TriZetto Provider Solutions, QualDerm Partners, Healthcare Interactive, and Insightin Health experienced just 1.9% of the quarter’s total reported incident count for cybersecurity incidents, yet they made up 67.6% of the patient impact, according to Paubox’s analysis of the vetting problem this data addresses. Each of those four companies was a business associate, under a signed business associate agreement (BAA) with the healthcare organizations it served.
The first half of the year did not reverse the trend, as from January to June 2026, the HHS Office for Civil Rights breach portal reported 189 large healthcare breaches affecting more than 19 million individuals. Seven of the ten largest incidents involved either a business associate or vendor system. A hospital’s own network is reasonably well-defended, and it can still absorb a breach notification because it was a claims processor, a benefits administrator, or a billing vendor, two contractual steps removed, that got compromised first.
Why one vendor breach becomes hundreds of notifications
In incident data, the mechanism behind these numbers is considered a platform and business associate cascade. An intrusion at an upstream vendor cascades downstream to every covered entity that relies on it. The TriZetto compromise is a good illustration of the shape of the problem. The downstream impact included about 700,000 more patient notifications tied to OCHIN, one of TriZetto's own customers, in addition to TriZetto's own reported breach population of more than 3.4 million.
In early 2026, Seattle-based employee benefits administrator Navia Benefit Solutions said an intruder gained access to its systems for about three weeks, exposing data on over 2 million people, including health insurance enrollment information linked to COBRA. Navia is not a hospital or health plan. It is a business associate that most patients whose data it holds had never heard of, which is part of the compliance problem in and of itself. As Paubox noted when reporting on the incident, many organizations’ vendor relationships look compliant on paper, but the security promises that go along with them are not always followed through in practice.
Delayed notification increases exposure. But when Nevada-based medical billing company La Perouse filed a notice with the California Attorney General in May 2026 about a breach affecting at least seven healthcare providers, the notice revealed that unauthorized access had actually begun nearly a year earlier, in July 2025. The delay was due to the vendor relationships that were involved. La Perouse had to work with the entity that was actually breached before it could notify its own healthcare clients. Paubox’s coverage of the incident plainly noted that the resulting confusion is often left in place for patients affected by business associate breaches, as they are unsure of who to contact or how the breach even happened, as multiple different organizations were involved. A covered entity that depends on a vendor’s exact notification time frame is outsourcing its breach clock to an entity it does not control.
The regulatory exposure sits with the covered entity too
It is a shared problem by design within HIPAA’s structure. The HITECH Act made business associates directly liable for violations of HIPAA, but it did not relieve covered entities of responsibility for the vendors they choose. It is supported empirically by research on healthcare breach patterns. An Online Research Journal Perspectives in Health Information Management cyber-analytics study of healthcare breach discriminants showed that “Additional analyses of variance revealed that covered entity type and business associate presence were significant predictors, while the geographic region of a breach occurrence was insignificant.” The type of organization you are and who you contract with are equally necessary to your risk profile.
In April, the OCR announced four separate settlement agreements for violations of the HIPAA Security Rule in connection with ransomware investigations involving Axia Women’s Health, Assured Imaging, Consociate Health and a Star Group health benefits plan, impacting more than 427,000 individuals collectively for $1,165,000. In each case, OCR’s investigation found no accurate and comprehensive risk analysis. The cases show that organizations cannot treat a good and complete risk analysis as a paper exercise, and that requirement extends to understanding the risk a vendor brings.
What the research says about why oversight fails
A recent Applied Clinical Informatics survey of healthcare delivery organizations is specific about why. More than half of surveyed organizations, 56%, have experienced a third-party breach in the last 12 months, and two-thirds expect third-party breaches to increase over the next two years. Respondents identified insufficient resources at 48% as the leading barrier to effective oversight, followed by a lack of centralized control over third-party relationships across the organization at 36%, difficulty managing multiple vendor relationships at 28%, and high third-party turnover at 22%. The same survey summarized the structural risk as a vendor with access to multiple healthcare delivery organizations is a common attack surface; one successful intrusion can hack one system and breach many.
From a different angle, another study of breach patterns by organization type came to a compatible conclusion, recommending that covered entities implement continuous, ongoing third-party risk management programs rather than one-time vendor reviews, and pointing to frameworks like NIST CSF and HITRUST CSF as structured ways to assess business associates against controls that go beyond the HIPAA Security Rule’s baseline language. The common thread in this research is that a signed BAA creates a legal relationship, but does not provide evidence that a vendor’s security practices are adequate, current, or verified.
What this means if you are the vendor
The majority of the guidance above is written from the covered entity’s perspective, but developers and vendors building healthcare-adjacent products have a mirrored obligation. It is no longer a hypothetical scenario to be listed as a downstream subcontractor in someone else’s BAA disclosure. It is the exact mechanism that regulators and covered entities are asking about directly.
A vendor that cannot produce a current HITRUST certification or SOC 2 Type II report, cannot name its own subcontracted business associates, or cannot describe how it would meet the pending Security Rule’s encryption, multifactor authentication (MFA), and vulnerability-scanning requirements should expect that gap to surface during procurement. The practical implication for engineering teams building systems that will touch protected health information (PHI) is to design access control, audit logging, and encryption from the start, rather than retrofitting them once a healthcare customer’s compliance team asks for evidence.
Where secure communication fits, and where it does not
Encrypted email is just one control. A HIPAA compliant email service encrypts messages and attachments in transit and at rest, has its own BAA, and reduces the risk that PHI sent to a business associate is disclosed in an intercepted message. Paubox’s 2026 Healthcare Email Security Report found that 53% of healthcare breaches occurred on Microsoft 365, up from 43% the year prior, and that 41% of breached organizations were assessed as high risk, up from 31% in 2024, with 74% of breached domains showing ineffective DMARC protection.
Encryption in transit, however, does not vouch for a vendor’s internal controls over access, nor does it attest to whether a subcontractor is also touching the data. Nor does it replace the audit and monitoring practices the research above points to. A secure email gateway is a defensible component of a vendor risk program, but not the program. Covered entities and business associates who think “we encrypt our email” equals “we have vendor oversight” are solving one part of a bigger problem while ignoring the access-management, subcontractor-disclosure, and continuous-monitoring needed for effective compliance.
FAQs
How did the HITECH Act change the rules for business associates?
Before the HITECH Act, business associates’ HIPAA responsibilities were primarily imposed through their contracts with covered entities.
Are business associates directly liable for HIPAA violations?
Business associates can be directly liable for violations such as failing to comply with the Security Rule and making impermissible uses or disclosures of PHI.
Does signing a BAA make a vendor HIPAA compliant?
A BAA creates legally required contractual obligations, but signing one does not automatically establish compliance. The business associate must implement the administrative, physical, and technical safeguards required by the Security Rule.
