According to a recent examination of public and proprietary information between 2010 and 2022, hospitals in U.S. merger agreements were two times more likely to announce a data breach in the year before and after completion.

Data breaches within the two-year contract window have a likelihood of around 6%, according to research undertaken by a PhD student at the University of Texas at Dallas. Outside of that time frame, the likelihood of a data breach at those same hospitals was 3%.

The study author, Nan Clement, stated that the period leading up to and after a merger deal has been shown to be quite risky. There are two distinct outcomes that might happen before and after the sale closes, both of which pose a higher risk.

Outcomes of Hospital Mergers

  • The first outcome happens prior to the closing, when hackers have more information to work with because of the flood of publicly available data on the hospitals and the purchasers. 
  • There was a 1.98 percentage point spike in hacking incidents over this time period, which corresponded with hospital consolidation.
  • According to Clement’s analysis, interest in the merger would peak about eight months before the official signing date, which is consistent with previous studies showing that hackers frequently utilize Google to locate possible targets.
  • In the second high-risk window, hospitals spend considerable time integrating their IT infrastructure. 
  • Clement discovered here that there was an increase of 1.62 percentage points in data breaches caused by incompatibilities across EHR systems.

Clement’s study found that, beyond the larger risks over the two-year merger period, a rise in hacking events rather than insider fraud breaches is the primary driver of the increase in data breaches throughout the merger phases.

The data also revealed an uptick in ransomware attacks on hospitals – which may result in potentially life-threatening interruptions to patient care – both overall and particularly in the year leading up to the closing date.

Clement also discovered proof that a hospital’s organizational capital influenced the danger of a data leak during a merger. The likelihood of a data breach was lower for purchased hospitals that weren’t in financial crisis, those that had a publicly owned purchaser, and, in particular, for publicly owned hospitals being purchased.

According to the Office for Civil Rights, there were almost 300 breaches in the healthcare industry in the first half of 2023, impacting over 39 million people. In 2022, the average cost of a data breach to a healthcare business was $10.1 million, a 9.4% rise from 2021 and far more than the mean cost for any other industry.
