Business Associate Data Breach

Healthcare organizations must defend on two fronts when protecting patient data: internal risk and third-party risk. Business associate breaches account for a disproportionate share of healthcare data breaches, and because a business associate holds data for many customers, each such breach typically affects far more individuals than a breach at a single provider.

Recent history proves the point. The following were all business associate breaches.

  • In 2023, the MOVEit data breach affected over 90 million individuals.
  • In 2024, the Change Healthcare data breach affected 192.7 million individuals, the largest ever reported.
  • In 2025, the Conduent data breach affected over 25 million individuals.

Breaches reported to the U.S. Department of Health and Human Services (HHS) in 2026 continue the trend. From January 1 to June 1, 2026:

  • 179 breaches were reported to HHS, affecting 18.8 million individuals.
  • 48 of them (27%) involved a business associate (flagged as "business associate present" on the HHS breach portal).
  • Those 48 breaches affected 7.6 million individuals, 40% of all individuals affected across the 179 breaches.
  • The five largest of the 48 account for 94% of the individuals affected by BA-associated breaches.

Business Associates Have Troves of Patient Data

Because a business associate typically serves many healthcare customers, it holds records from all of them in one place. That concentration makes it an attractive target: a single successful intrusion yields data from many organizations at once, without the attacker having to breach each of those organizations' own networks.

The five largest business associate breaches so far in 2026 affected more than 7.2 million individuals:

  • TriZetto Provider Solutions, affecting more than 3.4 million
  • Navia Benefit Solutions, Inc., affecting more than 2.1 million
  • OpenLoop Health, Inc., affecting more than 716,000
  • ApolloMD Business Services, LLC, affecting more than 626,000
  • Minnesota Department of Human Services, affecting more than 303,000

Each of these business associates is being investigated by HHS for potential HIPAA violations. That does not mean their covered entity customers are off the hook.

HIPAA requires a covered entity to obtain satisfactory assurances, documented in a business associate agreement (BAA), that a business associate (BA) will appropriately safeguard the protected health information it handles (45 CFR 164.502(e) and 164.504(e)). In practice that means verifying, before the engagement begins, that the BA has HIPAA policies and procedures in place, has performed the risk analysis the Security Rule requires of it, and will sign the BAA.

A covered entity that shares patient data with a BA without a compliant BAA in place is itself noncompliant and can face civil monetary penalties, whatever the BA did or failed to do. Due diligence also does not end at onboarding: third-party vendor risk management should continue throughout the life of the contract, including reassessment when the BA's services, subcontractors, or security posture change.

The 2026 Verizon Data Breach Investigations Report (DBIR) underscores the risk posed by third-party vendors in healthcare. The DBIR notes that nearly one-third (32%) of healthcare breaches now involve a third party.

Healthcare Organizations Struggle to Manage Business Associate Risk

HealthCareInfoSecurity highlighted a recent report from the research firm KLAS, which found that while healthcare organizations seem to be doing better at onboarding new third-party vendors, they perform less well at ongoing vendor management.

KLAS refers to a November 2025 report from Ernst & Young, which found that three out of four healthcare organizations “reported having been impacted by a third-party breach in the previous 24 months, underscoring the urgency of this issue.”

The KLAS research is based on interviews with 44 healthcare organizations of all types and sizes. The interviews explored the critical third-party risks these organizations face and how they manage them. The report identified several reasons for the shortfalls in ongoing vendor management, including:

  • the failure to enforce cybersecurity requirements in contracts;
  • dependence on high-risk vendors with limited alternatives;
  • inconsistent vendor assessments; and
  • limited internal resources.

Smaller Healthcare Organizations Face an Even Bigger Challenge

While most healthcare organizations struggle to oversee their HIPAA business associates and other critical third-party vendors, the problem is most pronounced among smaller healthcare organizations, which make up the vast majority of healthcare providers in the U.S. With fewer staff and less budget for security, they are easier targets for cybercriminals.

Ninety percent of healthcare organizations are classified by the government as small businesses. Small healthcare organizations are not only the most vulnerable; because healthcare delivery is so interconnected, they also serve as a path into larger ones. Credentials, network connections, or data feeds that a compromised small practice shares with a hospital system, payer, or health information exchange can be turned against those larger organizations.

Senior Management Is Responsible

Regardless of a healthcare organization’s size, senior management and the board of directors are ultimately responsible for information security, including breaches that originate with a third-party vendor.

Senior management can delegate authority to implement privacy and security compliance protocols, but they cannot delegate or disregard their oversight responsibilities. If an organization is investigated or sued, senior management’s role will be scrutinized. Did they establish a culture of compliance, provide the resources, and monitor whether cybersecurity protocols remained up to date? A poor oversight record can increase the organization’s exposure.

Today, that oversight requires prioritizing third-party vendor risk management because these risks are woven throughout the healthcare ecosystem.
