Reports filed with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) show a concerning pattern about cybersecurity in healthcare. As of October 3, 2025, there were 364 documented hacking incidents affecting over 33 million Americans’ health records. These numbers show a growing problem that needs close attention from healthcare administrators.
One important fact is that more than 80% of stolen Protected Health Information (PHI) was not taken directly from hospitals. Instead, the data was taken from third-party vendors, business associates, software providers, and other non-hospital groups like health plans. This shows the weak points in healthcare supply chains and the dependence on outside service providers.
A large breach happened at Change Healthcare in early 2024. A ransomware attack by the Russian hacking group Blackcat/ALPHV affected about 192.7 million Americans’ records. This single event greatly raised the total stolen PHI reports for 2024 to 259 million records. The attack showed how targeting third parties can disrupt healthcare work and cause big data loss.
Healthcare groups struggle to control third-party risk for several reasons. Many third-party providers have privileged access to sensitive systems in order to do their jobs, which makes them a target for cyber criminals. Unfortunately, the way these providers handle data and security varies a lot: some do not use proper encryption or access controls, and some do not track where data is stored.
More than 90% of hacked health records were stolen outside of electronic health record systems (EHRs). In many cases, data was stored without encryption or was exposed because login details were stolen. This points to weak spots in how healthcare data is protected after leaving the hospital’s main IT systems.
Another problem is the lack of complete data mapping. Healthcare groups often cannot clearly see where patient data is located within their network of third-party providers. This lack of knowledge makes it hard to watch and control data access well.
Also, managing third-party permissions and remote access takes a lot of work from internal staff. A recent survey found that 45% of healthcare workers agree that handling these permissions is overwhelming, using up time and staff efforts that could go to patient care and key operations.
Although many healthcare organizations use Vendor Privileged Access Management (VPAM) tools and other access management systems, almost all say having these tools alone is not enough. Only 36% of healthcare IT workers said their groups have a clear and fully used strategy for managing privileged access risks.
This gap often comes from unclear roles and responsibilities for granting and monitoring third-party access. Different departments, such as IT, legal, and HR, may share these responsibilities, leading to uneven policy enforcement, governance problems, and security holes.
Regulators have tightened their watch on third-party breaches and added fines and penalties for healthcare groups that do not protect patient data. In the past year, 49% of healthcare workers said their groups faced fines because of third-party data breaches. This pressure has made many organizations cut ties with vendors after breaches; 47% stopped working with third parties after such events.
Experts suggest healthcare groups use cybersecurity frameworks like the Department of Health and Human Services Cybersecurity Performance Goals (CPGs), the Healthcare Industry Cybersecurity Practices (HICP), and the NIST Cybersecurity Framework 2.0. These frameworks help healthcare groups improve data encryption, audit controls, patch management, and identity access management.
Jill McKeon, an expert on cybersecurity risk in healthcare, says many groups have low trust in their third-party risk solutions. She points out that just buying VPAM tools does not solve access management problems. Healthcare groups face a tough challenge in fully using effective risk programs.
McKeon stresses the need to create a clear, group-wide plan that always applies access controls to all third-party connections, especially those with special access to sensitive systems. Only with this plan can healthcare groups lower how often and how badly data breaches happen.
John Riggi and Scott Gee from the American Hospital Association highlight how important it is to keep patient data records and network and device mapping up to date. They say regular checks are needed to find weak spots and risks caused by third-party ties.
The effects of third-party data breaches on healthcare are serious and wide. Beyond fines and costs to fix breaches, there are interruptions that affect how patients get care.
Many healthcare providers lose patient trust after breaches. Because health information is private, patients expect it to be protected, and breaches hurt reputations. Sometimes, groups had to stop working with important vendors, which may break supply chains and affect business.
Financially, these breaches bring costly penalties, legal cases, and spending on better security systems. Studies show that 60% of healthcare workers surveyed reported information lost or stolen because of third-party breaches, showing how common these threats are.
As technology advances, artificial intelligence (AI) and workflow automation offer ways to lower third-party data breach risk and reduce workload in healthcare.
AI can monitor access logs and network activity continuously and flag unusual events, such as unauthorized third-party access or abnormal data transfers. Detecting suspicious activity early lets security teams react faster and contain incidents before they become large breaches.
AI-driven workflow tools can also manage vendor permissions and access rights more effectively. Automating these tasks cuts human error, enforces policy consistently, and frees IT staff for higher-value work. For example, automated systems can provision and deprovision access and review permissions in real time, which keeps a clear record of who has access to what.
AI-based risk systems can also check third-party software components against Software Bill of Materials (SBOM) data, helping healthcare groups identify vulnerable components in vendor software and take preventive steps.
AI-based tooling also supports regulatory compliance: automated reporting keeps audit records and documentation of vendor access and security policies current and correct.
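As an added illustration of the monitoring and access-governance points above (example code written for this page, not from the article or any vendor product), the script below joins a constructed third-party access register with constructed access-log lines and flags the conditions the text describes: an account nobody registered, access after a vendor's contract ended, access outside the vendor's approved scope, and an unusually large export. The account names, system names, log format and export threshold are all assumptions.

```python
# Added example, not from the article: a vendor-access review that joins a
# third-party access register with sample access-log lines and flags the
# conditions the text describes: an unregistered account, access after the
# vendor's contract ended (a deprovisioning gap), access outside the vendor's
# approved scope, and unusually large exports. All accounts, systems, log
# lines and thresholds are constructed assumptions.
import re
from datetime import date

# Constructed register: account -> (approved systems, contract end date).
REGISTER = {
    "vendor-billing-svc": ({"billing"}, date(2025, 12, 31)),
    "vendor-imaging-svc": ({"pacs"}, date(2025, 6, 30)),
}

# Constructed log lines in a simple key=value format.
SAMPLE_LOG = """\
2025-09-15T10:02:11Z account=vendor-billing-svc system=billing action=read records=12
2025-09-15T10:05:40Z account=vendor-billing-svc system=ehr action=read records=3
2025-09-15T22:41:03Z account=vendor-imaging-svc system=pacs action=read records=1
2025-09-16T01:12:55Z account=vendor-billing-svc system=billing action=export records=52000
2025-09-16T03:30:00Z account=unknown-contractor system=billing action=read records=5
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ account=(\S+) system=(\S+) action=(\S+) records=(\d+)$")

def review_vendor_access(register, log_text, bulk_threshold=10000):
    """Return (account, system, reason) for every log line that breaks a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # never silently skip lines a monitor cannot parse
            findings.append(("?", "?", f"unparseable line: {line!r}"))
            continue
        day, account, system, action, records = m.groups()
        when = date.fromisoformat(day)
        grant = register.get(account)
        if grant is None:
            findings.append((account, system, "account not in third-party register"))
            continue
        systems, contract_end = grant
        if when > contract_end:
            findings.append((account, system, "access after contract end (deprovisioning gap)"))
        if system not in systems:
            findings.append((account, system, "system outside approved scope"))
        if action == "export" and int(records) >= bulk_threshold:
            findings.append((account, system, f"bulk export of {records} records"))
    return findings
```

Run `review_vendor_access(REGISTER, SAMPLE_LOG)` to list the four findings; the register would normally come from the organization's data map rather than a literal.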
Healthcare administrators can use AI and automation made for healthcare settings. These tools show third-party relationships clearly and help follow government cybersecurity rules.
By focusing on these points, healthcare groups in the United States can start fixing the tough problems linked to third-party data breaches. Good management not only lowers the chance of costly incidents but also helps protect patient information, keep trust, and make sure care services continue without interruption.
The year in review shows that improving third-party cybersecurity in healthcare needs ongoing attention, a steady plan, and the use of modern technology solutions.
Third-party risk management is crucial in healthcare as nearly half of organizations face data breaches due to third-party network access, leading to operational and financial disruptions.
In a recent survey, 44% of healthcare organizations reported experiencing a third-party data breach or cyberattack within the last year.
Only 36% of health IT respondents reported that their organizations have a consistently applied strategy to address privileged access risks.
Consequences include loss or theft of confidential information, severed relationships with third parties, regulatory fines, and business disruptions.
Over 40% of respondents anticipate an increase in data breaches caused by third parties in the next 12 to 24 months.
Top barriers include lack of governance, budget constraints, insufficient visibility, and low confidence in solution efficacy.
All healthcare respondents reported having a VPAM or privileged access management solution, but employing such tools alone is insufficient for effective risk management.
Organizations struggle with defining roles and responsibilities, leading to inconsistent management of third-party access rights across IT, legal, and HR teams.
Third-party vendors often have privileged access to sensitive systems, making them attractive targets for cybercriminals seeking to exploit these access rights.
Organizations are recognizing threats and initiating steps to ensure proper access control for high-value assets, but they must apply these strategies consistently.