An event study of data breaches and hospital IT spending

Abstract

Patient data breaches are a serious concern to hospital administrators. We investigated the changes in hospital health information technology spending subsequent to a data breach. U.S. hospitals are required to notify the Department of Health and Human Services following a significant breach of protected health information. The relationship between a data breach and health information technology spending was estimated using a difference-in-differences regression. We estimated changes in health information technology spending from two years before a breach to three years after a breach. The California Office of Statewide Health Planning and Development data provided hospital characteristics and financial variables. The Department of Health and Human Services provided the reported date of hospital data breaches. Datasets were merged for years 2012 to 2016. The study sample included general acute care hospitals with 100 or more licensed beds, yielding an unbalanced panel of 245 hospitals with 1,130 unique hospital-year observations. The breached group had 147 hospital-years and the control group had 983 hospital-years. Health information technology spending was associated with a 26.0% increase at one year after the breach. Specifically, data breaches were associated with a short-run increase in health information technology capital spending, and a long-run increase in health information technology labor spending. Our results indicate that data breaches are associated with higher health information technology spending. This may be attributed to capital and labor spending to improve security and remedy the damages due to a data breach.