EXPRESS: Unraveling the Impact of Data Breaches: Evidence from the U.S. Healthcare Sector

As data breaches become an increasingly common risk, they are now a matter of "when" rather than "if." While there has been active research on breaches, much of the work has focused on the antecedents and prevention of breaches, leaving the quantitative ramifications and variations in breach impact relatively unexplored. To address this gap, our study quantifies the impact of breaches on operational performance and identifies how operational, technological, and market factors moderate the impact. Using a quasi-experimental design with the difference-in-differences technique and propensity score matching, we analyzed a matched sample of 1,766 U.S. hospitals, consisting of 883 breached hospitals and their non-breached peers from 2010 to 2017. We find that breached hospitals experience a 2.1% reduction in hospital admissions and a 0.28% decrease in market share. Moreover, network affiliation, decentralized governance, and cloud-based information technology services negatively moderate breach impacts, while IT security systems for detection, identity governance, and recovery provide mitigating effects. Additionally, we find that breaches in one hospital spill over to affect non-breached hospitals in the same local market. Our findings contribute to the operations management and security literature and provide managerial insights for enhancing breach resilience. Understanding these moderating factors can help hospital managers and policymakers formulate tailored mitigation strategies.