Study: Healthcare data breaches change the way patients seek care
Caitlin Anthoney October 27, 2025
Over the past decade, healthcare has accounted for more than half of all data breaches across industries, according to research on a Machine Learning-Based Framework for Maintaining the Privacy of Healthcare Data. That trend shows no sign of slowing down.
In fact, from January to July 2025 alone, there have been 107 healthcare breaches involving email, according to the Paubox report titled ‘2025 mid-year email breach data reveals there’s no slowing down.’
A new study on The impact of healthcare data breaches on patient hospital visit behavior takes a closer look at what happens after a breach. This study shows that when hospitals fail to protect patient data, people start staying away.
The hidden cost of a breach
The study analyzed data breaches at 12 California hospitals over three years, using hospital visit records to understand how patients react. The researchers found that “patients who experience a healthcare data breach are less likely to visit hospitals in the following months.”
On average, a breach led to a 4.65% reduction in hospital visits. That may seem small, but across thousands of patients, it translates to a serious decline in care. What’s more, the researchers noted that “the impact of a data breach is greater when it is a more severe incident, such as those caused by employees or large-scale breaches.”
These findings show that patients protect their data by avoiding care. For a person managing chronic illness or needing follow-up treatments, that avoidance could come at a cost. As the study explains, “the effect is mitigated when discontinuing hospital visits could harm patients, especially those needing ongoing care for chronic conditions.”
Why healthcare data is so valuable
In industries like retail, leaked information can often be changed; for example, passwords can be reset, and cards can be replaced. In healthcare, it’s different. “Unlike user IDs and passwords that can be leaked from retail data breaches, patients’ health conditions are immutable information.”
The stolen medical records are particularly lucrative for criminals, who can use them “for an extended period for various purposes, including medical fraud and false insurance claims.” These consequences can affect both individuals and organizations.
According to IBM, the average cost of a healthcare data breach is a staggering $9.77 million, compared to $4.35 million in other industries. These costs cover everything from notifying patients to “investing in data security systems and training employees.” Beyond the money, hospitals face reputational damage and legal fallout. As the abovementioned study states, “healthcare data breaches also impact the reputation of healthcare providers and lead to related lawsuits against them.”
Fear, avoidance, and the psychology of protection
The researchers turned to an established model called the Technology Threat Avoidance Theory (TTAT) to explain this pattern. It’s a framework that helps predict how people react to perceived digital threats.
According to the study, TTAT describes two major processes:
- Threat appraisal
- Coping appraisal
“The threat appraisal process involves customers assessing the perceived threat based on their perceived vulnerability to the potential negative consequences… and the severity of the event.” Once individuals perceive a threat, “they evaluate potential coping options and adopt appropriate safeguarding measures to avoid the threat (i.e., coping appraisal).”
In simple terms, when a hospital breach makes patients feel exposed, they may cope by withdrawing. In healthcare, that avoidance strategy can backfire. The study cautions that “while avoiding healthcare services may protect customers from potential risks related to medical data breaches, these safeguarding behaviors could pose greater risks, potentially affecting their overall well-being.”
Therefore, the paradox of protecting someone’s privacy at the cost of their health captures the emotional complexity of healthcare data breaches.
Why aren't all breaches equal?
The study also shows that the type and scale of a breach greatly influence how patients respond. More specifically, “The impact of a data breach is more pronounced when the breach size, measured by the number of records leaked, is larger. Additionally, breaches caused by employees or insiders have a greater effect compared to those caused by external actors.”
The difference between insider and outsider breaches shows that patients trust hospitals to protect their data from hackers, not from their own employees. So, when an internal error or malicious insider causes a breach, the betrayal cuts deeper. Still, the study found that “patients with more chronic conditions are less likely to reduce their hospital visits following a healthcare data breach.”
Ultimately, those who need regular care often can’t afford to disengage even if they feel unsafe. For everyone else, the instinct to protect themselves often overrides the need for medical continuity.
Measuring the fallout
According to the research study, “the effects of a data breach tend to diminish over time, becoming insignificant after one year.” So, while patient avoidance spikes in the months following a breach, confidence eventually recovers.
However, “while retail customers often have the flexibility to find alternative services and products, healthcare customers may face significant challenges in finding suitable alternatives, especially when managing critical health issues.”
As the researchers put it, “understanding customer healthcare consumption behaviors after healthcare data breaches [is necessary to protect] their personal data [and] their health.”
Why do patients react differently?
Not every patient responds to a breach in the same way. The study states that “customers who rely more on services may face higher costs (e.g., health deterioration, higher future healthcare expenses), which can create barriers to adopting safeguarding measures.”
For relatively healthy patients or those with alternative care options, avoiding a hospital that’s been breached can be a reasonable precaution. These behavioral nuances explain why the overall reduction in visits of 4.65% hides large variations depending on individual circumstances.
The way forward for hospitals
Since “the impact of health data breaches can extend beyond individual hospitals,” “understanding the broader effects of a health data breach can help hospitals and local healthcare systems better prepare for such incidents.”
Preparation, in this case, also includes communication, reassurance, and transparency. The study warns that without those, “patients may miss the opportunity to receive timely healthcare by delaying their hospital visits.”
Hospitals, therefore, need to anticipate how fear will influence behavior. They must invest in cybersecurity and in patient reassurance strategies that incorporate safety, continuity, and support.
The human factor in data security
The previous study’s findings suggest that “insider-caused breaches have a greater impact; healthcare organizations should invest in training programs to raise employees’ awareness of data security.”
Insider threats can occur through negligence or malice and remain among the hardest to prevent. Since healthcare employees routinely handle protected health information (PHI), even small mistakes can expose thousands of patients. A misplaced email attachment, a stolen laptop, or a weak password can trigger cascading consequences.
That’s why healthcare organizations must offer ongoing employee education and strong internal policies.
Restoring patient confidence
Once trust is broken, rebuilding it takes time. Although the study’s results suggest that avoidance behavior tends to fade after a year, hospitals can be proactive to help speed up recovery.
That starts with honest communication. Patients deserve to know what happened, what was compromised, and what’s being done to prevent a repeat. Hospitals should also “encourage patients to continue visiting hospitals even after such an incident,” the authors recommend.
“Understanding patient behaviors will enable healthcare providers to improve the process of notifying patients about healthcare data breaches and providing follow-up support.”
Tailored outreach may also be needed. As the study explains, “certain types of patients are more sensitive to data breach incidents, which underscores the importance of tailored support and targeted communication strategies for these individuals.” For example, a patient with a history of trauma or anxiety might need extra reassurance about data safety to feel comfortable returning.
A great way to improve patient-provider communication is to use HIPAA compliant emails to protect patient privacy while promoting a trusting patient-provider relationship.
What policymakers can learn
Regulators and policymakers must better enforce privacy standards, offer incentives for cybersecurity upgrades, and standardize breach-notification procedures to help reduce public backlash.
Going back to the study’s framework of combining threat appraisal and coping appraisal will give policymakers a guide for anticipating how patients react to different breach scenarios. As the authors explain, “while threat appraisal is the key mechanism when customers adopt a safeguarding measure to avoid threats, the severity of a data breach and the costs of a coping option must be considered to fully understand the impacts.”
Therefore, understanding those dynamics can help policymakers improve regulations so they don’t just punish violations but also encourage resilience and transparency.
Ultimately, the study reframes data breaches as a public health risk in addition to being IT failures. When fear of exposure drives people away from care, they might not be able to get the healthcare they need. Healthcare providers must learn that cybersecurity is not separate from patient care; it is part of it.
FAQs
What is a data breach?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What types of information are usually exposed in a healthcare data breach?
Compromised data often includes patients’ names, contact details, Social Security numbers, medical histories, diagnoses, insurance details, and billing information. In some cases, prescription details or treatment notes may also be compromised, placing personal identity and medical privacy at risk.
What are the long-term consequences of healthcare data breaches?
In the long term, breaches can cause patients to delay or avoid care, increase public distrust in medical institutions, and lead to legal and regulatory penalties for healthcare providers.
