For Petersen Health Care, a data breach became the tipping point; it was the last thing their precarious financial situation needed.
Petersen Health Care, an elder care company with over 90 facilities in Illinois, Iowa, and Missouri, recently filed for Chapter 11 bankruptcy in Delaware after facing a data breach. The company has over 6,796 residents and 4,000 employees, and made $339.7 million in revenue in 2023.
According to a Reuters news report, the nursing home operator owes more than $295 million in debt. $45 million was insured by the U.S. Department of Housing and Urban Development (HUD).
As part of their bankruptcy process, Petersen secured $45 million in bankruptcy loans to pay operating expenses.
The organization was in the process of restructuring its debt, but its plan was heavily disrupted by a cyberattack that devastated its infrastructure and caused severe delays.
As a result, the operator failed to make payments under the HUD-insured loans, leading to lenders placing some properties into receivership, meaning that the facilities are placed under the control of a trustee to assist in meeting financial obligations.
Unfortunately, neither the failure to pay the HUD loans nor the cyberattack was the first challenge Petersen Health Care faced.
Since COVID-19, nursing home demand in rural areas has significantly declined, with many opting for at-home care. Conversely, qualified nurses are in high demand and can be difficult to find and competitive to hire. Unreimbursed Medicaid costs from a 2015-2017 budget impasse in Illinois place further financial strain.
Several financial problems have plagued the medical industry, particularly nursing home operators and rural areas. To get through the troubling times, operators need a robust financial strategy.
In October 2023, Petersen Health Care fell victim to a breach linked to the ransomware organization Cactus. The group is relatively new, first spotted in March 2023, but has successfully attacked organizations across the globe. The organization has been spotted both encrypting data, making it unreadable by the victimized organization, and exfiltrating data to sell.
Cactus claimed the attack when it added the health group to its dark web leak site. Cactus released screenshots of identity documents, including passports, to confirm the attack.
Limited information is available regarding the incident; it was unclear if information published on the dark web was related to employees or patients. No medical records were released and Cactus did not state if any files or systems were encrypted in the attack.
According to one report, the leak followed Petersen’s refusal to pay the ransom. Refusing to pay is a popular and well-supported strategy to prevent victimized companies from being re-targeted. Petersen said that a substantial number of business-related records were lost, adding complexity to the billing process for customers and insurers. The result was significant delays in reimbursement for services provided by Petersen.
The attack led to multiple Petersen facilities falling into receivership, but it wasn’t the only security issue Petersen faced.
The devastating Change Healthcare incident left relatively few healthcare organizations unimpacted. In February 2024, the Blackcat attack caused lengthy payment processing delays for multiple healthcare organizations, including Petersen.
With looming debt, security issues, and operating costs, Petersen decided to file bankruptcy in hopes of continuing to provide residents care.
The company has remained fairly tight-lipped regarding the attacks; no official statement can be found on their website and the notice of data breach is not available on the Department of Health and Human Services’ website.
In a statement from Petersen, the company remains confident that it will recover from bankruptcy. “Petersen will operate as usual, and our team remains committed to continuing to provide first-rate care for our residents,” said the Company’s Chief Restructuring Officer, David Campbell. “We will emerge from restructuring as a stronger company with a more flexible capital structure. This will enable us to continue as a first-choice care provider and a reliable employer for our staff.”
Petersen has also said that they will be working with Getzler Henrich and Associates as well as Winston and Strawn LLP for financial and legal advice.
Further information on the specifics of the bankruptcy case is available online.
According to experts, the bankruptcy is likely to result in Petersen dividing assets. Currently, the company plans to sell at least some of its nursing homes to new care providers, dividing assets among multiple buyers.
Petersen estimates that the homes will be worth between $215 million and $305 million. The nursing home facilities plan to continue operations and provide care to residents.
Petersen’s attorney, Dan McGuire, said the following in a recent court appearance, “It isn’t blunt and up front in the pleadings, but let me be blunt and up front now–this is a sale case… I don’t think it’ll be one buyer. I think the homes will be sold in chunks to a bunch of different buyers who can recapitalize them and continue on with the care level that our residents need.”
McGuire further said that keeping the facilities running is a high priority, “That is an incredibly important focus for us in this case, is keeping these homes running, keeping these people cared for in the level of care that they deserve.”
The $45 million bankruptcy loan is designed to help operations continue while the sales take place, ensuring the company can maintain its value.
Time will tell if and how Petersen recovers from the massive changes and restructuring. While the case highlights the compounding effects of financial problems for vulnerable industries like elder care, it also points to the devastating impact of cyber attacks.
Unfortunately, attacks are difficult to predict and never take place at a good time. Petersen is far from the first organization to go under following an attack.
The cost of resolving an attack has especially skyrocketed–not only do companies have to find ways to recover lost files, which could lead to delays and operating costs, but they also have to pay legal fees associated with class action suits, bankruptcy, or HHS fines. Approximately 26% of organizations reported having to close down for some period of time following an attack.
The impact isn’t just felt by the hospital; patients are directly impacted. A study found that during an attack, the number of patients treated drops by 20%. Revenue drops by 40%. When patients can’t receive the care they need, real lives are affected. It’s estimated that between 2016 and 2021, ransomware attacks indirectly led to between 42 and 67 deaths of Medicare patients. With increasing attacks, the statistics have likely risen.
One report found that 60% of small to medium-sized businesses go out of business following a breach. With 66% of healthcare organizations being hit by ransomware attacks, detecting and responding to these attacks early on is key to preventing a successful attack.
Cloudticity ransomware protection solutions for healthcare enable organizations to identify and stop attacks before they penetrate systems and recover quickly. We’ve been managing protected health information in the cloud since 2011 and we’ve never had a breach.