
VillageCareMAX breach exposes patient information through third-party

Written by Tshedimoso Makhene | January 23, 2026

VillageCareMAX has revealed a data breach involving a third-party vendor, which resulted in unauthorized access to the vendor's systems and exposed sensitive patient information.


What happened

VillageCareMAX, a managed long-term care health plan serving Medicare and Medicaid members, confirmed a data breach that exposed sensitive patient information after a third-party vendor experienced unauthorized system access. The breach originated at TMG Health, Inc., a vendor that provides administrative services to VillageCareMAX.

According to their breach notice, an unauthorized party accessed TMG Health’s systems between November 20, 2024, and September 19, 2025. TMG Health identified the intrusion in September 2025 and immediately shut down the unauthorized access. VillageCareMAX began notifying affected individuals by mail on January 13, 2026.


Going deeper

While VillageCareMAX’s internal systems were not compromised, patient data stored within TMG Health’s environment was exposed during the breach period. After learning of the incident, VillageCareMAX conducted a detailed review of the affected files to determine which individuals and data elements were involved. The investigation revealed that the exposed information varies by individual and may include:

Neither VillageCareMAX nor TMG Health has identified any confirmed misuse of the compromised data. However, to mitigate risk, VillageCareMAX is offering impacted individuals complimentary credit monitoring and identity theft protection services.


What was said

In its notice to affected members, VillageCareMAX stated that it worked closely with TMG Health to investigate and contain the incident. The vendor terminated the unauthorized access as soon as it was discovered and implemented additional safeguards to strengthen system security.

Furthermore, VillageCareMAX stressed that the breach resulted from a vendor security failure, not a breach of its own network. The organization reiterated its commitment to protecting member information and said it continues to evaluate its vendor oversight and security practices. In the notice, the company noted that “this ongoing effort includes both technological and procedural enhancements designed to anticipate new risks and to strengthen controls across operations. In this particular case, TMG Health, Inc has noted its continued investment in the maturity of its security posture and its commitment to sustained improvement over time.”


In the know

Under HIPAA, responsibility for a data breach depends on who controls the PHI and where the failure occurred, but accountability is rarely limited to just one party.

Covered entities are ultimately responsible for ensuring that PHI is protected, even when they outsource services to third-party vendors. HIPAA requires covered entities to enter into business associate agreements (BAAs) with vendors that access PHI and to take reasonable steps to verify that those vendors implement appropriate safeguards. Additionally, business associates are also liable under HIPAA for breaches caused by their own security failures. They must comply with the HIPAA Security Rule, report breaches in a timely manner, and mitigate harm once an incident is discovered.

In third-party vendor breaches, both parties may face consequences. The vendor may be responsible for the technical failure that led to the breach, while the covered entity may be held accountable for inadequate vendor oversight, weak access controls, or failure to enforce HIPAA requirements. This shared responsibility is why HIPAA enforcement actions and lawsuits often examine the actions of both the healthcare organization and its vendors following a data breach.

Go deeper: Who is responsible for a data breach?


Why it matters

“Third parties are a frequent target of malicious actors because they may have more access than needed operationally, and often have access points into many HDOs [healthcare delivery organizations] (hack one system, breach many),” write George A. Gellert et al. in the study Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations. The VillageCareMAX incident reflects this risk in practice, showing how a single vendor compromise can expose sensitive patient data across an entire healthcare organization.

Similar patterns have emerged in other recent incidents, including the Mission Neighborhood Health Center (MNHC) breach, where patient information was exposed after unauthorized access occurred at a downstream vendor rather than within the provider’s own network.

Together, these events illustrate the systemic risk posed by vendor relationships and explain why HIPAA requires strong oversight, strict access controls, and ongoing risk management for business associates.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

Why are third-party vendor breaches common in healthcare?

Healthcare vendors often have broad system access and handle large volumes of protected health information, making them attractive targets for cybercriminals.


Can a healthcare organization be held liable for a vendor breach?

Yes. Under HIPAA, covered entities remain responsible for ensuring their business associates protect PHI, even if the breach occurs at the vendor level.