The death rate among heart attack patients increased in the months and years afterward at hospitals that experienced a data breach. 

According to a study published in Health Services Research, the increased mortality is attributed to how healthcare systems adjust their cybersecurity after an attack, not because of the hackers. 

The aim of the study was to estimate the long-term relationship between breach remediation and care quality. Researchers analyzed a panel of nonfederal acute-care inpatient hospitals from 2012 to 2016 to evaluate patient outcomes and timeliness of care in the years sequent to a breach. The final study panel consisted of 3025 hospitals with 14,297 hospital-year observations. Within those hospitals, there were a total of 311 breaches, including:

  • Hacking/IT Incident - 44 incidents
  • Improper Disposal - 6 incidents
  • Loss - 60 incidents
  • Multibreach -6 incidents
  • Other - 13 incidents
  • Theft - 66 incidents
  • Unauthorized Access/Disclosure - 112

A total of 14,026,697 individuals were affected in the breaches. 

Hospital data breaches were associated with higher 30-day Acute myocardial infarction (AMI) mortality rates in the years following a breach. Over the past few years, overall improvements in AMI treatment have resulted in the 30-day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014, says the report. On average, a data breach at a nonfederal acute-care inpatient hospital was associated with an additional 23-36 death per 10,000 AMI discharges per year. 

Health data breaches have significant consequences for patients, providers and payers and contribute to quality of care problems, notes the report. In its conclusion, the study states, "Protecting health information is an important responsibility of all parties in the healthcare industry. Our results indicate that breaches and the subsequent HHS-mandated corrective action s and hospital remediation may have adverse implications for quality of care. Breaches hospitals should carefully consider remedial security initiatives to limit inadvertent delay and disruptions associated with new processes, procedures and technologies."