Data breaches in hospitals disrupt care, potentially leading to fatal consequences, violating privacy rights, and incurring significant costs to remedy. Mergers and acquisitions serve as an essential source of financing but also induce substantial management challenges. Using proprietary hospital merger records and archived data breach reporting from the Department of Health and Human Services from 2010 to 2022, I implement a stacked difference-in-differences estimation strategy to study whether and how hospital mergers increase the probability of a data breach. On average, the probability of a data breach in two years for pre-merger deals is approximately 3%, while for the hospitals undergoing the merging process, the data breach rate reaches 6%. The effect is robust to changes of the two-year window. The effect is robust in alternative control group constructions. The effect is also robust to the changes in sample size due to the data availability of the control variables and in how standard errors are clustered. Increased attention online one year before the merger deal is signed, identified with Google Trends score, causes a large increase in pre-signing hacks, especially in recent years through ransomware attacks. Such an effect does not extend to the post-signing period. The increase in post-signing hacks is due to the incompatibility of merging information systems. More complicated information system integration in multi-hospital systems leads to greater elevated post-signing breaches. Conversely, the complementary effect of organizational capital that improves internal risk control reduces the increase in data breaches. For example, mergers involving publicly traded hospitals can experience a decrease in data breaches during mergers. The dynamic analysis shows that the data breach situation during mergers is getting worse because of soaring cases of hacks, even though insider misconduct has become less of a problem since 2014. Recent post-signing hacks exhibit shorter attack cycles compared to conventional malware attacks. These faster cycles catch unprepared hospitals off guard before hospitals get integration in order.

Cloud services exist under a shared security environment; both cloud services providers (CSPs) and users contribute to overall security. We investigate the nature of shared security in a dynamic game where users' security contributions and cloud usage figure into their CSP's vulnerability. Furthermore, CSPs' own security contribution takes into account both their users as well as competition with other CSPs. The Markov Perfect Equilibrium reveals the long-term time patterns of security of the cloud. In particular, we identify a novel form of time-path strategic complementary between usage and a CSP's Markov state of security. This implies that cloud security is an unusual form of impure public good whereby individual contributions bolstering a CSP's security endow a selective incentive (private benefit) on others, rather than only providing a selective incentive to the contributors themselves. Since this increases usage, CSP vulnerability increases over time. At the same time, the CSPs' competition with security may lead to a welfare improvement, but the lock-in effect of security on the platforms shapes the CSP's security investment and, eventually, the security results.