
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Business Associates Face Increased Regulatory Scrutiny as Vendor Breaches Soar

The healthcare industry has the highest rate of third-party data breaches out of any sector, according to the Verizon Data Breach Investigations Report (DBIR), and third-party data breaches are increasing.

The HHS’ Office for Civil Rights (OCR) publishes information on data breaches impacting 500 or more individuals on its breach portal. Currently, the breach portal shows that in the 9 years from 2009 to 2017, an average of 20% of healthcare data breaches had business associate involvement. In the following 9 years, from 2018 to 2026, an average of 34% of data breaches had business associate involvement. In the first 6 months of 2026, that percentage rose to 43%.

[Figure: business associate involvement in healthcare data breaches, 2017 to 2026]
Modern healthcare relies heavily on third-party vendors to perform a huge range of functions. Vendors are used for revenue cycle management, transcription, medical supplies, telemedicine, IT services, and cybersecurity, and they provide a huge range of software solutions, SaaS platforms, AI tools, and electronic medical record systems. A typical U.S. health system could have anywhere from 500 to 2,000 active vendors, and therefore a massive attack surface to defend. Each vendor is a potential weak point, and threat actors actively target vendors because their systems often contain vulnerabilities that can be exploited with little effort.

A cybercriminal operation can target a healthcare provider, gain access to its network, steal a huge amount of patient data, and demand a ransom payment to prevent the leaking of that data. File encryption with ransomware is often thrown into the mix to cause maximum disruption.

An attack on a vendor can be far more profitable for the threat actor. Vendors are often provided with large amounts of protected health information by their various healthcare clients so that they can perform their contracted duties. Breaching a vendor’s network can give the threat actor access to all of that data, and potentially privileged access to the network of each of the business associate’s clients. It takes far less effort to attack one vendor and abuse its access to clients’ systems than to breach each client’s network individually, which is why access granted to vendors, such as VPN accounts, integration service accounts, and API keys, should be limited to the minimum necessary and monitored.

In 2015, 5% of individuals affected by healthcare data breaches had their data compromised in incidents involving business associates. That percentage jumped to 65% in 2025, highlighting why business associates are such attractive targets. Two of the three largest healthcare data breaches of all time occurred at business associates: the 2024 hack of Change Healthcare and the 2025 attack on Conduent Business Services, which, combined, affected almost 255 million individuals.
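The two statistics above measure different things: the share of breach reports that involved a business associate, and the share of affected individuals whose data was exposed through a business associate incident. A handful of very large vendor breaches can push the second figure far above the first. The script below is an added example, not part of this article or of the OCR portal, that computes both figures per year from a breach-portal-style CSV. It assumes the column names of the OCR breach portal export ("Breach Submission Date", "Individuals Affected", "Business Associate Present"); the rows embedded in it are constructed for illustration and are not real incidents.

```python
"""Compute business associate (BA) involvement from HIPAA breach-portal style records.

Added example, not code from The HIPAA Journal or from OCR. Assumes the OCR
breach portal export uses the column names "Breach Submission Date",
"Individuals Affected" and "Business Associate Present" (Yes/No).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of a portal export. Not real incidents.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,TX,Healthcare Provider,1200,03/14/2015,Hacking/IT Incident,Network Server,No
Example Clinic B,CA,Healthcare Provider,800,06/02/2015,Theft,Laptop,No
Example Plan C,NY,Health Plan,500,09/20/2015,Unauthorized Access/Disclosure,Email,Yes
Example Provider D,FL,Healthcare Provider,2000,01/05/2025,Hacking/IT Incident,Network Server,No
Example Provider E,OH,Healthcare Provider,950,04/11/2025,Hacking/IT Incident,Network Server,No
Example Vendor F,GA,Business Associate,150000,07/30/2025,Hacking/IT Incident,Network Server,Yes
Example Provider G,WA,Healthcare Provider,3000,11/02/2025,Hacking/IT Incident,Email,Yes
"""


def parse_rows(csv_text):
    """Parse portal-style CSV text into (year, individuals, ba_involved) records.

    The portal occasionally leaves "Individuals Affected" blank; such rows are
    counted as a breach with zero individuals rather than rejected.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        submitted = datetime.strptime(row["Breach Submission Date"].strip(), "%m/%d/%Y")
        individuals_raw = (row.get("Individuals Affected") or "").strip()
        individuals = int(individuals_raw) if individuals_raw else 0
        ba_involved = (row.get("Business Associate Present") or "").strip().lower() == "yes"
        rows.append({"year": submitted.year, "individuals": individuals, "ba": ba_involved})
    return rows


def yearly_ba_shares(rows):
    """Per year: counts, totals, and the two shares the article quotes.

    breach_share      = BA-involved breach reports / all breach reports
    individuals_share = individuals in BA-involved breaches / all individuals
    """
    totals = defaultdict(lambda: {"breaches": 0, "ba_breaches": 0,
                                  "individuals": 0, "ba_individuals": 0})
    for r in rows:
        t = totals[r["year"]]
        t["breaches"] += 1
        t["individuals"] += r["individuals"]
        if r["ba"]:
            t["ba_breaches"] += 1
            t["ba_individuals"] += r["individuals"]
    result = {}
    for year, t in sorted(totals.items()):
        result[year] = dict(t)
        result[year]["breach_share"] = t["ba_breaches"] / t["breaches"]
        # Guard against a year whose every row lacked an individuals count.
        result[year]["individuals_share"] = (
            t["ba_individuals"] / t["individuals"] if t["individuals"] else 0.0
        )
    return result


def period_average(shares, start, end, key="breach_share"):
    """Mean of the yearly shares over the inclusive year range [start, end].

    This is the "average of N% over 9 years" style of figure: each year counts
    equally regardless of how many breaches it contained.
    """
    values = [shares[y][key] for y in range(start, end + 1) if y in shares]
    if not values:
        raise ValueError(f"no data for {start}-{end}")
    return sum(values) / len(values)


if __name__ == "__main__":
    shares = yearly_ba_shares(parse_rows(SAMPLE_CSV))
    for year, s in shares.items():
        print(f"{year}: {s['ba_breaches']}/{s['breaches']} breaches "
              f"({s['breach_share']:.0%}), "
              f"{s['ba_individuals']}/{s['individuals']} individuals "
              f"({s['individuals_share']:.0%}) involved a business associate")
```

In the constructed sample, 2025 has a BA share of 50% by breach count but 98% by individuals affected, because one vendor incident dwarfs the three provider incidents. That gap is the point of the article's 65% figure: a count-based metric understates how concentrated exposure has become in business associates.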

Vendors Facing Increased Regulatory Scrutiny

The HIPAA Omnibus Rule of 2013 made business associates directly liable under HIPAA for violations of the HIPAA Security Rule and certain requirements of the HIPAA Privacy Rule. In recent years, business associates have faced increased regulatory scrutiny, and OCR has imposed several financial penalties to resolve HIPAA compliance failures. In the past two years, OCR has imposed financial penalties on Consociate, Inc., MMG Fusion, BST & Co. CPAs, Comstar, Health Fitness Corporation, USR Holdings, Virtual Private Network Solutions, and Elgon Information Systems to resolve alleged HIPAA violations.

OCR has been encouraging covered entities to address vendor risk through its voluntary cybersecurity performance goals, and mandatory new requirements are now due to be finalized. The proposed update to the HIPAA Security Rule contains several provisions for addressing third-party risks from business associates and their subcontractors in an effort to reduce the volume of third-party data breaches.

The proposed measures include greater vendor security oversight, written verifications from business associates that their cybersecurity measures meet or exceed HIPAA requirements, and certification of those verifications by a person of authority at the business associate. Further, the proposed elimination of the distinction between addressable and required implementation specifications removes a great deal of the flexibility of the current Security Rule, which will mean greater investment in cybersecurity for many business associates.

The proposed rule has progressed through the comment period and is edging close to a final rule, with the provisional May 2026 release date already having passed. Over the coming 12 months, business associates can expect more prescriptive regulatory cybersecurity requirements, upstream pressure for verification of cybersecurity measures, and further regulatory scrutiny from federal and state regulators.

Now is the Time for Action

While business associates are likely to be given at least 8 months to comply with the new Security Rule requirements, there is no better time than the present to improve security and reduce the risk of cyberattacks, data breaches, and regulatory penalties. One of the best places to start is a comprehensive risk analysis and an assessment of the current state of cybersecurity to feed into your risk management plan, together with an assessment of your current HIPAA compliance program to confirm that you are fully compliant and to identify the areas where action is required to meet the proposed security requirements.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
