Run the numbers on the largest healthcare data breaches of the past several years and a pattern shows up that should change how every healthcare organization evaluates vendor risk. Roughly 80% of stolen patient records came from third-party vendors, not from hospital systems or provider organizations themselves.
That is not a minor detail. It is the operational reality of healthcare cybersecurity in 2026. The hospitals are not the soft target. The vendors they work with are.
Where the Pattern Comes From
The HHS Office for Civil Rights maintains a public ‘wall of shame’ (the HIPAA Breach Reporting Tool) listing every reported breach affecting 500 or more individuals. Pulling the top breaches by individuals affected over the past three years and grouping by the type of entity reporting the breach surfaces the pattern clearly.
Change Healthcare in February 2024. TriZetto, disclosed in early 2026 (3.4 million records). Multiple smaller-but-significant breaches at RCM vendors, billing companies, and healthcare technology platforms. The named victims are usually the providers and patients whose data was exposed. The actual entry point, the system that was breached, is overwhelmingly the third-party vendor sitting between provider and payer.
This is not a coincidence. It is structural. A single healthcare technology vendor often processes data on behalf of thousands of provider organizations. Compromising one vendor exposes the records of every provider that vendor serves. The leverage for an attacker is enormous.
Why Vendors Are the Concentration Point
Three factors make healthcare technology vendors disproportionately attractive targets:
- Data concentration. A single clearinghouse, RCM platform, or EHR vendor aggregates protected health information for thousands of providers and millions of patients. Breaching the vendor is, in effect, breaching every customer simultaneously.
- Trust relationships. Healthcare vendors operate inside the provider’s trust boundary. They have authenticated, often high-privilege access to provider systems. Once an attacker compromises the vendor, lateral movement into provider environments is far easier than starting from a cold external attack.
- Inconsistent security posture. Provider organizations have spent years investing in cybersecurity infrastructure under regulatory and reputational pressure. Some healthcare technology vendors, particularly smaller or newer entrants, have not invested at the same pace. Attackers gravitate toward the weakest link.
What ‘Vendor Risk’ Actually Looks Like in Practice
For a billing company, practice, or RCM operation, the third-party risk surface is wider than most organizations realize. It typically includes:
- Your clearinghouse
- Your practice management or EHR system vendor
- Any payment processing or merchant services provider that touches ePHI
- Any RCM, coding, or denial management platform
- Statement printing and mailing vendors
- Patient communication and messaging platforms
- Cloud storage, backup, and file transfer services
- Specialty vendors for credentialing, prior authorization, or denial appeals
Every one of those should be on a Business Associate Agreement. Every one is a potential breach entry point. And the practical question is whether your organization actually knows the security posture of each of them, or whether you took it on faith when the BAA was signed.
The Due Diligence Bar Has Moved
Given the pattern of the past two years, vendor due diligence in 2026 should look different than it did in 2022. Practical things to add:
- Ask about breach detection capability, not just attestations of compliance. The TriZetto breach went undetected for approximately eleven months. The relevant question is no longer ‘are you compliant’ but ‘how quickly would you know if you were breached, and what is your detection and response capability.’
- Verify HIPAA covered entity or business associate status formally. Not every healthcare technology vendor is structured the same way. The BAA structure determines how risk allocates if a breach occurs. Confirm what you signed.
- Ask for evidence of independent security audits or certifications. A vendor that has invested in HITRUST, ISO 27001, or comparable third-party validation has measurably higher security posture than one operating on self-attestation alone.
- Review the vendor’s track record. Has the vendor experienced a comparable breach? How did they handle disclosure and remediation? Public records are a meaningful signal.
- Reassess annually, not just at contracting. A vendor that was strong at contract signing may have weakened since. Annual review of the BAA portfolio is the right cadence as the threat environment continues to evolve.
How HSC Approaches Vendor Trust
Harris Secure Connect operates as a HIPAA covered entity, backed by the institutional rigor of our Harris Computer parent and the resources of Global Payments. We have routed healthcare transactions for 26 years without a comparable disruption. That continuity is not a marketing claim. It is the result of decades of investment in security infrastructure, breach detection capability, and the operational discipline of a publicly traded parent’s compliance posture.
If the past two years have changed how you think about vendor concentration risk, our team is happy to walk through what stronger infrastructure looks like at the clearinghouse layer of your stack.
Related Resources
- HHS Office for Civil Rights HIPAA Breach Reporting Tool
- HIPAA Journal annual healthcare breach reports
- HHS HIPAA business associate guidance
If you have not formally reviewed your business associate portfolio in the past 12 months, this is the year to do it. Reach out if your team wants to talk through how to structure that review.