As data breaches become an increasingly common risk, they are now a matter of “when” rather than “if.” While there has been active research on breaches, much of the work has focused on the antecedents and prevention of breaches, leaving the quantitative ramifications and variations in breach impact relatively unexplored. To address this gap, our study quantifies the impact of breaches on operational performance and identifies how operational, technological, and market factors moderate the impact. Using a quasi-experimental design with a difference-in-differences technique and propensity score matching, we analyzed a matched sample of 1,766 US hospitals, consisting of 883 breached hospitals and their non-breached peers from 2010 to 2017. We find that breached hospitals experience a 2.1% reduction in hospital admissions and a 0.28% decrease in market share. Moreover, network affiliation, decentralized governance, and cloud-based information technology services negatively moderate breach impacts, while IT security systems for detection, identity governance, and recovery provide mitigating effects. Additionally, we find that breaches in one hospital spillover to affect non-breached hospitals in the same local market. Our findings contribute to the operations management and security literature and provide managerial insights for enhancing breach resilience. Understanding these moderating factors can help hospital managers and policymakers formulate tailored mitigation strategies.
AndersonCLAgarwalR (2011) The digitization of healthcare: Boundary risks, emotion, and consumer willingness to disclose personal health information. Information Systems Research22(3): 469–490.
6.
AndritsosDATangCS (2014) Linking process quality and resource usage: An empirical analysis. Production and Operations Management23(12): 2163–2177.
7.
AngstCMBlockESD'ArcyJ, et al. (2017) When do it security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly41(3): 893–916.
8.
AugustTNiculescuMFShinH (2014) Cloud implications on software network structure and security risks. Information Systems Research25(3): 489–510.
9.
AutorDH (2003) Outsourcing at will: The contribution of unjust dismissal doctrine to the growth of employment outsourcing. Journal of Labor Economics21(1): 1–42.
10.
BarthelemyJ (2001) The hidden costs of it outsourcing. MIT Sloan Management Review42(3), 60.
11.
BazzoliGJShortellSMDubbsN, et al. (1999) A taxonomy of health networks and systems: Bringing order out of chaos. Health Services Research33(6): 1683–1717.
12.
BensoussanAMookerjeeVYueWT (2020) Managing information system security under continuous and abrupt deterioration. Production and Operations Management29(8): 1894–1917.
13.
BroughARNortonDASciarappaSL, et al. (2022) The bulletproof glass effect: Unintended consequences of privacy notices. Journal of Marketing Research59(4): 739–754.
14.
BurnsAJRobertsTLPoseyC, et al. (2022) Going beyond deterrence: A middle-range theory of motives and controls for insider computer abuse. Information Systems Research34(1): 342–362.
15.
CallawayBSant'AnnaPHC (2021) Difference-in-differences with multiple time periods. Journal of Econometrics225(2): 200–230.
16.
CampbellKGordonLLoebM, et al. (2003) The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security11(3): 431.
17.
CezarACavusogluHRaghunathanS (2017) Sourcing information security operations: The role of risk interdependency and competitive externality in outsourcing decisions. Production and Operations Management26(5): 860–879.
18.
CherkeslyMRancourtMESmilowitzKR (2019) Community healthcare network in underserved areas: Design, mathematical models, and analysis. Production and Operations Management28(7): 1716–1734.
CramWAD'ArcyJProudfootJG (2019) Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quarterly43(2): 525–554.
21.
DingSMKaminskyPM (2020) Centralized and decentralized warehouse logistics collaboration. Manufacturing & Service Operations Management22(4): 812–831.
22.
EftekhariSYaraghiNGopalRD, et al. (2023) Impact of health information exchange adoption on referral patterns. Management Science69(3): 1615–1638.
23.
FianuESAhelegbeyDFGrossiL (2022) Modeling risk contagion in the Italian zonal electricity market. European Journal of Operational Research298(2): 656–679.
24.
FloresWRAntonsenEEkstedtM (2014) Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security43: 90–110.
25.
Gabbay-BenzivRBen-NatanMRoguinA, et al. (2023) When the lights go down in the delivery room: Lessons from a ransomware attack. International Journal of Gynecology & Obstetrics162(2): 562–568.
26.
Gal-OrEGhoseA (2005) The economic incentives for sharing security information. Information Systems Research16(2): 186–208.
27.
GonçalvesPFerrariPCrivelliL, et al. (2023) Model-informed health system reorganization during emergencies. Production and Operations Management32(5): 1323–1344.
28.
Goodman-BaconA (2021) Difference-in-differences with variation in treatment timing. Journal of Econometrics225(2): 254–277.
GuhaSKumarS (2018) Emergence of big data research in operations management, information systems, and healthcare: Past contributions and future roadmap. Production and Operations Management27(9): 1724–1735.
31.
GuoPFTangCSWangYL, et al. (2019) The impact of reimbursement policy on social welfare, revisit rate, and waiting time in a public healthcare system: Fee-for-service versus bundled payment. Manufacturing & Service Operations Management21(1): 154–170.
32.
HairJFTathamRLAndersonRE, et al. (2005) Multivariate Data Analysis (6th ed.). Upper Saddle River, NJ: Prentice Hall.
33.
HeckmanJJIchimuraHToddPE (1997) Matching as an econometric evaluation estimator: Evidence from evaluating a job training programme. Review of Economic Studies64(4): 605–654.
34.
HerathHSBHerathTC (2008) Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems25(3): 337–375.
HoehleHVenkateshVBrownSA, et al. (2022) Impact of customer compensation strategies on outcomes and the mediating role of justice perceptions: A longitudinal study of target's data breach. MIS Quarterly46(1): 299–340.
37.
HolmstromBMilgromP (1991) Multitask principal agent analyses—Incentive contracts, asset ownership, and jog design. Journal of Law Economics & Organization7: 24–52.
38.
HuXXGurnaniHWangL (2013) Managing risk of supply disruptions: Incentives for capacity restoration. Production and Operations Management22(1): 137–150.
39.
ImbensGWWooldridgeJM (2009) Recent developments in the econometrics of program evaluation. Journal of Economic Literature47(1): 5–86.
40.
JayaramanVNarayananSLuoYD, et al. (2013) Offshoring business process services and governance control mechanisms: An examination of service providers from India. Production and Operations Management22(2): 314–334.
41.
KimDJFerrinDLRaoHR (2008) A trust-based consumer decision-making model in electronic commerce: The role of trust, perceived risk, and their antecedents. Decision Support Systems44(2): 544–564.
42.
KimSHKwonJ (2019) How do EHRs and a meaningful use initiative affect breaches of patient information?Information Systems Research30(4): 1184–1202.
43.
KoxHStraathofB (2014) Economic Aspects of Internet Security. CPB Background Document.
44.
KumarSMallipeddiR (2022) Impact of cybersecurity on operations and supply chain management emerging trends and future research directions. Production and Operations Management31(12): 4488–4500.
45.
KumarSQiuLFSenA, et al. (2022) Putting analytics into action in care coordination research: Emerging issues and potential solutions. Production and Operations Management31(6): 2714–2738.
46.
KwonJJohnsonME (2013) Health-care security strategies for data protection and regulatory compliance. Journal of Management Information Systems30(2): 41–65.
47.
KwonJJohnsonME (2014) Proactive versus reactive security investments in the healthcare sector. MIS Quarterly38(2): 451–454.
48.
KwonJJohnsonME (2018) Meaningful healthcare security: Does “meaningful-use” attestation improve information security performance?MIS Quarterly, 42(4), 1043–10+.
49.
LuLXLuSF (2018) Distance, quality, or relationship? Interhospital transfer of heart attack patients. Production and Operations Management27(12): 2251–2269.
50.
MajchrzakAJarvenpaaSLBagherzadehM (2015) A review of interorganizational collaboration dynamics. Journal of Management41(5): 1338–1360.
51.
MassiminoBGrayJVLanYC (2018) On the inattention to digital confidentiality in operations and supply chain research. Production and Operations Management27(8): 1492–1515.
52.
McConnellCR (2020) Hospitals and Health Systems: What They and How They Work. Burlington, MA: Jones & Bartlett Learning.
53.
McCulloughJSParenteSTTownR (2016) Health information technology and patient outcomes: The role of information and labor coordination. Rand Journal of Economics47(1): 207–236.
54.
MockerMWeillPWoernerSL (2014) Revisiting complexity in the digital age. MIT Sloan Management Review55(4): 73–81.
55.
NaultBR (1998) Information technology and organization design: Locating decisions and information. Management Science44(10): 1321–1335.
56.
NeprashHTMcGlaveCCRydbergK, et al. (2024) What happens to rural hospitals during a ransomware attack? Evidence from Medicare Data. Journal of Rural Health40(4): 728–737.
57.
OhJHZhengZQBardhanIR (2018) Sooner or later? Health information technology, length of stay, and readmission risk. Production and Operations Management27(11): 2038–2053.
58.
RadanlievPDe RoureD (2022) Advancing the cybersecurity of the healthcare system with self-optimising and self-adaptative artificial intelligence (part 2). Health and Technology12(5): 923–929.
59.
RosenbaumPR (2002) Covariance adjustment in randomized experiments and observational studies. Statistical Science17(3): 286–304.
60.
SchmidtWRamanA (2022) Operational disruptions, firm risk, and control systems. Manufacturing & Service Operations Management24(1): 411–429.
61.
SenRChoobinehJKumarS (2020) Determinants of software vulnerability disclosure timing. Production and Operations Management29(11): 2532–2552.
62.
SinghKCDTerwieschC (2011) The effects of focus on performance: Evidence from California hospitals. Management Science57(11): 1897–1912.
63.
SomanchiSAdjeridIGrossR (2022) To predict or not to predict: The case of the emergency department. Production and Operations Management31(2): 799–818.
64.
SoniPPradhanJPalAK, et al. (2023) Cybersecurity attack—Resilience authentication mechanism for intelligent healthcare system. IEEE Transactions on Industrial Informatics19(1): 830–840.
65.
StraubDWWelkeRJ (1998) Coping with systems risk: Security planning models for management decision making. MIS Quarterly22(4): 441–469.
66.
TangQWhinstonAB (2020) Do reputational sanctions deter negligence in information security management? A field quasi-experiment. Production and Operations Management29(2): 410–427.
67.
TiwanaAKimSK (2015) Discriminating it governance. Information Systems Research26(4): 656–674.
68.
TuckerAL (2004) The impact of operational failures on hospital nurses and their patients. Journal of Operations Management22(2): 151–169.
69.
WillisonRWarkentinM (2013) Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly37(1): 1–20.
70.
WooldridgeJM (2010) Econometric Analysis of Cross Section and Panel Data. 2nd ed.Cambridge, MA: MIT Press.
71.
XueLRayGGuB (2011) Environmental uncertainty and it infrastructure governance: A curvilinear relationship. Information Systems Research22(2): 389–399.
72.
YangMWJacobVSRaghunathanS (2021) Cloud service model's role in provider and user security investment incentives. Production and Operations Management30(2): 419–437.
73.
YaraghiN (2016) Hackers, Phishers, and Disappearing Thumb Drives: Lessons Learned from Major Health Care Data Breaches. Brookings: The Brookings Institution.
74.
ZhangZNanGFTanY (2020) Cloud services vs. on-premises software: Competition under security risk and product customization. Information Systems Research31(3): 848–864.
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
