Business Associate breaches account for the largest percentage of breached patient records

Posted on February 26, 2025 by Dissent

As time permits, DataBreaches will take a deeper look at some of the findings reported in the Bluesight 2025 Breach Barometer. This post concerns business associates. 

In September 2016, DataBreaches.net published its first cumulative attempt to look at business associate breaches in the healthcare sector. At the time, HHS did not have any way to indicate that a business associate was involved in a breach if it was reported by a provider. As one consequence, the number of breaches involving a business associate and the number of breached records for business associate breaches were underestimated. But for the first eight months of 2016:

  • 30% of breaches reported on HHS’s public breach tool involved third parties, although we couldn’t really tell that from the public-facing tool;
  • 35% of breached records – approximately 4.5 million records – were due to breaches involving third parties;
  • For the first eight months of the year, insider breaches and external breaches were equally frequent for third parties; and
  • Incidents involving third parties resulted in 27% more breached records per incident than incidents that did not involve a third party.

Ever since then, DataBreaches has continued to highlight the need for providers to be diligent in reviewing a vendor’s or business associate’s data security and compliance with HIPAA.

This week, Bluesight published the annual Breach Barometer — an industry report created originally by Protenus, Inc. in collaboration with DataBreaches.net and now provided by Bluesight in collaboration with this site.

One of the key takeaways from the 2025 Breach Barometer concerned business associate breaches. The Barometer analyzed the percent of breaches and percent of breached records in calendar years 2023 and 2024 for both HHS’s public breach tool and Bluesight’s more inclusive data set. We found that:

Providers were responsible for the majority of reports submitted to HHS in 2024, accounting for 73% of all reports. However, they represented only 24% of all breached records, highlighting a disparity between the volume of breaches and their overall impact.

Conversely, while business associates submitted only 16% of reports, they represented a staggering 66% of all breached records—a clear indication of the significant risks posed by third-party entities.

Analyzing the data from 2023 and 2024 underscores consistent trends in how entity types contribute to breaches. Across both years, business associates are found to be the leading source of breached records, with their share growing in 2024. Furthermore, breaches involving business associates (regardless of the reporting entity) accounted for 66% of breached records in HHS’s 2024 dataset. This trend was mirrored in the Breach Barometer data, which revealed that 77% of all breached records were linked to incidents involving business associates.

Comments

Comparing the 2016 data to the 2024 data suggests that reports of business associate breaches continue to represent a minority of reported breaches involving health data. But by now, they constitute the clear majority of breached records, even though many media reports and analyses continue to shine a brighter light on providers.

A threat actor once bluntly told DataBreaches that his favorite thing was to compromise a vendor or third-party administrator because that gave his group so many downstream opportunities for more hacks. The Cl0p ransomware gang serves as a useful example of that strategy. In the last few years, Clop has successfully compromised four file transfer applications or services used by healthcare providers: Accellion, GoAnywhere, MOVEit, and most recently, Cleo. Clop’s attacks affected thousands of entities using those services and millions of the clients’ patients’ PHI records.

Cl0p did not encrypt its victims’ files, but it did exfiltrate data and then demand payment to delete data. When payment was not forthcoming, data were leaked on the dark web and in torrents.

DataBreaches notes that all four of the affected file transfer services claim that they have encryption deployed by default, but it appears that Clop was able to bypass their encryption using zero days.

HHS is currently considering ways to clarify and strengthen compliance with the HIPAA Security rule. As part of its request for comments, it discusses encryption. But it should also consider that Clop has demonstrated that just mandating encryption may not be adequate or even close to sufficient. What else needs to be implemented — or omitted from patient records — to keep patient data involved in file transfers safer?

What options do providers have if they want to use third parties to handle insurance billing or other administrative services? How can they determine if a potential business associate really has adequate security and is testing their own security regularly? While providers may audit their own security and conduct periodic risk assessments, they need to be as vigilant — or even more vigilant — when it comes to their business associates because ultimately, it is the provider or covered entity who is held accountable and liable for breaches, isn’t it?

Get the 2025 Breach Barometer Report
