The Association between the Breach of Data and Nonprofit Healthcare Entities Donations and Grants

Conference Paper

Abstract

  • In this study, we examine the relationship between reported data breaches and nonprofit healthcare entities’ donations and grants. Unsurprisingly, data breaches are a major concern across global markets as the complexity and bandwidth of information technologies continue to evolve and grow at an extremely fast pace (Cheong, Yoon and Cho 2021; Calderon and Gao 2020). It is well established in the literature that consequential outcomes associated with data breaches include long-lasting financial and reputational losses for organizations (Liu, Huang, and Lucas 2020). For example, Cybersecurity Ventures reports that in 2021 cybercrimes cost companies an estimated six trillion dollars. This amount is expected to reach approximately 11 trillion dollars annually by 2025 (Morgan 2020). As suggested by the Securities and Exchange Commission (SEC), data breaches are one of, if not the, most significant systematic risks facing businesses (SEC 2022). Accounting research echoes this sentiment by suggesting that over the past several years data breaches have become one of the most significant risk challenges for whole nations, industries, and organizations (e.g., Haapamaki and Sihvonen 2019). When looking specifically at industry effects, data breaches are projected to be among the costliest in the health care sector (IBM 2022; Liu, Musen, and Chou 2015). This industry is a target, in large part, for two reasons. First, it has a vast amount of highly confidential and sensitive information that is collected, digitalized, and transmitted electronically (e.g., patients’ health, social security, birth, and financial information). Relatedly, the healthcare industry represents a significant share of the United States (U.S.) gross domestic product at 17.8%, with approximately three trillion dollars spent annually (Lorenze, Olson, and Dull 2017). It is estimated that between 2009 and 2021, over 4,419 healthcare data breaches (of 500 or more records) have been reported.
The number of health records impacted totals a staggering 314 million. This is approximately 94.6% of the 2021 U.S. population (HIPPA 2020). In 2021, the average number of healthcare breaches reported (of 500 or more records) jumped to almost two per day. Forbes (2021) reports that in 2021, approximately 45 million individuals were impacted by healthcare data breaches. Remarkably, while the health care industry is one of, if not the, most desired and vulnerable targets for data breach attacks, we know little about how data breaches are associated with healthcare entities’ accounting at the time of reported breaches. In the current study we investigate this issue. In particular, we look at two specific facets. First, we focus attention on the largest sector within the healthcare industry, the nonprofit sector. This sector represents over 57% of total community hospitals in the U.S. (American Hospital Association 2020) and has a broad reach across heterogeneous populations. Second, we focus attention on the association between reported data breaches and nonprofit healthcare entities’ contributions and grants (a non-patient source of revenue). This allows us to gauge the relationship between the breaches and “more” discretionary (i.e., non-patient) sources of revenue. The motivation for our study comes from two sources. First is the call from the public, legislators, and regulators who are pushing for more transparency and accountability for data breaches. This is especially the case in the healthcare sector, where vast amounts of private information are held. Second is the call for accounting research to enhance our understanding of factors associated with data breaches. Seemingly, if research can find elements associated with data breaches, then legislators and regulators can have a better understanding of the forces that surround data breaches and better align accounting guidance and regulation to improve outcomes.
What is unique in our study is that we are looking outside of the information technology and internal controls framework literature (e.g., Janvrin and Wang 2022). We specifically look at accounting factors (i.e., donations and contributions) associated with reported data breaches. To address our research question, we collect and analyze breach data from Privacy Rights Clearinghouse along with nonprofit hospitals’ tax filings over the period 2010-2018. Our variables of interest include quantifiable measures of data breach: an indicator variable equal to 1 if the entity experiences a data breach in the past two years. Overall, we find that subsequent to a data breach, healthcare entities receive higher donations and/or grants. Our results indicate that a data breach calls for external support and that, responding to those calls, donors increase donations to improve the existing internal control mechanism, or establish a new one, that could potentially reduce the likelihood of a data breach in the future. Our results support the lack of beneficiary separation hypothesis and indicate that donors and/or grantors may expect to be the recipient of the nonprofit’s service at some point in the future. We further find that breached entities strengthen their internal governance by appointing more voting members to their boards.
  • Authors

  • Hossain, Md Safayat
  • Ragland, Linda