Researcher explores effect of hospital mergers on data breaches

The period during and after hospital mergers and acquisitions is an especially vulnerable time for patient data when the chance of a cybersecurity breach more than doubles, according to research by a University of Texas at Dallas doctoral student.

Just the announcement of a merger is enough to trigger increased data breaches, said Nan Clement, a Ph.D. candidate in economics in the School of Economic, Political and Policy Sciences.

Clement analyzed hospital merger records and archived data breach reporting from the Department of Health and Human Services from 2010 to 2022 and discovered that in a two-year window around hospital consolidation—one year before a deal is closed and one year after—the probability of data breaches in merger targets, buyers and sellers more than doubled.

The probability of a data breach during the two-year window was 6%, compared with a 3% probability of a data breach for hospitals that merged over the course of the data set, but were not within the two-year window.

"The time leading up to and following the merger deal-signing is indeed a riskier period," Clement said.

In July in Geneva, Clement presented her research in a peer-reviewed paper at The 22nd Workshop on the Economics of Information Security, a forum for interdisciplinary scholarship on information security and privacy. Her work was singled out for the Best Paper Award.

Clement said that while it is common knowledge in the cybersecurity and health care industries that mergers are a sensitive time for data vulnerabilities, the effect she found is dramatic.

"Mergers are a time that we should focus on and work toward security solutions," she said.

Dr. Daniel G. Arce, Ashbel Smith Professor and program head of economics, said Clement's research is important because it delves into the causes of cybersecurity breaches, rather than just correlations.

"Now that ransomware has become a big-game hunting phenomenon, and hospitals are in the crosshairs, lives are in the balance," said Arce, who is Clement's Ph.D. advisor.

Clement also found that hacking and insider misconduct increased when a hospital merger or acquisition was announced, even before any agreements were signed or consolidation of resources began. Using data from Google Trends, she found a connection between increases in searches for a target hospital's name with increases in hacking activity, which she said might be linked to increased media attention on the affected hospitals.

Incompatibility between the two hospitals' information systems also can lead to hacking vulnerabilities.

"When you merge two information systems, that's a time hackers can take advantage," Clement said. "Although most hospitals use electronic medical record (EMR) systems, they might come from different vendors and have different features."

Ransomware attacks, which disrupt health care services, occur more frequently during this period of time as well, she noted, and understanding the reasons for large-scale data breaches in the health care industry is particularly important to avoid public health emergencies and maintain financial market stability.

"Hospitals are critical infrastructure that touches every American," Clement said. "What if there's a critical surgery needed, but suddenly there's a ransomware attack, and everything is down, and the next-nearest hospital is 100 miles away?" she said. "I'm focused on finding best practices for protecting hospital data from ransomware attacks and hacking, but, unfortunately, I don't think we can 100% prevent data breaches or hacking activities."