Currently Viewing:
The American Journal of Managed Care January 2019
The Gamification of Healthcare: Emergence of the Digital Practitioner?
Eli G. Phillips Jr, PharmD, JD; Chadi Nabhan, MD, MBA; and Bruce A. Feinberg, DO
From the Editorial Board: Rajesh Balkrishnan, PhD
Rajesh Balkrishnan, PhD
The Health Information Technology Special Issue: New Real-World Evidence and Practical Lessons
Mary E. Reed, DrPH
Inpatient Electronic Health Record Maintenance From 2010 to 2015
Vincent X. Liu, MD, MS; Nimah Haq, MPH; Ignatius C. Chan, MD; and Brian Hoberman, MD, MBA
Impact of Primary and Specialty Care Integration via Asynchronous Communication
Eric D. Newman, MD; Paul F. Simonelli, MD, PhD; Shelly M. Vezendy, BS; Chelsea M. Cedeno, BS; and Daniel D. Maeng, PhD
Mind the Gap: The Potential of Alternative Health Information Exchange
Jordan Everson, PhD; and Dori A. Cross, PhD
Patient and Clinician Experiences With Telehealth for Patient Follow-up Care
Karen Donelan, ScD, EdM; Esteban A. Barreto, MA; Sarah Sossong, MPH; Carie Michael, SM; Juan J. Estrada, MSc, MBA; Adam B. Cohen, MD; Janet Wozniak, MD; and Lee H. Schwamm, MD
Currently Reading
Understanding the Relationship Between Data Breaches and Hospital Advertising Expenditures
Sung J. Choi, PhD; and M. Eric Johnson, PhD
Alternative Payment Models and Hospital Engagement in Health Information Exchange
Sunny C. Lin, MS; John M. Hollingsworth, MD, MS; and Julia Adler-Milstein, PhD
Drivers of Health Information Exchange Use During Postacute Care Transitions
Dori A. Cross, PhD; Jeffrey S. McCullough, PhD; and Julia Adler-Milstein, PhD

Understanding the Relationship Between Data Breaches and Hospital Advertising Expenditures

Sung J. Choi, PhD; and M. Eric Johnson, PhD
A hospital data breach was associated with a 64% increase in annual advertising expenditures.

Hospital data breaches were associated with a 64% increase in annual hospital advertising expenditures relative to control hospitals, independent of observed hospital and area characteristics, such as bed size, revenue, and number of hospitals in the county. Hospital advertising expenditures were proportional to bed size and also skewed to the right due to relatively few high spenders. The relationship between advertising expenditure and bed size was positive; as seen in the Figure, the slope was positive for bed size up to 1000, then it flattened for bed size above 1500. Larger hospitals may have more market power and, therefore, may not need to spend as much on advertising compared with hospitals in competitive markets.

The descriptive characteristics of the full sample of hospitals in Table 1 showed that the breached hospitals were more likely to be larger teaching hospitals. This is consistent with previous studies that have described breached hospitals.27,28 The risk of a data breach increases with the size of the organization, as larger organizations tend to have more points of entry that are vulnerable to attackers (ie, more health IT infrastructure and devices that could be hacked, lost, or stolen).29 Additionally, teaching hospitals serve as an environment for education and, therefore, may have more interactions among clinicians that involve patient data in that capacity.

Propensity score matching adjusted for the potential sample selection bias due to observable differences between the breached and control hospitals.20-23 The SMDs between the breached and control groups were mostly below 0.1, indicating a reasonable balance between the groups, yet the difference in mean advertising expenditures between the breached and control hospitals remained in the matched sample.

Using the matched sample, the GLM model estimated that a breached hospital spent 64% more on annual advertising expenditures than a control hospital. Similarly, a breached hospital spent 79% more on 2-year advertising expenditures than a control hospital. The estimated relationship is multiplicative, which means that the annual advertising spending of breached hospitals was 1.64 times larger (2-year spending was 1.79 times larger) relative to control hospitals, independent of hospital characteristics such as bed size. Given the negative operating margins of the hospitals in this study (Tables 1 and 2), increased advertising spending associated with a data breach may divert resources and attention away from patient care.

Market competition is likely to confound the relationship between data breaches and advertising expenditure.30 Each additional short-term general hospital in a county was associated with an 8.1% increase in annual advertising expenditures, or a 17.3% increase in 2-year advertising expenditures (Table 3).

The data breaches studied in this paper were reported from 2011 to 2014, when ransomware attacks were rare. These types of attacks on hospitals emerged in 2016 and have become a serious threat to care delivery systems.31 They are considered to be more disruptive to hospitals than the breaches considered in this study, and, thus, ransomware may be associated with even larger advertising spending.

It should be noted that the findings of this study are limited to reported data breaches that affected more than 500 individuals. Smaller breaches involving fewer than 500 individuals are not published in the HHS database; however, there is a nontrivial number of such breaches that are reported to HHS.32 Smaller breaches are not subject to reporting and remediation actions and, therefore, are less likely to draw patient attention or motivate increased advertising.

To our knowledge, this paper is the first step in studying the relationship between data breaches and hospital expenditures with empirical data. The costs associated with breaches are not readily captured in hospital financial disclosures. Subsequent to a data breach, remediation efforts and corrective actions usually take 2 to 3 years to implement.33,34 The long time span over which remediation efforts are implemented adds to the challenge of attributing the costs of a breach to quarterly or annual financial data. An effective public relations response to a data breach is likely to begin soon after the breach is disclosed to the public. The timeliness of advertising expenditure data allowed us to overcome measurement challenges.


We found that breached hospitals were associated with significantly higher advertising expenditures. Repairing the affected hospital’s image and minimizing patient loss to competitors are potential drivers of the increased spending. Regardless of the motivation, breach response adds financial burden to hospitals and the healthcare system. Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality. Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.

Author Affiliations: Department of Health Management and Informatics, University of Central Florida (SJC), Orlando, FL; Owen Graduate School of Management, Vanderbilt University (MEJ), Nashville, TN.

Source of Funding: This work was partially supported by a collaborative award from the National Science Foundation, award CNS-1329686.

Author Disclosures: The authors report no relationship or financial interest with any entity that would pose a conflict of interest with the subject matter of this article.

Authorship Information: Concept and design (SJC); acquisition of data (SJC); analysis and interpretation of data (SJC); drafting of the manuscript (SJC); critical revision of the manuscript for important intellectual content (SJC, MEJ); statistical analysis (SJC); obtaining funding (MEJ); administrative, technical, or logistic support (MEJ); and supervision (MEJ).

Address Correspondence to: Sung J. Choi, PhD, Department of Health Management and Informatics, University of Central Florida, 4364 Scorpius St, Orlando, FL 32816. Email:

1. Breach Notification Rule. HHS website. Published July 26, 2013. Accessed September 22, 2016.

2. Breach portal: notice to the Secretary of HHS breach of unsecured protected health information. HHS website. Accessed September 22, 2016.

3. Data breaches. Privacy Rights Clearinghouse website. Accessed September 1, 2017.

4. Town RJ, Currim I. Hospital advertising in California, 1991-1997. Inquiry. 2002;39(3):298-313. doi: 10.5034/inquiryjrnl_39.3.298.

5. Rosenthal E. Ask your doctor if this ad is right for you. The New York Times. February 27, 2016. Accessed September 22, 2016.

6. Vater LB, Donohue JM, Park SY, Schenker Y. Trends in cancer-center spending on advertising in the United States, 2005 to 2014. JAMA Intern Med. 2016;176(8):1214-1216. doi: 10.1001/jamainternmed.2016.0780.

7. American Society of Clinical Oncology. The state of cancer care in America, 2017: a report by the American Society of Clinical Oncology. J Oncol Pract. 2017;13(4):e353-e394. doi: 10.1200/JOP.2016.020743.

8. Vater LB, Donohue JM, Arnold R, White DB, Chu E, Schenker Y. What are cancer centers advertising to the public? a content analysis. Ann Intern Med. 2014;160(12):813-820. doi: 10.7326/M14-0500.

9. 2018 ad awards winners. Hospital Marketing National Southeast website. Accessed June 2, 2018.

10. 2017 ad award winners. Hospital Marketing National Southeast website. Accessed June 2, 2018.

11. Freeman L. Anthem settles a security breach lawsuit affecting 80M. USA Today. June 26, 2017. Accessed December 5, 2018.

12. Landi H. St. Joseph Health settles class action data breach lawsuit. Healthcare Informatics Institute website. Published March 16, 2016. Accessed September 11, 2018.

13. Romanosky S. Examining the costs and causes of cyber incidents. J Cybersecurity. 2016;2(2):121-135. doi: 10.1093/cybsec/tyw001.

14. Ponemon Institute. 2016 Cost of Data Breach Study: United States. Traverse City, MI: Ponemon Institute; 2016.

15. Kwon J, Johnson ME. The market effect of healthcare security: do patients care about data breaches? Workshop on the Economics of Information Security website. Published 2015. Accessed September 22, 2016.

16. The Voicetrak Report. Voicetrak website. Accessed September 10, 2018.

17. Cost reports. CMS website. Updated October 26, 2018. Accessed September 10, 2018.

18. Area Health Resources Files: county level data: SAS format. Health Resources and Services Administration website. Accessed September 11, 2018.

19. Mutter RL, Wong HS, Goldfarb MG. The effects of hospital competition on inpatient quality of care. Inquiry. 2008;45(3):263-279. doi: 10.5034/inquiryjrnl_45.03.263.

20. Rosenbaum PR, Rubin DB. The central role of the propensity score in observational studies for causal effects. Biometrika. 1983;70(1):41-55. doi: 10.1093/biomet/70.1.41.

21. Rosenbaum PR, Rubin DB. Constructing a control group using multivariate matched sampling methods that incorporate the propensity score. Am Stat. 1985;39(1):33-38. doi: 10.1080/00031305.1985.10479383.

22. Heckman JJ, Ichimura H, Todd PE. Matching as an econometric evaluation estimator: evidence from evaluating a job training programme. Rev Econ Stud. 1997;64(4):605-654. doi: 10.2307/2971733.

23. Dehejia RH, Wahba S. Causal effects in nonexperimental studies: reevaluating the evaluation of training programs. J Am Stat Assoc. 1999;94(448):1053-1062. doi: 10.1080/01621459.1999.10473858.

24. Austin PC. An introduction to propensity score methods for reducing the effects of confounding in observational studies. Multivariate Behav Res. 2011;46(3):399-424. doi: 10.1080/00273171.2011.568786.

25. Sekhon JS. Multivariate and propensity score matching software with automated balance optimization: the matching package for R. J Stat Softw. 2011;42(7):127-210. doi: 10.18637/jss.v042.i07.

26. Basu A, Manning WG. Issues for the next generation of health care cost analyses. Med Care. 2009;47(7)(suppl 1):S109-S114. doi: 10.1097/MLR.0b013e31819c94a1.

27. Bai G, Jiang JX, Flasher R. Hospital risk of data breaches. JAMA Intern Med. 2017;177(6):878-880. doi: 10.1001/jamainternmed.2017.0336.

28. Gabriel MH, Noblin A, Rutherford A, Walden A, Cortelyou-Ward K. Data breach locations, types, and associated characteristics among US hospitals. Am J Manag Care. 2018;24(2):78-84.

29. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473. doi: 10.1001/jama.2015.2252.

30. Gaynor MS, Hydari MZ, Telang R. Is patient data better protected in competitive healthcare markets? Presented at: 33rd International Conference on Information Systems; December 16-19, 2012; Orlando, FL. Accessed September 11, 2018.

31. Hospitals are hit with 88% of all ransomware attacks. Becker’s Hospital Review website. Published July 27, 2016. Accessed January 20, 2017.

32. Heubusch K. Little breaches: OCR releases first “small breach” data. J AHIMA. 2011;82(10):56-57.

33. University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities [news release]. Washington, DC: HHS; July 7, 2011. Accessed September 11, 2017.

34. Advocate Health Care settles potential HIPAA penalties for $5.55 million. HHS website. Published August 4, 2016. Accessed September 11, 2017.
Copyright AJMC 2006-2020 Clinical Care Targeted Communications Group, LLC. All Rights Reserved.
Welcome the the new and improved, the premier managed market network. Tell us about yourself so that we can serve you better.
Sign Up