Such expenses – including remediation and enhanced security measures, along with increased cybersecurity insurance premiums, legal costs, and staffing and compliance expenses – could add to a hospital's operating costs, erode liquidity and decrease funds available for debt service.
With nonprofit hospitals already struggling with inflation and labor costs, unexpected borrowing to bolster their cybersecurity infrastructure may weaken their credit quality, the agency said.
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.