DataBreaches.Net


Business Associate breaches account for the largest percentage of breached patient records

Posted on February 26, 2025 by Dissent

As time permits, DataBreaches will take a deeper look at some of the findings reported in the Bluesight 2025 Breach Barometer. This post concerns business associates. 

In September 2016, DataBreaches.net published its first cumulative attempt to look at business associate breaches in the healthcare sector. At the time, HHS did not have any way to indicate that a business associate was involved in a breach if it was reported by a provider. As one consequence, the number of breaches involving a business associate and the number of breached records for business associate breaches were underestimated. But for the first eight months of 2016:

  • 30% of breaches reported on HHS’s public breach tool involved third parties, although we couldn’t really tell that from the public-facing tool;
  • 35% of breached records – approximately 4.5 million records – were due to breaches involving third parties;
  • For the first eight months of the year, insider breaches and external breaches were equally frequent for third parties; and
  • Incidents involving third parties resulted in 27% more breached records per incident than incidents that did not involve a third party.

Ever since then, DataBreaches has continued to highlight the need for providers to be diligent in reviewing a vendor’s or business associate’s data security and compliance with HIPAA.

This week, Bluesight published the annual Breach Barometer — an industry report created originally by Protenus, Inc. in collaboration with DataBreaches.net and now provided by Bluesight in collaboration with this site.

One of the key takeaways from the 2025 Breach Barometer concerned business associate breaches. The Barometer analyzed the percent of breaches and percent of breached records in calendar years 2023 and 2024 for both HHS’s public breach tool and Bluesight’s more inclusive data set. We found that:

Providers were responsible for the majority of reports submitted to HHS in 2024, accounting for 73% of all reports. However, they represented only 24% of all breached records, highlighting a disparity between the volume of breaches and their overall impact.

Conversely, while business associates submitted only 16% of reports, they represented a staggering 66% of all breached records—a clear indication of the significant risks posed by third-party entities.

Analyzing the data from 2023 and 2024 underscores consistent trends in how entity types contribute to breaches. Across both years, business associates are found to be the leading source of breached records, with their share growing in 2024. Furthermore, breaches involving business associates (regardless of the reporting entity) accounted for 66% of breached records in HHS’s 2024 dataset. This trend was mirrored in the Breach Barometer data, which revealed that 77% of all breached records were linked to incidents involving business associates.

Comments

Comparing the 2016 data to the 2024 data suggests that reports of business associate breaches continue to represent a minority of reported breaches involving health data. But by now, they constitute the clear majority of breached records, even though many media reports and analyses continue to shine a brighter light on providers.

A threat actor once bluntly told DataBreaches that his favorite thing was to compromise a vendor or third-party administrator because that gave his group so many downstream opportunities for more hacks. The Cl0p ransomware gang serves as a useful example of that strategy. In the last few years, Clop has successfully compromised four file transfer applications or services used by healthcare providers: Accellion, GoAnywhere, MOVEit, and most recently, Cleo. Clop’s attacks affected thousands of entities using those services and millions of the clients’ patients’ PHI records.

Cl0p did not encrypt its victims’ files, but it did exfiltrate data and then demand payment to delete data. When payment was not forthcoming, data were leaked on the dark web and in torrents.

DataBreaches notes that all four of the affected file transfer services claim that they have encryption deployed by default, but it appears that Clop was able to bypass their encryption using zero days.

HHS is currently considering ways to clarify and strengthen compliance with the HIPAA Security Rule. As part of its request for comments, it discusses encryption. But it should also consider that Clop has demonstrated that just mandating encryption may not be adequate or even close to sufficient. What else needs to be implemented — or omitted from patient records — to keep patient data involved in file transfers safer?

What options do providers have if they want to use third parties to handle insurance billing or other administrative services? How can they determine if a potential business associate really has adequate security and is testing their own security regularly? While providers may audit their own security and conduct periodic risk assessments, they need to be as vigilant — or even more vigilant — when it comes to their business associates because ultimately, it is the provider or covered entity who is held accountable and liable for breaches, isn’t it?

Get the 2025 Breach Barometer Report

Category: Commentaries and Analyses, Of Note, Subcontractor
