Hospitals' risk of data breach doubles just before, after a merger deal, research shows

Between 2010 and 2022, U.S. hospitals on either side of a merger deal were twice as likely to report a data breach in the year before and after close, according to a recent analysis of government and proprietary data.

The peer-reviewed research, conducted by a University of Texas at Dallas doctoral student and presented at a July information security conference, found that the probability of a data breach was about 6% for buyers and sellers within the two-year deal window. Outside of that period, data breach probability was 3% among the same hospitals.

“The time leading up to and following the merger deal-signing is indeed a riskier period,” study author Nan Clement said in a release from the university.

The higher risk period represents two different effects occurring on either side of the deal’s close, Clement wrote in the research paper.

The first that occurs prior to the close is driven by “the vast amount of information released about the target hospitals and the buyers, which reduces information asymmetry on the hackers’ side,” Clement wrote. This period alone accounted for a 1.98 percentage point increase in hacking data breaches during hospital consolidations.

This trend, Clement wrote, aligns with prior research that hackers often use Google to find potential targets, as news of the impending deal would peak “as close as eight months before the merger signing date.”

The second high-risk window captures much of the time that the hospitals are integrating their IT systems. Here Clement found that data breaches due to differences in electronic health record systems rose by 1.62 percentage points.

Outside of the broader risks during the two-year merger window, Clement’s analysis showed that increases in data breaches during merger periods are “primarily driven by a rise in hacking incidents rather than insider misconduct breaches."

Additionally, the analysis showed that ransomware attacks on hospitals—which can lead to dangerous disruptions in patient care—also increased during the two-year window, but to a greater extent during the year prior to close.

Finally, Clement found evidence that the organizational capital of a hospital played a role in their data breach risk during a merger. Acquired hospitals that were not in financial distress, a publicly owned buyer, and in particular, publicly owned hospitals being acquired each had reduced risk of a data breach.

“Considering the rising cybersecurity costs for companies in recent years, the government should provide cybersecurity incident prevention warnings based on the hospital and health system size and market visibility,” Clement wrote. “Best practice managing post-merger information system risk control deserves more policy attention from the healthcare and financial market authorities.”

Clement’s main analysis leveraged cybersecurity breach reports from the Department of Health and Human Services’ Office for Civil Rights (OCR) and hospital merger information from an unnamed proprietary database.

The researcher noted that it represents one of “the first empirical attempts to test what may be a reason that some hospitals have data breaches rather than others,” and implies that merger events “reshape the hackers’ behavior.”

The healthcare sector saw roughly 295 breaches affecting over 39 million individuals during the first half of 2023, according to the OCR. Such breaches cost healthcare organizations an average of $10.1 million each during 2022, a 9.4% increase over 2021 that’s well above the average cost for any other sector of the economy.

In June, regional health network St. Margaret’s Health directly blamed the financial impact of a multi-week ransomware incident from 2021 for its decision to close a rural Illinois hospital. More recent weeks saw hospital chain HCA Healthcare disclose an 11 million-patient data breach, which has also led to several lawsuits from disgruntled patients.