The healthcare sector is a prime target for data breaches. According to a summary by the HIPAA Journal, 32% of all data breaches between 2015 and 2022 were in the healthcare sector, “almost double the number recorded in the financial and manufacturing sectors.” Industry analysts cite to many reasons for this, including the sensitivity of health data and its value on the black market compared to other forms of data. Evidently, another driver of data breaches for healthcare entities is M&A activity.

A recent study suggests that the likelihood for hospitals to experience a data breach doubles during the year before and after a merger. As some expect an increase in hospital mergers in the coming year, one can expect the number of healthcare data breaches to increase.

According to the research, Nan Clement, a Ph.D. candidate in economics in the School of Economic, Political and Policy Sciences in the University of Texas at Dallas looked at reporting on data breaches from the Office for Civil Rights during the period 2010 to 2022. Based on her analysis, for the two-year period surrounding a transaction closing (one year before and after the closing date), the chances of a data breach was 6%, compared to 3% for hospitals that merged but were outside that two-year period.

The study also looked at some of the potential reasons for this uptick:

• Increase interest from hackers – data from Google Trends showed a “connection between increases in searches for a target hospital’s name with increases in hacking activity” which may stem from increased media attention around the merger.
• Incompatibility of information systems – trying to merge data on different electronic medical record (EMR) platforms.
• Increases in insider misconduct

Another reason may be simply a diversion of focus from the day to day administrative functions at the hospital considering how disruptive a merger can be. The FBI also issued a notification advising that ransomware actors target companies involved in significant, time-sensitive financial events to incentivize ransom payment by victims.

We have discussed here data security issues that can arise in the course of a transaction. For any entity involved in M&A activity, especially in the healthcare sector, it is critical to stay focused and realize that the organization may be more of a target at this time. Heightened awareness by the organization’s information security team and increased training and reminders to staff about phishing and other forms of attack could help avoid a data breach during this more vulnerable period. Additionally, the transacting parties might consider this risk and take appropriate steps during the due diligence stage both to protect against an attack, but also to be prepared to respond should one occur.