CommonSpirit Health added disclosure of a ransomware attack to its offering statements this week as the nation’s largest not-for-profit system prepares to enter the market with a $1.5 billion transaction, underscoring the acute threats posed to borrowers across the municipal spectrum.
The Chicago-based Catholic system created through the 2019 merger of Catholic Health Initiatives and Dignity Health will offer $500 million of tax-exempts through the Colorado Health Facilities Authority and $1 billion of index-eligible taxables with a corporate CUSIP.
JPMorgan, Citi, and Morgan Stanley are senior managers with another six firms as co-managers. Ponder & Co. is advisor and Polsinelli is counsel. The pricing is expected Tuesday.
The bonds carry ratings of Baa1 from Moody’s Investors Service and an A-minus from S&P Global Ratings and Fitch Ratings, after Fitch’s Sept. 21 upgrade.
“We feel like this is a really great vote of confidence in the strength of CommonSpirit in achieving a lot of what we hoped to do through the merger…and maintaining financial stability over the last few years,” Lisa Zuckerman, senior vice president of treasury and strategic investments, said in an investor presentation.
The system over the last two weeks has conducted in-person meetings in Boston and New York City and held other one-on-one investor calls stressing its long-term strengths despite reporting an operating loss of $1.04 billion for fiscal 2022, the status on merger balance sheet goals, and its Fitch upgrade.
The ransomware attack came to light earlier this month and CommonSpirit provided initial detail in an Oct. 4 investor discussion of its fiscal 2022 results and upcoming deal following up with some additional detail in press release Wednesday and then the preliminary official statement supplements Thursday.
“On or about Oct. 3, 2022, the system experienced an IT security incident at certain of the system’s facilities. Upon discovering the ransomware attack, the system took immediate steps to protect its IT systems, contain the incident, begin an investigation, and ensure continuity of care,” the supplement says.
The system’s protocol calls for taking some systems offline, such as electronic health records. Some patient appointments and procedures were rescheduled, leading cybersecurity specialists were engaged, and law enforcement authorities notified.
The system operates 142 hospitals with 2,200 care sites across 21 states that generated $34.4 billion of revenue in fiscal 2021.
“Due to the on-going investigation and response to this incident, the system is unable to predict or project with certainty the financial and operational impact on the system, taken as whole. There can no assurance that this matter will not adversely affect the financial condition or operations of the system, taken as a whole,” the supplement says.
The three graphs were added under the heading “cybersecurity risks” included in “Bondholders’ Risks.” The original disclosure notes a number of entities have undertaken highly sophisticated efforts to electronically circumvent network security as well as more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access for the propose of misappropriating assets or information or cause operational disruptions.
The FBI has expressed concern that health systems are a prime target due to the mandatory electronic transition of medical records and high payouts for medical records in the black market, the disclosure says.
The potential fiscal costs include potential regulatory fines and penalties, liability for remediating the breaches, reputational damage, and business losses.
While CommonSpirit joins many other borrowers in dealing with such an attack, it’s ill-timed given the upcoming sale and shines a light on the growing risks governments and not-for-profits face.
“The timing of this cyber event was not optimal for sure. It does not appear as though it is going to play a role in the timing of the transaction, but it is definitely something that will be at the forefront of investors’ minds when assessing the credit,” Tom Kozlik, head of municipal research and analytics at Hilltop Securities Inc. said.
“Investors will want to know the latest status, what management is dealing with, and will likely want regular updates,” he said.
“Cyber-security and preparedness for cyberattacks is at the forefront of all public finance entities at this point. It cannot be avoided,” Kozlik said.
The taxable piece which is nearly all refunding will offer tranches in five, 10 and 30-year maturities with make-whole provisions. The new-money tax-exempt portion is tentatively expected to be divided between a long term 2052 maturity and possibly put bonds. The structure is dependent on market conditions.
The refinancing will bolster cash days on hand and cash and investments available to $16.8 billion from $16.2 billion. The new money will bring the system’s overall debt load to nearly $16 billion.
“After a very solid start to fiscal 2022, performance in the third and fourth quarter dropped off markedly,” Daniel Morissette, chief financial officer, said during an investor call on fiscal 2022 results and the bond sale.
The results tracked those seen across the sector as hospitals dealt with labor shortage-related costs, inflation, longer length of stays and an end to federal COVID-19 provider relief funds that had provided support. Expenses rose by 10%.
In its investor presentation, the system outlined positive balance sheet developments including $530 million in net proceeds from the sale of Iowa-based MercyOne and $390 million from a new California provider fee program.
The system has achieved $1.3 billion of $2 billion in targeted cost savings originally promoted as a benefit of the 2019 merger. Officials said its 8% operating goal might take longer than anticipated to achieve given the current operating struggles across the sector. Debt restructuring achieved a consolidated credit has resulted in hundreds of millions in present value and cash flow savings.
Labor remains the most acute challenge especially on the nursing front and the system has stepped up recruitment and other initiatives to retain nurses.
The system has set a goal of 2040 to achieve a net zero status on greenhouse emissions aiming to cut in half those emissions by 2030 from a baseline established in 2019. Emissions have been lowered 6% since 2019. In August, Wright Lassiter III took over as chief executive officer replacing Lloyd H. Dean, who retired.
Fitch looked beyond thefiscal 2022 operating loss in raising the rating.
“Fitch believes that CommonSpirit is still positioned to build on fiscal 2021’s improvements and make demonstrable progress toward its longer-term financial goal of achieving” its 8% target within four years, Fitch said. The system saw a margin of 8.7% in 2021.
The “significant improvements in unrestricted cash and liquidity levels…should continue during fiscal 2023, which support today’s upgrade to A-minus,” Fitch analysts wrote.
“The A-minus rating further reflects our view of CommonSpirit’s significant scale and leverage opportunities, healthy pro forma cash on hand, achievement of break-even operations in fiscal 2021, and adequate pro forma maximum annual debt service coverage in recent years,” S&P analyst Suzie Desai said.
“The Baa1 rating reflects the expectation that operating results will improve in 2023 following a more challenged 2022, that debt measures will improve over time, and that liquidity will not decline below current levels” excluding the repayment of Medicare Advance Payments and deferred payroll tax, Moody’s said.