The period during and after hospital mergers and acquisitions is an especially vulnerable time for patient data when the chance of a cybersecurity breach more than doubles, according to research by a University of Texas at Dallas doctoral student.

Just the announcement of a merger is enough to trigger increased data breaches, said Nan Clement, a Ph.D. candidate in economics in the School of Economic, Political and Policy Sciences.

Clement analyzed hospital merger records and archived data breach reporting from the Department of Health and Human Services from 2010 to 2022 and discovered that in a two-year window around hospital consolidation — one year before a deal is closed and one year after — the probability of data breaches in merger targets, buyers and sellers more than doubled. The probability of a data breach during the two-year window was 6%, compared with a 3% probability of a data breach for hospitals that merged over the course of the data set, but were not within the two-year window.
In July in Geneva, Clement presented her research in a peer-reviewed paper at The 22nd Workshop on the Economics of Information Security, a forum for interdisciplinary scholarship on information security and privacy. Her work was singled out for the Best Paper Award.

Clement said that while it is common knowledge in the cybersecurity and health care industries that mergers are a sensitive time for data vulnerabilities, the effect she found is dramatic.

“Mergers are a time that we should focus on and work toward security solutions,” she said.

Clement also found that hacking and insider misconduct increased when a hospital merger or acquisition was announced, even before any agreements were signed or consolidation of resources began. Using data from Google Trends, she found a connection between increases in searches for a target hospital’s name with increases in hacking activity, which she said might be linked to increased media attention to the affected hospitals.

Incompatibility between the two hospitals’ information systems also can lead to hacking vulnerabilities.

“When you merge two information systems, that’s a time hackers can take advantage,” Clement said. “Although most hospitals use electronic medical record systems, they might come from different vendors and have different features.”

Dr. Daniel G. Arce, Ashbel Smith Professor and program head of economics, said Clement’s research is important because it delves into the causes of cybersecurity breaches, rather than just correlations.

“Now that ransomware has become a big-game hunting phenomenon, and hospitals are in the crosshairs, lives are in the balance,” said Arce, who is Clement’s Ph.D. advisor.

Cyber Security Homepage