Health Data Theft: Cases Under Active Investigation & How Hackers Exploit Third-Party Vendors

Healthcare organizations rely heavily on third-party partnerships to streamline core business functions and to deliver at many points along the patient care continuum. Leaning on vendors lets providers focus on what they do best: delivering excellent patient care.

But every business associate that handles patient data is another point of weakness in an organization's security perimeter, and because healthcare depends on more specialized vendors than any other industry, it has become the #1 victim of third-party data breaches.

The List You Don’t Want to Make

Breaches of protected health information (PHI) affecting 500 or more individuals must be reported to the U.S. Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 calendar days after discovery (smaller breaches are logged and reported to HHS annually), and section 13402(e)(4) of the HITECH Act requires HHS to publish a list of all reported incidents that affected 500 or more people.

Upon reviewing this list in the department's Breach Portal, we found that approximately 100 breaches involving third-party business associates and affecting 500 or more individuals have been reported so far in 2024 (as of April). These breaches alone have exposed the health data of nearly 10M patients.
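The tally above can be reproduced from the Breach Portal's CSV export. The script below is an added example (not part of the original post and not a BeyondID tool) that filters such an export for business-associate breaches submitted in a given year with at least 500 individuals affected, and sums the people exposed. The column names are an assumption based on the portal's export layout; the rows embedded in the script are constructed for illustration and are not real breach records.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the HHS OCR Breach Portal CSV export.
# The column names are an assumption about that export; every row below is
# invented for illustration and does not describe a real breach.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Collections LLC,CA,Business Associate,"120,000",03/15/2024,Hacking/IT Incident,Network Server,Yes
Example Billing Inc,NY,Business Associate,"250,000",03/08/2024,Hacking/IT Incident,Network Server,Yes
Example Clinic,TX,Healthcare Provider,"1,200",02/20/2024,Unauthorized Access/Disclosure,Email,No
Example Hospital,AZ,Healthcare Provider,"2,000,000",02/13/2024,Hacking/IT Incident,Network Server,Yes
Example Dental,OH,Healthcare Provider,700,01/05/2024,Theft,Laptop,Yes
Old Breach Corp,FL,Business Associate,"50,000",11/02/2023,Hacking/IT Incident,Network Server,Yes
"""


def parse_rows(csv_text):
    """Yield normalized records from the portal-style CSV text.

    "Individuals Affected" is exported with thousands separators, so the
    commas are stripped before converting to int. A breach counts as
    third-party if the portal flags a business associate as present or the
    reporting entity itself is a business associate.
    """
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield {
            "entity": row["Name of Covered Entity"].strip(),
            "state": row["State"].strip(),
            "affected": int(row["Individuals Affected"].replace(",", "").strip() or 0),
            "submitted": datetime.strptime(row["Breach Submission Date"].strip(), "%m/%d/%Y"),
            "type": row["Type of Breach"].strip(),
            "third_party": (
                row["Business Associate Present"].strip().lower() == "yes"
                or row["Covered Entity Type"].strip() == "Business Associate"
            ),
        }


def third_party_breaches(csv_text, year, min_affected=500):
    """Return (breach_count, total_individuals, individuals_by_breach_type)
    for third-party breaches submitted in `year` that hit at least
    `min_affected` people (500 is the HITECH public-listing threshold)."""
    rows = [
        r for r in parse_rows(csv_text)
        if r["third_party"] and r["submitted"].year == year and r["affected"] >= min_affected
    ]
    by_type = Counter()
    for r in rows:
        by_type[r["type"]] += r["affected"]
    return len(rows), sum(r["affected"] for r in rows), dict(by_type)


if __name__ == "__main__":
    count, total, by_type = third_party_breaches(SAMPLE_CSV, 2024)
    print(f"{count} third-party breaches in 2024 affecting {total:,} individuals")
    for breach_type, n in sorted(by_type.items(), key=lambda kv: -kv[1]):
        print(f"  {breach_type}: {n:,}")
```

To run this against the real export, download the CSV from the Breach Portal, read it into a string, and pass it to `third_party_breaches` in place of `SAMPLE_CSV`; the breakdown by breach type shows how much of the exposure comes from hacking/IT incidents versus loss, theft, or improper disclosure.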

Under Active Investigation

The following summaries detail three third-party breaches of health data under active investigation as of April 2024. There is nothing extraordinary about the circumstances surrounding these businesses and their breaches. That is to say, it's not a matter of "if" but "when" hackers exploit third-party vendors to access your patients' data.

Be alarmed!

Debt Collection Agency

Southern California

In March 2024, a Southern California debt collection agency reported a hacking/IT incident that resulted in unauthorized access to the PHI of 129,584 patients. The health data in question had been stored within the business's digital environment for an unspecified period and was presumably entrusted to the agency by local healthcare organizations that outsourced past-due payment operations to the collector. The agency did not divulge when the breach first occurred or how long it lasted.

Medical Billing Service

New York

In March 2024, a New York medical billing service reported a hacking/IT incident that first occurred in June 2023 and went undetected for approximately 10 months, during which time the PHI of 284,326 patients was compromised. The breach allowed hackers to download patients' names, Social Security numbers, financial information, addresses, medical billing and insurance information, medical information, and demographic data, all stored within the company's digital environment.

Ophthalmology Administrative Service

Arizona

In February 2024, a November 2023 hacking incident was reported to HHS by an Arizona business that provides administrative services to local ophthalmology practices. During this incident, unauthorized parties had access to PHI belonging to patients of the business's clients for approximately one month. The business reported that the leaked information may include the names, contact information, birthdates, medical information and history, clinical records and medications, Social Security numbers, and insurance information of approximately 2.4M affected patients.

The Impact

Due to the sensitive nature of the information healthcare organizations are entrusted with, health data breaches are particularly devastating. Once compromised, PHI is often sold and leveraged in blackmail, extortion, and identity fraud. When that happens, patients hold responsible the provider they trusted to protect their privacy, regardless of which vendor was actually breached.

When healthcare organizations partner with third parties that aren't well prepared to protect patient data against a barrage of targeted attacks, they risk massive financial consequences and potentially irreparable damage to their reputations.

Fortifying Your Vendor Network

When healthcare providers partner with third-party vendors, those vendors become an extension of the provider's security perimeter, and very often its weakest links. A healthcare provider's security strategy must therefore encompass its third-party vendors, which is why investing in the right security platform and service providers is just as important as selecting the right vendors to begin with. By looping third-party vendors into their overall security blueprint, healthcare organizations can ensure their "weakest links" are as strong as possible.

BeyondID Vendor Selection and Digital Identity Blueprint can help make your fortification journey simple. While you focus on what you do best, we'll guide your digital transformation and work to identify the most secure, capable partners to help you do everything else.

Each recommendation we make is informed by the latest technologies, addresses a clearly defined threat landscape, meets regulatory compliance standards, provides robust defenses against current and emerging cyberthreats, and supports a Secure Total Experience. 

Contact us today to learn more about fortifying your vendor network.  

Erin Moore
