
Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As

The risk of a data breach at hospitals doubles in the year before and after mergers and acquisitions (M&As), according to a recent study by University of Texas at Dallas PhD candidate Nan Clement.

Clement analyzed data breach data from the HHS’ Office for Civil Rights (OCR) from 2010 to 2022 and compared the reported data breaches to M&A records over the same period. The probability of a data breach was 3% for hospitals that merged over the analyzed period, but the risk doubled to 6% for merger targets, buyers, and sellers over a two-year period: one year before and one year after the deal was closed. Clement also found that incidents involving hacking and insider misconduct increased when a hospital merger or acquisition was announced. Google Trends data showed an increase in searches for the target hospital’s name following the announcement, and a connection was found with hacking activity.

Hacking and ransomware attacks were found to occur more frequently during the two-year window around M&As. At such a sensitive time, cybercriminals may feel that there is a higher probability that ransom demands will be paid. There may also be an increase in vulnerabilities that can be exploited due to incompatibilities between the two hospitals’ information systems. Those vulnerabilities, and mistakes by employees, could easily be exploited by cybercriminals. The Federal Bureau of Investigation previously issued a warning to companies that hackers, and especially ransomware groups, often use significant financial events such as M&As to target companies, as it gives them more leverage. Clement also found an increase in insider misconduct during the two-year period around M&As.

According to the recently published Cost of a Data Breach Study by IBM Security, healthcare data breaches now cost almost $11 million per incident, more than data breaches in any other sector. The HHS’ Office for Civil Rights breach portal data shows there has been a massive increase in hacking incidents in the past few years. “Given the significant cost of data breaches, it is crucial for hospital managers, cybersecurity experts, and health, defense, and finance authorities to work together to enhance cybersecurity measures in hospitals,” suggests Clement in the paper. Clement found that mergers involving publicly traded hospitals often experience a decrease in data breaches during mergers. “Hospital managers should consider adopting the risk management processes commonly employed by professional investors and publicly traded hospitals. This integration of risk management practices can lead to improved overall organizational capital for protecting the hospitals.”

The findings from the peer-reviewed paper, M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented at the 22nd Workshop on the Economics of Information Security in Geneva last month.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
