As time permits, DataBreaches will take a deeper look at some of the findings reported in the Bluesight 2025 Breach Barometer. This post concerns business associates.
In September 2016, DataBreaches.net published its first cumulative attempt to look at business associate breaches in the healthcare sector. At the time, HHS did not have any way to indicate that a business associate was involved in a breach if it was reported by a provider. As one consequence, the number of breaches involving a business associate and the number of breached records for business associate breaches were underestimated. But for the first eight months of 2016:
- 30% of breaches reported on HHS’s public breach tool involved third parties, although we couldn’t really tell that from the public-facing tool;
- 35% of breached records – approximately 4.5 million records – were due to breaches involving third parties;
- For the first eight months of the year, insider breaches and external breaches were equally frequent for third parties; and
- Incidents involving third parties resulted in 27% more breached records per incident than incidents that did not involve a third party.
Ever since then, DataBreaches has continued to highlight the need for providers to be diligent in reviewing a vendor’s or business associate’s data security and compliance with HIPAA.
This week, Bluesight published the annual Breach Barometer — an industry report created originally by Protenus, Inc. in collaboration with DataBreaches.net and now provided by Bluesight in collaboration with this site.
One of the key takeaways from the 2025 Breach Barometer concerned business associate breaches. The Barometer analyzed the percent of breaches and percent of breached records in calendar years 2023 and 2024 for both HHS’s public breach tool and Bluesight’s more inclusive data set. We found that:
Providers were responsible for the majority of reports submitted to HHS in 2024, accounting for 73% of all reports. However, they represented only 24% of all breached records, highlighting a disparity between the volume of breaches and their overall impact.
Conversely, while business associates submitted only 16% of reports, they represented a staggering 66% of all breached records—a clear indication of the significant risks posed by third-party entities.
Analyzing the data from 2023 and 2024 underscores consistent trends in how entity types contribute to breaches. Across both years, business associates are found to be the leading source of breached records, with their share growing in 2024. Furthermore, breaches involving business associates (regardless of the reporting entity) accounted for 66% of breached records in HHS’s 2024 dataset. This trend was mirrored in the Breach Barometer data, which revealed that 77% of all breached records were linked to incidents involving business associates.
Comments
Comparing the 2016 data to the 2024 data suggests that reports of business associate breaches continue to represent a minority of reported breaches involving health data. But by now, they constitute the clear majority of breached records, even though many media reports and analyses continue to shine a brighter light on providers.
A threat actor once bluntly told DataBreaches that his favorite thing was to compromise a vendor or third-party administrator because that gave his group so many downstream opportunities for more hacks. The Cl0p ransomware gang serves as a useful example of that strategy. In the last few years, Clop has successfully compromised four file transfer applications or services used by healthcare providers: Accellion, GoAnywhere, MOVEit, and most recently, Cleo. Clop’s attacks affected thousands of entities using those services and millions of PHI records belonging to those entities’ patients.
Cl0p did not encrypt its victims’ files, but it did exfiltrate data and then demand payment to delete data. When payment was not forthcoming, data were leaked on the dark web and in torrents.
DataBreaches notes that all four of the affected file transfer services claim that they have encryption deployed by default, but it appears that Clop was able to bypass their encryption by exploiting zero-day vulnerabilities in the products themselves.
HHS is currently considering ways to clarify and strengthen compliance with the HIPAA Security Rule. As part of its request for comments, it discusses encryption. But it should also consider that Clop has demonstrated that merely mandating encryption may not be adequate, or even close to sufficient. What else needs to be implemented — or omitted from patient records — to keep patient data involved in file transfers safer?
What options do providers have if they want to use third parties to handle insurance billing or other administrative services? How can they determine if a potential business associate really has adequate security and is testing their own security regularly? While providers may audit their own security and conduct periodic risk assessments, they need to be as vigilant — or even more vigilant — when it comes to their business associates because ultimately, it is the provider or covered entity who is held accountable and liable for breaches, isn’t it?