The management and provision of healthcare in the United States remains one of the most divisive topics among its citizens. Emblematic of the heated debate is the continued battle over former President Obama’s signature domestic policy program, the Patient Protection and Affordable Care Act (ACA), also known as “Obamacare”, the constitutionality of which has been argued in front of the Supreme Court four separate times and which holds the distinction of being the most challenged statute in the nation’s history [1,2].
Interestingly, despite the scrutiny afforded to the healthcare-related aspects of the statute, its societal implications beyond healthcare have received circumspect empirical consideration (with some notable exceptions [3,4]). Indeed, while researchers point to increased vaccination rates, improved medical coverage among the nation’s youth, and coverage in underserved communities [5–7], little attention has been paid to its wider implications. This is striking given the aftereffects that traditionally spill from such a large injection of capital into dispersed and heterogeneous markets. In this work, we begin to close this gap by investigating an outcome that often characterizes expansive government spending: moral hazard and the fraud that accompanies it [8–11]. We do so by investigating the effect of Medicaid expansion on rates of consumer fraud and identity theft.
The theoretical relationship between Medicaid expansion, consumer fraud, and identity theft is somewhat opaque. On the one hand, the conventional view would be that fraud and identity theft will rise with the expansion. To the extent that the expansion of Medicaid brought with it tremendous increases in coverage, the creation of individual health insurance markets, and an intense digitization of records [12,13], the value of the concentrated records that could be stolen increases by construction. And when coupled with the ACA’s push to reform delivery systems through digitization (viz. through electronic health records and health information exchanges (HIEs)), the concern is evident. Because a larger number of patients are being treated within the bounds of hospitals [7], where the encounter typically generates a digital record (initially due to the HITECH Act and further propelled by the ACA), there is more and richer data to steal. When discussing the reach of the ACA and its digitization efforts, Fontenot [14] notes: “With an electronic record, the patient’s entire transition through life and treatment becomes available far beyond that patient and their encounters with the health care system” [p. 74].
On the other hand, this inference does not account for extant knowledge of digitization and the efficacy of statutes designed to limit malfeasance. Numerous scholars have noted that while digitization can result in negative externalities like insurance upcoding, it also streamlines the auditing process, making it easier to detect and correct misconduct [15–17]. Similar views have been advanced regarding fraud detection in a digitized healthcare system (i.e., analytical auditing) [14]. Moreover, to the extent that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates rigorous protections of personal health data to limit leakage, data loss might also fall. Insofar as health care systems expanded to accommodate newly-covered patients, it is likely that IT security investments were made. If this were the case, the total amount of consumer fraud and identity theft might drop due to the increased data security and oversight of personal health information brought on by the expansion of Medicaid.
In this same vein, recent research shows that IT governance structures can reduce the risk of breach in the future [18,19] and statutory attempts to limit the prevalence of breaches, either through more aggressive law enforcement or through mandatory disclosure, can effectively deter cybercriminals [20–23]. Perhaps unsurprisingly, these findings are not uniform, with empirical work also showing no relationship between statutory interventions and consumer data loss [24]. Further complicating things, there can be communication issues with consumers. D’Arcy et al. [25], for example, demonstrate that firms increase their risk of data breach when activists believe they are greenwashing by engaging in symbolic corporate social responsibility activities. To explore these competing perspectives, we leverage the phased implementation of Medicaid expansion after the passage of the ACA using a difference in difference approach [26,27].
Study data and methods
Data and sample
To investigate the effect of Medicaid expansion on rates of consumer fraud and identity theft, we construct a unique data set from three sources. First, we gather data on the expansion of Medicaid from the Kaiser Family Foundation. These data are compiled in Appendix Exhibit A1 and indicate the year of Medicaid expansion for each state (if at all). Second, we draw data on claims of fraud and identity theft from the FTC’s Consumer Sentinel Network Reports. These data have been consistently used in empirical research to measure rates of fraud and identity theft [22,24]. We first focus on instances of fraud and identity theft, as opposed to data breaches, because there are varying requirements for breach reporting, breaches vary in the potential harm posed to the public, and many breaches go completely undetected (making classifying the attack vector impossible). For example, an employee of a health insurer could steal one or two patients’ information each week; detecting this attack and tying it back to the insurance company could be very difficult, but the fraud or identity theft that resulted would be reported. Identifying the attack vector is often difficult or impossible, reinforcing our approach focusing on instances of identity theft and fraud. However, to ensure robustness we also investigate the effect of Medicaid expansion on breached consumer data using the Privacy Rights Clearinghouse [25,28]. Data are organized at the state-year level from 2005 to 2018. Consistent with prior work, we treat the District of Columbia as an independent member of the panel. As this paper relies entirely on secondary analysis of publicly available data that is aggregated at the state level with no way to deidentify an individual, it does not qualify as human subjects research and IRB approval was not required.
Analytical approach
To identify the effect, we estimate a two-way fixed effect difference in difference estimation [27]. As the dependent variable is a non-negative integer count, we use a Poisson Pseudo Maximum Likelihood (PPML) estimator [29]. Formally, we estimate Equation 1, expressed in linear form:
where yjt first takes on the number of identity thefts and then the reported number of cases of consumer fraud. ∂ is the vector of state fixed effects (j). γ is the vector of year fixed effects (t). ε is the error term. The constant term is not estimated due to the inclusion of the two-way fixed effect structure. All states are included, whether they were ultimately treated or not, providing power to establish the parallel trend estimate (missing counterfactual) and assess pre-treatment trends [30]. Robust standard errors are clustered on the state (i.e., the unit of treatment) [31]. Results are in Table 1.
[Figure omitted. See PDF.]
Before discussing our results, several items bear note. The chief concern with any difference in difference estimation is the assessment of pre-treatment trends in the dependent variable [26,32]. The concern is that if heterogeneity exists across the treatment and control groups prior to treatment, we might inappropriately attribute post-treatment difference to the treatment instead of some pre-existing factor. In context, such a concern is not outlandish. If access to healthcare markets influences changing rates of fraud and identity theft, the expansion of Medicaid might be correlated with such factors a priori, resulting in a biased estimate, even if the expansion of Medicaid by state legislators as a direct response to general fraud is implausible. To assess this possibility, we estimate a variant of the Autor [33] leads and lags framework, which has become popular in empirical work [34–36]. In doing so, we create a series of relative time dummies that capture the temporal distance between treatment in the current period t versus treatment in state j (conditioned upon the absolute time fixed effects and the location fixed effects). By estimating the effect semi-parametrically, we can visualize the effect over time both pre- and post-treatment. To mitigate power issues in the tails, we collapse all indicators more than 5 years from treatment into a single coefficient. The period immediately prior to treatment is omitted to avoid the dummy variable trap. Results are in Table 2.
[Figure omitted. See PDF.]
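The two specifications described above (the two-way fixed effect PPML difference in difference, and the leads and lags variant with indicators beyond five years collapsed and the period before treatment omitted) are sketched here as an added illustration; this is not the authors' code. It runs on a constructed, noise-free panel of hypothetical states with made-up adoption years, and the fitting routine, the separate lead and lag tail bins, and every function name are assumptions.

```python
import math

YEARS = range(2005, 2019)  # the paper's 2005-2018 state-year window
# Constructed adoption years for hypothetical states (None = never expanded).
# These are NOT the real expansion dates compiled in the paper's Exhibit A1.
ADOPTION = {"A": 2011, "B": 2012, "C": 2014, "D": 2014, "E": 2016,
            "F": None, "G": None, "H": None}


def rel_time_bin(year, adopt, window=5):
    """Relative-time cell for one state-year.

    Returns None for the reference group (the period immediately before
    treatment, or a never-treated state). Periods more than `window` years
    from treatment collapse into one lead bin and one lag bin (assumption:
    the tails are binned separately).
    """
    if adopt is None:
        return None
    k = year - adopt
    if k == -1:
        return None
    return max(-(window + 1), min(window + 1, k))


def ppml_twfe(rows, max_iter=5000, tol=1e-12):
    """Poisson pseudo-ML with state and year fixed effects.

    rows: (state, year, y, cell); cell None is the reference category.
    The cells are mutually exclusive dummies, so each block of first-order
    conditions sum(y - mu) = 0 has a closed-form solution; the blocks are
    cycled until the cell coefficients stop moving. Requires a positive
    outcome total in every state, year and cell.
    """
    a = {r[0]: 0.0 for r in rows}                   # state fixed effects
    g = {r[1]: 0.0 for r in rows}                   # year fixed effects
    b = {r[3]: 0.0 for r in rows if r[3] is not None}

    def solve(key, offset):
        num, den = {}, {}
        for r in rows:
            k = key(r)
            if k is None:
                continue
            num[k] = num.get(k, 0.0) + r[2]
            den[k] = den.get(k, 0.0) + math.exp(offset(r))
        return {k: math.log(num[k] / den[k]) for k in num}

    for _ in range(max_iter):
        a = solve(lambda r: r[0], lambda r: g[r[1]] + b.get(r[3], 0.0))
        g = solve(lambda r: r[1], lambda r: a[r[0]] + b.get(r[3], 0.0))
        new_b = solve(lambda r: r[3], lambda r: a[r[0]] + g[r[1]])
        shift = max(abs(new_b[c] - b[c]) for c in b)
        b = new_b
        if shift < tol:
            break
    return b


def make_panel(effect=-0.10):
    """Constructed, noise-free panel: y = exp(state FE + year FE + effect*post).

    PPML only needs a non-negative outcome, so y is left non-integer here.
    """
    state_fe = {s: 6.0 + 0.25 * i for i, s in enumerate(sorted(ADOPTION))}
    panel = []
    for s, adopt in ADOPTION.items():
        for t in YEARS:
            post = adopt is not None and t >= adopt
            year_fe = 0.04 * (t - 2005) + 0.05 * math.sin(t)
            y = math.exp(state_fe[s] + year_fe + (effect if post else 0.0))
            panel.append((s, t, y, post))
    return panel


def static_did(panel):
    """Single post-treatment coefficient (the Equation 1 style model)."""
    rows = [(s, t, y, "post" if post else None) for s, t, y, post in panel]
    return ppml_twfe(rows)["post"]


def event_study(panel):
    """One coefficient per binned relative-time cell (leads and lags)."""
    rows = [(s, t, y, rel_time_bin(t, ADOPTION[s])) for s, t, y, _ in panel]
    return ppml_twfe(rows)


def pct_change(beta):
    """Percent change in the expected count implied by a PPML coefficient."""
    return 100.0 * (math.exp(beta) - 1.0)


if __name__ == "__main__":
    panel = make_panel()
    beta = static_did(panel)
    print(f"static DiD: beta={beta:.4f} ({pct_change(beta):.2f}%)")
    for k, coef in sorted(event_study(panel).items()):
        print(f"relative year {k:+d}: {coef:+.4f}")
```

Because the constructed panel has flat pre-trends by design, the lead coefficients come out at zero; in real data a non-zero lead is the warning sign the pre-treatment trend check is meant to surface.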
Study results
In Columns 1–4 in Table 1, we observe a general decrease in rates of identity theft and fraud after Medicaid expansion, although the effects cross beyond the traditional thresholds of significance in Column 3 once controls are added. Still, most columns indicate a negative relationship. Intuitively, this suggests that Medicaid expansion decreases rates of malfeasance. Numerous mechanisms are plausible, ranging from the increased security associated with granting previously uninsured persons access to healthcare markets, to increased security through the digitization of these records (a consistent occurrence after the expansion of Medicaid), to increased oversight on the treatment of medical records which accords with federal intervention in the market. Economically, estimates indicate a drop in identity theft between ~5.2% and ~7.1%. Similarly, estimates indicate a decrease in fraud between ~9.6% and ~16.2%.
We turn next to the event study model (Table 2). As can be seen, there is a consistent negative effect of treatment on fraud in Column 2, with negative and significant estimates emerging. Further, as can be seen, there is little in the way of significant pre-treatment trends, although there is a marginally significant difference five years prior to treatment. Further, and consistent with Table 1, in Column 1 we observe no consistent pre- or post-treatment effect, suggesting a de minimis relationship between Medicaid expansion and identity theft.
Data breaches
To ensure the robustness of the above results it is worth considering alternate measures of data loss. As discussed previously, one popular measure in the empirical literature is to consider the prevalence of reported data breaches and the number of the records stolen [24,25,28]. While this outcome is more distal from our measures of consumer harm, evaluating the number of breaches offers a valuable check on a potential mechanism, i.e., decreased breaches overall.
To execute these tests, we draw data from the Privacy Rights Clearinghouse, a publicly available repository of historical breaches. The Privacy Rights Clearinghouse began collecting data in 2005, but nationwide data is thin prior to 2010. Table 3 reports analysis using the full sample. Exhibit A2 in the Statistical Appendix reports results restricting the sample to the years 2010 onward; results remain consistent. We then replicate Equation 1, replacing the number of fraudulent claims and identities stolen with the total number of reported breaches and the total number of breached records. In deference to the number of breaches and the number of records compromised, we log the DV and interpret the effect elastically. The estimator is OLS.
[Figure omitted. See PDF.]
Results are in Table 3. As can be seen, effects are consistent. There is a significant and negative effect on both the number of breaches which have occurred and the total number of compromised records. Two critical takeaways from these estimations are evident. First, these estimations corroborate prior measures and suggest a beneficial effect of Medicaid expansion on data security beyond claims of fraud. Second, and more importantly, they offer suggestive evidence of the mechanism behind the effect, i.e., increased security. To the extent that the rate of breaches and breached records are declining in Medicaid expanding states, it appears that this expansion is slowing data loss by decreasing the number and extent of breaches.
The phased treatment (being implemented at different times in different states) raises an issue of measurement bias, because during a phased treatment implementation, the effect shifts, becoming a weighted average of early vs. late treatment, treated vs. never treated, and so forth. As a result, the individual weights of the components of the estimate may invert, yielding a biased coefficient which can even invert the sign of the coefficient, notably when the individual treatments differ in size and grow with time. To address this concern, we include a Goodman-Bacon [37] decomposition, and a Callaway and Sant’Anna [38] estimation in the Supporting Information Appendix. In the interest of space, we refer the interested reader to this Appendix for further details on the robustness checks including placebo tests and sample truncation. Results are consistent with our main findings.
Discussion
In this work, we investigate the relationship between the expansion of Medicaid provisions under the ACA and data security in the form of fraud and identity theft. The relationship between these concepts is theoretically opaque. On the one hand, the injection of hundreds of billions of dollars into the healthcare market materially raises the attractiveness of such targets to malicious actors, notably as this period saw an increased rate of personal data digitization [12]. As a result, it is plausible that thefts might rise, with the personal information of millions of Americans spilling into secondary markets for the sale of personal data like the dark web [39]. On the other hand, there are reasons to believe that cases of identity theft and fraud might fall. Numerous scholars have highlighted the increased security and monitoring which accompanies the digitization of records, and the expansions associated with ACA rollout may have stimulated investments in IT security. Coupled with the fact that patients themselves are now formally covered by insurance, there is an incentive for them to formally engage with the medical system and not misrepresent themselves to physicians.
Upon exploring these competing perspectives, results are three-fold. First, we find that the number of reported cases of fraud significantly declines after the expansion of Medicaid. Second, we find no material or robust change in the number of identities stolen. Third, in deference to traditional approaches to measuring population level data security, we also find a decline in the number of data breaches and stolen or compromised records after the expansion of Medicaid. Taken in sum, these findings suggest that the mechanism by which the effect manifests is likely increased oversight, which comes with creating formal markets for underserved communities, and results in increased data security and diminished rates of fraud.
Policy implications
While the injection of capital into markets has historically raised the specter of fraud and malfeasance, these concerns appear to be limited when appropriate technological safeguards are implemented. Put simply, risks of moral hazard and fraud have near universally accompanied large infusions of capital into markets [8–11] for obvious reasons. Not only are targets more attractive, because there are more consumers tracked by them [7], but the richness of healthcare data and the interconnected nature of the emergent exchanges has long been thought to lead to data security vulnerabilities [40,41]. Yet, this simplistic view ignores the effect of proactive steps organizations can take [42,43], and the benefits of direct guidance from federal entities when it comes to safeguarding data (i.e., HIPAA). As a result, to the extent that these organizations appear to be integrating security with organizational and institutional practices [28], they are able to better safeguard consumer data than pre-digitized organizations.
Further, to the extent that any federal program which bluntly injects large amounts of capital has been met with skepticism, and raises reasonable concerns of downstream fraud, our findings underscore the importance of coupling capital injection with appropriate controls. Contrast, for example, Medicaid expansion (where tight controls existed) with the Trump Administration’s injections of capital into the economy during the Covid-19 pandemic (e.g., the Paycheck Protection Program (PPP)). To date, the Government Accountability Office [44] and NGOs [45] have associated these programs with tens of billions of dollars of fraud against U.S. taxpayers. As a result, numerous federal agencies (ranging from Treasury, to HHS, to the Department of Justice) have been compelled to initiate massive ex post efforts to recover these dollars (each of which is also expensive). And while it is beyond the scope of this work to second guess the necessity of capital injections during a global public health emergency, the absence of such controls only bolsters the importance of our findings for policy makers.
Our work also underscores the importance of technological safeguards and regulating inappropriate access. One concern following the digitization of patient records has been that the proliferation of data sharing across organizations could lead to inappropriate use. This is a consistent concern when balancing the size of digital security programs at the local vs. state and federal level. Examples are easy to come by, ranging from the inappropriate search of celebrity health records by medical practitioners [46] to the illegal search of Barack Obama’s records by Philadelphia police officers [47]. On the one hand, permitting smaller jurisdictions to manage data is intuitively appealing, because the attractiveness of the target is lower (viz., because fewer records are tracked). However, these entities may not have the resources or technical knowhow to properly safeguard data and limit access, and decentralization may require an unpalatably high ratio of IT investment to overall expenses within each jurisdiction. This once again pushes back on the longstanding assumption that a larger aggregation will lead to an increased likelihood of data loss, notably when aggregation is coupled with superior data controls. We further hope this work serves as a call for future scholarship that investigates the conditions under which greater data aggregation can materially benefit consumer security.
Limitations
These findings are not without limitation. First, due to the secondary nature of the empirical investigation, we are unable to uncover the exact mechanism by which the decline in fraud manifests. Although our evidence suggests that the number of breaches is declining, it could also be that malicious actors may not be targeting the particular hospitals or physicians’ offices which tend to treat a larger number of Medicaid patients for fear of federal enforcement. It is also possible that formal participation in insurance markets results in fewer cases of fraud on the part of patients (uninsured patients traditionally being without a general practitioner and therefore being less incentivized to engage truthfully with healthcare providers). A third possibility is that physician prevalence for upcoding under digital regimes is declining under Medicaid expansion, again suggesting an enforcement mechanism. We leave further determination of the mechanism to future scholars. A related line of inquiry relates to both the breach vector (e.g., physical versus digital) and the type of fraud or identity theft exploiting the leaked information (e.g., credit card or loan fraud, tax or benefit fraud, health care fraud); the available data does not provide this level of granularity.
Second, we are reliant on diagnostic methods to ensure the validity of the difference in difference. While the absence of pre-treatment trends and the success of the various falsification tests suggest that the exogeneity assumptions of the DID are met (i.e., treatment can be considered exogenous once conditioned upon controls), this cannot be assured in the absence of laboratory conditions. Bearing this in mind, legislative histories are, to the best of our understanding, devoid of references to data security when state legislatures were debating the expansion of Medicaid. Third, the ACA was expanding coverage in an aggressively changing market, making it difficult to ignore the possibility of an omitted variable bias, despite the successful robustness checks. While the fixed effect structure should minimize the effect of other federal laws which were implemented nationwide (such as the HITECH Act which was implemented universally across the country and affects both the treated and untreated states in the sample), the possibility of other state level initiatives remains a possibility which would impact the causal interpretation of our results. Fourth, and importantly, we are unable to uncover the source of the associated fraud, or connect an individual breach with a subsequent reported fraud. Future work would do well to consider not only the types of individual frauds which are occurring, but the source of that malfeasance based on the type of breach which occurred (e.g., external hacks, employee data theft, etc.).
Conclusion
This work addresses the possibility that the expansion of Medicaid under the ACA had a material effect on the security of citizens’ personal data. We find no evidence of increased fraud. Instead, we observed rates of fraud declining in Medicaid expanding states, with breaches and breached records declining as well. We hope this work serves as a call to action for researchers on two fronts. First, to consider the effect of Medicaid expansion on broader social issues besides healthcare. While some scholars are beginning to take this approach [3,4,48], it remains an underserved area of research for one of the largest federal programs in U.S. history. Second, we hope this work pushes scholars to break the mold of focusing solely on data breaches in favor of investigating instances of fraud and identity theft (i.e., materialized harm to consumers). While the focus on breaches is appealing, it is potentially problematic because breach discovery is not 100%, and not all breaches result in material harm, which can result in inconsistent reporting. Pivoting away from this approach, and towards observable instances of harm, offers the opportunity for researchers to begin resolving this discrepancy between measures and constructs.
Supporting information
S1 File. S1 Appendix, S2 Exhibit A1- S8 Exhibit A7.
https://doi.org/10.1371/journal.pone.0307015.s001
(DOCX)
References
1. Jost T. The Supreme Court throws out the ACA lawsuit, not the ACA. Commonwealth Fund Blog. 2021.
2. Gluck AR, Scott-Railton T. Affordable Care Act Entrenchment. Geo LJ. 2019;108:495.
3. Bailey J. Health insurance and the supply of entrepreneurs: new evidence from the affordable care act. Small Bus Econ. 2017;49(3):627–46.
4. Willage B. Unintended consequences of health insurance: Affordable Care Act’s free contraception mandate and risky sex. Health Econ. 2020;29(1):30–45. pmid:31701617
5. Aris E, Montourcy M, Esterberg E, Kurosky SK, Poston S, Hogea C. The adult vaccination landscape in the United States during the affordable care act era: results from a large retrospective database analysis. Vaccine. 2020;38(14):2984–94. pmid:32115298
6. Barbaresco S, Courtemanche CJ, Qi Y. Impacts of the affordable care act dependent coverage provision on health-related outcomes of young adults. J Health Econ. 2015;40:54–68. pmid:25594956
7. Sommers BD, Gunja MZ, Finegold K, Musco T. Changes in self-reported insurance coverage, access to care, and health under the affordable care act. JAMA. 2015;314(4):366–74. pmid:26219054
8. Ferraz C, Finan F. Electoral accountability and corruption: evidence from the audits of local governments. American Economic Review. 2011;101(4):1274–311.
9. Einav L, Finkelstein A, Ryan S, Schrimpf P, Cullen MR. Selection on Moral Hazard in Health Insurance. Am Econ Rev. 2013;103(1):178–219. pmid:24748682
10. Bourgeon J-M, Picard P. Fraudulent claims and nitpicky insurers. American Economic Review. 2014;104(9):2900–17.
11. Okura M. The relationship between moral hazard and insurance fraud. Economic Review. 2012;53(5):941–73.
12. Adler-Milstein J, DesRoches CM, Kralovec P, Foster G, Worzala C, Charles D, et al. Electronic health record adoption in US hospitals: progress continues, but challenges persist. Health Aff (Millwood). 2015;34(12):2174–80. pmid:26561387
13. Atasoy H, Greenwood BN, McCullough J. The digitization of patient care: a review and paths forward on electronic health records research. Annual Review of Public Health. 2019;40(1):487–500.
14. Fontenot SF. The affordable care act and electronic health care records. Physician Executive. 2013;39(6):72–6.
15. Ransbotham S, Overby EM, Jernigan MC. Electronic trace data and legal outcomes: the effect of electronic medical records on malpractice claim resolution time. Management Science. 2021;67(7):4341–61.
16. Ganju KK, Atasoy H, Pavlou PA. Do electronic health record systems increase medicare reimbursements? the moderating effect of the recovery audit program. Management Science. 2022;68(4):2889–913.
17. Greenwood BN, Funk R. The Doctor will See You Elsewhere: Enterprise Information Systems and the Changing Control of Firm Activities. Available at SSRN 3481443. 2019.
18. Liu CW, Huang P, Lucas H. IT centralization, security outsourcing, and cybersecurity breaches: evidence from the US higher education. 2017.
19. Pang M-S, Tanriverdi H. Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government. The Journal of Strategic Information Systems. 2022;31(1):101707.
20. Hui K-L, Vance A, Zhdanov D. Securing digital assets. MIS Quarterly Research Curations, Ashley Bush, ed, 2016. http://misqorg/research-curations
21. Png IP, Wang CY, Wang QH. The deterrent and displacement effects of information security enforcement: international evidence. J Manage Inform Syst. 2008;25(2):125–44.
22. Romanosky S, Telang R, Acquisti A. Do data breach disclosure laws reduce identity theft?. J Policy Anal Manage. 2011;30(2):256–86.
23. Buckman J, Bockstedt J, Hashim MJ, Woutersen T, editors. Do organizations learn from a data breach. Workshop on the Economics of Information Security; 2017.
24. Greenwood BN, Vaaler P. All for naught: An empirical examination of the impact of breach notification laws. 2022. https://ssrn.com
25. D’Arcy J, Adjerid I, Angst CM, Glavas A. Too good to be true: firm social performance and the risk of data breach. Information Systems Research. 2020;31(4):1200–23.
26. Bertrand M, Duflo E, Mullainathan S. How much should we trust differences-in-differences estimates?. The Quarterly Journal of Economics. 2004;:249–75.
27. Wooldridge J, Imbens G. Difference-in-differences estimation. Lecture notes. 2007;10.
28. Angst CM, Block ES, D’Arcy J, Kelley K. When Do IT security investments matter? accounting for the influence of institutional factors in the context of healthcare data breaches. MISQ. 2017;41(3):893–916.
29. Santos Silva JMC, Tenreyro S. Further simulation evidence on the performance of the Poisson pseudo-maximum likelihood estimator. Economics Letters. 2011;112(2):220–2.
30. Roth J, Sant’Anna PHC, Bilinski A, Poe J. What’s trending in difference-in-differences? A synthesis of the recent econometrics literature. Journal of Econometrics. 2023;235(2):2218–44.
31. Colin Cameron A, Miller DL. A practitioner’s guide to cluster-robust inference. J Human Resources. 2015;50(2):317–72.
32. Angrist JD, Pischke JS. Mostly harmless econometrics: an empiricist’s companion. Princeton University Press. 2008.
33. Autor DH. Outsourcing at will: the contribution of unjust dismissal doctrine to the growth of employment outsourcing. Journal of Labor Economics. 2003;21(1):1–42.
34. Wolfers J. Did unilateral divorce laws raise divorce rates? A reconciliation and new results. American Economic Review. 2006;96(5):1802–20.
35. Burtch G, Carnahan S, Greenwood BN. Can you gig it? an empirical examination of the gig economy and entrepreneurial activity. Management Science. 2018;64(12):5497–520.
36. Azoulay P, Zivin JSG, Wang J. Superstar Extinction. Quarterly Journal of Economics. 2010;125(2):549–89.
37. Goodman-Bacon A. Difference-in-differences with variation in treatment timing. National Bureau of Economic Research; 2018. Report No.: 0898-2937.
38. Callaway B, Sant’Anna PH. Difference-in-differences with multiple time periods. Journal of Econometrics. 2020.
39. Steel CM. Stolen identity valuation and market evolution on the dark web. International Journal of Cyber Criminology. 2019;13(1):70–83.
40. Li H, Yoo S, Kettinger WJ. The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches. Journal of Management Information Systems. 2021;38(1):222–45.
41. Tanriverdi H, Du K. Corporate strategy changes and information technology control effectiveness in multibusiness firms. MISQ. 2020;44(4):1573–617.
42. Kim SH, Kwon J. How do EHRs and a meaningful use initiative affect breaches of patient information?. Information Systems Research. 2019;30(4):1184–202.
43. Kwon J, Johnson ME. Meaningful healthcare security: does meaningful-use attestation improve information security performance?. MISQ. 2018;42(4):1043–67.
44. GAO. Unemployment insurance: DOL needs to address substantial pandemic UI fraud and reduce persistent risks. 2023. https://www.gao.gov/products/gao-23-1065862023
45. Fine G. Fighting fraud, waste, and abuse—COVID-19 pandemic relief expenditures. In: Institute TB, editor. https://www.brookings.edu/articles/fighting-fraud-waste-and-abuse-covid-19-pandemic-relief-expenditures/2022.
46. Ornstein C. Celebrities’ medical records tempt hospital workers to snoop. National Public Radio. 2015.
47. News a. Cop in trouble for running check on Obama. ABC Action News. 2009.
48. Courtemanche C, Marton J, Yelowitz A. The Full Impact of the Affordable Care Act on Political Participation. RSF: The Russell Sage Foundation Journal of the Social Sciences. 2020;6(2):179.
Citation: Clement J, Greenwood BN, D’Arcy J, Angst C (2025) Expanding risks: Medicaid expansion and data security. PLoS One 20(7): e0307015. https://doi.org/10.1371/journal.pone.0307015
About the Authors:
Jeffrey Clement
Roles: Formal analysis, Methodology, Writing – original draft, Writing – review & editing
Affiliation: Management Information Systems Area, School of Business and Economics, Augsburg University, Minneapolis, Minnesota, United States of America
ORCID: https://orcid.org/0000-0002-4500-7260
Brad N. Greenwood
Roles: Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Project administration, Resources, Supervision, Writing – original draft, Writing – review & editing
¶‡ The authors thank Joshua Wright for his feedback during the development of this manuscript.
Affiliation: Information Systems and Operations Management Area, Costello College of Business, George Mason University, Fairfax, Virginia, United States of America
ORCID: https://orcid.org/0000-0002-0772-7814
John D’Arcy
Roles: Formal analysis, Methodology, Writing – original draft, Writing – review & editing
Affiliation: Department of Accounting and Management Information Systems, Alfred Lerner College of Business & Economics, University of Delaware, Newark, Delaware, United States of America
Corey Angst
Roles: Data curation, Formal analysis, Methodology, Writing – original draft, Writing – review & editing
Affiliation: Department of IT, Analytics and Operations, Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana, United States of America
1. Jost T. The Supreme Court throws out the ACA lawsuit, not the ACA. Commonwealth Fund Blog. 2021.
2. Gluck AR, Scott-Railton T. Affordable Care Act Entrenchment. Geo LJ. 2019;108:495.
3. Bailey J. Health insurance and the supply of entrepreneurs: new evidence from the affordable care act. Small Bus Econ. 2017;49(3):627–46.
4. Willage B. Unintended consequences of health insurance: Affordable Care Act’s free contraception mandate and risky sex. Health Econ. 2020;29(1):30–45. pmid:31701617
5. Aris E, Montourcy M, Esterberg E, Kurosky SK, Poston S, Hogea C. The adult vaccination landscape in the United States during the affordable care act era: results from a large retrospective database analysis. Vaccine. 2020;38(14):2984–94. pmid:32115298
6. Barbaresco S, Courtemanche CJ, Qi Y. Impacts of the affordable care act dependent coverage provision on health-related outcomes of young adults. J Health Econ. 2015;40:54–68. pmid:25594956
7. Sommers BD, Gunja MZ, Finegold K, Musco T. Changes in self-reported insurance coverage, access to care, and health under the affordable care act. JAMA. 2015;314(4):366–74. pmid:26219054
8. Ferraz C, Finan F. Electoral accountability and corruption: evidence from the audits of local governments. American Economic Review. 2011;101(4):1274–311.
9. Einav L, Finkelstein A, Ryan S, Schrimpf P, Cullen MR. Selection on Moral Hazard in Health Insurance. Am Econ Rev. 2013;103(1):178–219. pmid:24748682
10. Bourgeon J-M, Picard P. Fraudulent claims and nitpicky insurers. American Economic Review. 2014;104(9):2900–17.
11. Okura M. The relationship between moral hazard and insurance fraud. Economic Review. 2012;53(5):941–73.
12. Adler-Milstein J, DesRoches CM, Kralovec P, Foster G, Worzala C, Charles D, et al. Electronic health record adoption in US hospitals: progress continues, but challenges persist. Health Aff (Millwood). 2015;34(12):2174–80. pmid:26561387
13. Atasoy H, Greenwood BN, McCullough J. The digitization of patient care: a review and paths forward on electronic health records research. Annual Review of Public Health. 2019;40(1):487–500.
14. Fontenot SF. The affordable care act and electronic health care records. Physician Executive. 2013;39(6):72–6.
15. Ransbotham S, Overby EM, Jernigan MC. Electronic trace data and legal outcomes: the effect of electronic medical records on malpractice claim resolution time. Management Science. 2021;67(7):4341–61.
16. Ganju KK, Atasoy H, Pavlou PA. Do electronic health record systems increase medicare reimbursements? the moderating effect of the recovery audit program. Management Science. 2022;68(4):2889–913.
17. Greenwood BN, Funk R. The Doctor will See You Elsewhere: Enterprise Information Systems and the Changing Control of Firm Activities. Available at SSRN 3481443. 2019.
18. Liu CW, Huang P, Lucas H. IT centralization, security outsourcing, and cybersecurity breaches: evidence from the US higher education. 2017.
19. Pang M-S, Tanriverdi H. Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government. The Journal of Strategic Information Systems. 2022;31(1):101707.
20. Hui K-L, Vance A, Zhdanov D. Securing digital assets. MIS Quarterly Research Curations, Ashley Bush, ed, 2016. http://misqorg/research-curations
21. Png IP, Wang CY, Wang QH. The deterrent and displacement effects of information security enforcement: international evidence. J Manage Inform Syst. 2008;25(2):125–44.
22. Romanosky S, Telang R, Acquisti A. Do data breach disclosure laws reduce identity theft?. J Policy Anal Manage. 2011;30(2):256–86.
23. Buckman J, Bockstedt J, Hashim MJ, Woutersen T, editors. Do organizations learn from a data breach. Workshop on the Economics of Information Security; 2017.
24. Greenwood BN, Vaaler P. All for naught: An empirical examination of the impact of breach notification laws. 2022. https://ssrn.com
25. D’Arcy J, Adjerid I, Angst CM, Glavas A. Too good to be true: firm social performance and the risk of data breach. Information Systems Research. 2020;31(4):1200–23.
26. Bertrand M, Duflo E, Mullainathan S. How much should we trust differences-in-differences estimates?. The Quarterly Journal of Economics. 2004;:249–75.
27. Wooldridge J, Imbens G. Difference-in-differences estimation. Lecture notes. 2007;10.
28. Angst CM, Block ES, D’Arcy J, Kelley K. When Do IT security investments matter? accounting for the influence of institutional factors in the context of healthcare data breaches. MISQ. 2017;41(3):893–916.
29. Santos Silva JMC, Tenreyro S. Further simulation evidence on the performance of the Poisson pseudo-maximum likelihood estimator. Economics Letters. 2011;112(2):220–2.
30. Roth J, Sant’Anna PHC, Bilinski A, Poe J. What’s trending in difference-in-differences? A synthesis of the recent econometrics literature. Journal of Econometrics. 2023;235(2):2218–44.
31. Colin Cameron A, Miller DL. A practitioner’s guide to cluster-robust inference. J Human Resources. 2015;50(2):317–72.
32. Angrist JD, Pischke JS. Mostly harmless econometrics: an empiricist’s companion. Princeton University Press. 2008.
33. Autor DH. Outsourcing at will: the contribution of unjust dismissal doctrine to the growth of employment outsourcing. Journal of Labor Economics. 2003;21(1):1–42.
34. Wolfers J. Did unilateral divorce laws raise divorce rates? A reconciliation and new results. American Economic Review. 2006;96(5):1802–20.
35. Burtch G, Carnahan S, Greenwood BN. Can you gig it? an empirical examination of the gig economy and entrepreneurial activity. Management Science. 2018;64(12):5497–520.
36. Azoulay P, Zivin JSG, Wang J. Superstar Extinction. Quarterly Journal of Economics. 2010;125(2):549–89.
37. Goodman-Bacon A. Difference-in-differences with variation in treatment timing. National Bureau of Economic Research; 2018. Report No.: 0898-2937.
38. Callaway B, Sant’Anna PH. Difference-in-differences with multiple time periods. Journal of Econometrics. 2020.
39. Steel CM. Stolen identity valuation and market evolution on the dark web. International Journal of Cyber Criminology. 2019;13(1):70–83.
40. Li H, Yoo S, Kettinger WJ. The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches. Journal of Management Information Systems. 2021;38(1):222–45.
41. Tanriverdi H, Du K. Corporate strategy changes and information technology control effectiveness in multibusiness firms. MISQ. 2020;44(4):1573–617.
42. Kim SH, Kwon J. How do EHRs and a meaningful use initiative affect breaches of patient information?. Information Systems Research. 2019;30(4):1184–202.
43. Kwon J, Johnson ME. Meaningful healthcare security: does meaningful-use attestation improve information security performance?. MISQ. 2018;42(4):1043–67.
44. GAO. Unemployment insurance: DOL needs to address substantial pandemic UI fraud and reduce persistent risks. 2023. https://www.gao.gov/products/gao-23-1065862023
45. Fine G. Fighting fraud, waste, and abuse—COVID-19 pandemic relief expenditures. In: Institute TB, editor. https://www.brookings.edu/articles/fighting-fraud-waste-and-abuse-covid-19-pandemic-relief-expenditures/2022.
46. Ornstein C. Celebrities’ medical records tempt hospital workers to snoop. National Public Radio. 2015.
47. News a. Cop in trouble for running check on Obama. ABC Action News. 2009.
48. Courtemanche C, Marton J, Yelowitz A. The Full Impact of the Affordable Care Act on Political Participation. RSF: The Russell Sage Foundation Journal of the Social Sciences. 2020;6(2):179.
© 2025 Clement et al. This is an open access article distributed under the terms of the Creative Commons Attribution License: http://creativecommons.org/licenses/by/4.0/ (the “License”), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
Abstract
The Patient Protection and Affordable Care Act of 2010 led to the largest expansion of healthcare coverage since the instantiation of Medicare and Medicaid in 1965. Concerningly, prior research suggests this large influx of new patient data across various and highly dispersed sources may create new potential for malfeasance in the form of consumer fraud and identity theft. We exploit the phased expansion of Medicaid into different states at different times to assess whether this expansion subsequently drove increased fraud and identity theft. Using a difference-in-differences approach, we explore these data security-related aftereffects of the law. Surprisingly, results indicate a significant decrease in claims of consumer fraud after the expansion of Medicaid, with no robust effect on identity theft. In empirical extensions, we also find a material drop in data breaches and compromised records after the expansion of Medicaid. Taken in sum, these findings suggest that the expansion of Medicaid had a consequential effect on the security of consumer data and created significant positive externalities for consumers.