Presented by the Privacy and Data Security Litigation Practice Group

Third Party Business Associate Breaches Are Still a Major Concern for Health Care Providers

A recent report by Healthcare Info Security demonstrates that health care providers remain vulnerable to data breaches that occur at their business associates. According to the report, business associates for health care providers have been responsible for at least 136 breaches in 2022 that affected almost 10 million individuals. Business associates were involved in almost half of all major health care data breaches this year and account for almost half of the individuals whose personal information was affected.

The report indicates that at least four of the top ten HIPAA breaches posted by the Department of Health & Human Services (HHS) involved business associates. It also indicates that cyber criminals are now increasingly focused on stealing records rather than directly disrupting medical care through ransomware attacks. Patient data can then be ransomed back and/or sold on the dark web for profit.

As our readers are aware, business entities are always vulnerable, not only to threat actors targeting and breaching their own computer systems, but just as much to threat actors targeting their vendors and other business associates.

This report reinforces that all businesses, not just health care providers, must develop thorough and complete data security policies and impose procedural requirements on their business associates and vendors. As always, businesses must also ensure that their vendors have robust cyber insurance.


The material in this law alert has been prepared for our readers by Marshall Dennehey. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. If you receive the alerts in error, please send a note ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2022 Marshall Dennehey. All Rights Reserved.