Technical Report
Data breach notification required by federal and state regulators has reduced information asymmetry on the effectiveness of information security programs. While pervasive media coverage of data breaches likely tarnishes an organization's reputation, there is little empirical evidence that shows how consumers react to such organizational failures. Focusing on the healthcare sector as one of the most information-intensive service industries, this paper investigates consumer reaction to data breaches by examining changes in patient visits consequent to breaches. Using a propensity score matching technique, we analyze a matched sample of 761 U.S. hospitals. We investigate how data breaches affect subsequent outpatient visits and admissions, accounting for the geography-based competition within a Core Based Statistical Area (CBSA). We find that while data breaches do not affect patients' short-term choices, the cumulative effect of breach events over a three-year period significantly decreases the number of outpatient visits and admissions. Similarly, the cumulative number of breached records is negatively associated with outpatient visits and admissions. Further, the cumulative effects in competitive markets are significantly larger than those in non-competitive markets, which are insignificant. Our findings provide policy insights on effective security programs that induce providers to invest in security as they would for other market-based, brand-building initiatives.