DataBreaches.Net


Business Associate breaches account for the largest percentage of breached patient records

Posted on February 26, 2025 by Dissent

As time permits, DataBreaches will take a deeper look at some of the findings reported in the Bluesight 2025 Breach Barometer. This post concerns business associates. 

In September 2016, DataBreaches.net published its first cumulative attempt to look at business associate breaches in the healthcare sector. At the time, HHS did not have any way to indicate that a business associate was involved in a breach if it was reported by a provider. As one consequence, the number of breaches involving a business associate and the number of breached records for business associate breaches were underestimated. But for the first eight months of 2016:

  • 30% of breaches reported on HHS’s public breach tool involved third parties, although we couldn’t really tell that from the public-facing tool;
  • 35% of breached records – approximately 4.5 million records – were due to breaches involving third parties;
  • For the first eight months of the year, insider breaches and external breaches were equally frequent for third parties; and
  • Incidents involving third parties resulted in 27% more breached records per incident than incidents that did not involve a third party.

Ever since then, DataBreaches has continued to highlight the need for providers to be diligent in reviewing a vendor’s or business associate’s data security and compliance with HIPAA.

This week, Bluesight published the annual Breach Barometer — an industry report created originally by Protenus, Inc. in collaboration with DataBreaches.net and now provided by Bluesight in collaboration with this site.

One of the key takeaways from the 2025 Breach Barometer concerned business associate breaches. The Barometer analyzed the percent of breaches and percent of breached records in calendar years 2023 and 2024 for both HHS’s public breach tool and Bluesight’s more inclusive data set. We found that:

Providers were responsible for the majority of reports submitted to HHS in 2024, accounting for 73% of all reports. However, they represented only 24% of all breached records, highlighting a disparity between the volume of breaches and their overall impact.

Conversely, while business associates submitted only 16% of reports, they represented a staggering 66% of all breached records—a clear indication of the significant risks posed by third-party entities.

Analyzing the data from 2023 and 2024 underscores consistent trends in how entity types contribute to breaches. Across both years, business associates are found to be the leading source of breached records, with their share growing in 2024. Furthermore, breaches involving business associates (regardless of the reporting entity) accounted for 66% of breached records in HHS’s 2024 dataset. This trend was mirrored in the Breach Barometer data, which revealed that 77% of all breached records were linked to incidents involving business associates.

Comments

Comparing the 2016 data to the 2024 data suggests that reports of business associate breaches continue to represent a minority of reported breaches involving health data. But by now, they constitute the clear majority of breached records, even though many media reports and analyses continue to shine a brighter light on providers.

A threat actor once bluntly told DataBreaches that his favorite thing was to compromise a vendor or third-party administrator because that gave his group so many downstream opportunities for more hacks. The Cl0p ransomware gang serves as a useful example of that strategy. In the last few years, Clop has successfully compromised four file transfer applications or services used by healthcare providers: Accellion, GoAnywhere, MOVEit, and most recently, Cleo. Clop’s attacks affected thousands of entities using those services and millions of the clients’ patients’ PHI records.

Cl0p did not encrypt its victims’ files, but it did exfiltrate data and then demand payment to delete data. When payment was not forthcoming, data were leaked on the dark web and in torrents.

DataBreaches notes that all four of the affected file transfer services claim that they have encryption deployed by default, but it appears that Clop was able to bypass their encryption using zero days.

HHS is currently considering ways to clarify and strengthen compliance with the HIPAA Security rule. As part of its request for comments, it discusses encryption. But it should also consider that Clop has demonstrated that just mandating encryption may not be adequate or even close to sufficient. What else needs to be implemented — or omitted from patient records — to keep patient data involved in file transfers safer?

What options do providers have if they want to use third parties to handle insurance billing or other administrative services? How can they determine if a potential business associate really has adequate security and is testing their own security regularly? While providers may audit their own security and conduct periodic risk assessments, they need to be as vigilant — or even more vigilant — when it comes to their business associates because ultimately, it is the provider or covered entity who is held accountable and liable for breaches, isn’t it?

Get the 2025 Breach Barometer Report

Category: Commentaries and Analyses, Of Note, Subcontractor
