About 10 years ago, the private equity industry received a generous gift from the federal government in the form of the Affordable Care Act (ACA). One of the better-known changes the law brought to the health care industry was an incentive program to digitize medical records, with the goal of making patient data easier to track over time and accessible to multiple providers.
Although the technology behind electronic medical records (EMRs) was available at the time the ACA was drafted, adoption was less than expected, despite the obvious cost-cutting benefits. In the run-up to the law’s passage, EMRs were low-hanging fruit that were about to be implemented on a national scale.
Sensing an opportunity, private equity investors jumped in, sparking a wave of leveraged buyout activity involving EMR providers between late 2010 and early 2011. As an asset class, PE thrives on predictability, especially when it’s backed by the government. But in this case, the excitement wasn’t centered on government spending per se, as there was relatively little of it on electronic records. Instead, the incentives and attention on the issue were enough to draw private capital. Hospitals and health care providers that didn’t use electronic records would now stick out like a sore thumb.
Over time, a large swath of the medical community migrated online. Today’s industry is largely digitized, hence PE activity with EMRs plateaued between 2011 and 2014 before falling off over the past few years.
“MEDICAL RECORDS ARE WORTH 10 TIMES MORE THAN CREDIT CARD NUMBERS ON THE BLACK MARKET.”
Today, most records are stored online, and protecting them has become paramount. According to health care cybersecurity adviser Clearwater, individual medical records are worth 10 times more than credit card numbers on the black market. In the past few years, dozens of hospital systems have been attacked by hackers and data breaches. The Department of Health and Human Services counted more than 400 “major breaches” from 2017 to 2018, and other experts predict many more are on the way.
This impacts private equity on a number of levels. Cybersecurity certainly presents another investment opportunity, and one that PE will likely take advantage of over the next few years. Perhaps more immediate is the impact on firms’ existing portfolios, which still include many electronic record providers. But many of those companies’ systems are no longer state-of-the-art, and given enough time, hackers will find a way to break into just about any database. Tens of thousands of these valuable medical records are stored by PE-backed hospitals, providers or third-party vendors.
If a portfolio company is hacked, bad publicity is only part of the fallout. PE firms have a fiduciary responsibility to limited partners to protect their companies as much as possible. That’s now a tall order for health care investors, who have become significant stakeholders in an industry they helped digitize—and one that’s now increasingly vulnerable to cyberthreats.
This edition of Midpoints originally appeared in the May/June 2019 issue of Middle Market Growth. Find it in the MMG archive.