Data breaches are in the news constantly, but they appear to have no long-term effect on consumers’ use of payment methods. Breaches might, however, spur some consumers to switch hospitals, according to researchers.
“Payment attitudes and payment behaviors are very, very sticky,” says Claire Greene, a payments analyst at the Federal Reserve Bank of Boston.
Greene was one of three panelists Monday at the “Consumer Reactions to Data Breaches” session at automated clearing house governing body NACHA’s Payments 2017 conference in Austin, Texas. Greene summarized findings on the topic from several Federal Reserve studies, including a Boston Fed annual study on consumer payment choice that happened to be under way when Target Corp. first disclosed its huge data breach in December 2013. That gave researchers an opportunity to compare results from separate groups that had answered security questions before and after the news broke.
The researchers found that consumers’ confidence in the security of credit and especially debit cards dropped after the Target disclosure. Regarding credit cards, 35% of those who answered the survey before the breach announcement felt their personal information was secure, but only 24% of the post-breach study group members felt that way. With debit cards, the respective before and after figures were 37% and 23%. And another measure of consumers’ perceptions of the safety of cash and payment cards showed a slight increase in the opinions about cash but decreases in those regarding the safety of credit and especially debit cards.
“After the breach consumers rated the security of personal information on debit cards quite a bit more poorly,” Greene said.
But did those changing perceptions affect consumers’ card usage? Citing other Fed research, Greene said payment card usage patterns, including debit card usage, showed no significant change in 2014 from the preceding year. “We recorded no decline at all in consumers’ decision to use or not to use their debit card,” she said.
Another panelist, Slava Mikhed, a senior industry specialist at the Federal Reserve Bank of Philadelphia’s Payment Cards Center, analyzed payment behavior by South Carolina consumers after the South Carolina Department of Revenue in October 2012 disclosed a massive data breach affecting more than 3.5 million residents representing 81% of the population. Thieves gained access to Social Security numbers, payment and bank information, names, addresses, and birth dates.
Mikhed, citing findings from a panel of consumers the Federal Reserve Bank of New York uses to monitor credit usage and also data from credit-reporting agency Equifax from right before and after the breach, discovered a nearly 50-fold increase in consumers using credit-watch services immediately after the breach, then a sharp drop-off. He did not find any significant changes in credit card line usage or related indicators by South Carolina consumers after the breach.
“We conclude … that consumers feel very confident in the payment card system,” Mikhed said.
Hospitals might actually be in more danger of losing patients after a data breach than banks are of losing cardholders. A third panelist, Eric Johnson, dean of the Owen Graduate School of Management at Vanderbilt University, reported on research findings from nearly 5,000 U.S. hospitals involved in 723 data breaches since federal regulations implemented under the 2009 Health Information Technology for Economic and Clinical Health Act forced medical providers to disclose more information about data compromises.
What Johnson, who studies medical fraud, and his research partners found was a 30% change in admissions trends at breached hospitals and a 32% change in their outpatient visits. So, if a hospital’s admissions had been growing by 10% annually, for example, growth slowed to about 7% post-breach. If admissions had been declining before a breach, “it would accelerate that loss,” he said.
But the change mainly affected hospitals that had suffered more than one sizable breach—single breaches had little effect—and were located in larger cities where patients have a choice of providers, according to Johnson. “The high-level result is that yes, patients will in fact move if there are multiple breaches, and there are big breaches, and they have a place to move,” he said.