This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.
The healthcare sector continues to grapple with an unrelenting wave of cyberattacks, with a notable shift in 2024 and 2025 toward targeting third-party vendors and business associates entrusted with sensitive protected health information (“PHI”). This trend has led to a surge in data breaches, affecting tens of millions of Americans and prompting heightened regulatory scrutiny over how healthcare providers manage and oversee their vendor relationships.
A Shift in Cybercriminal Tactics
While 2024 saw an unprecedented spike in healthcare data breaches, affecting 184 million individuals, preliminary data from 2025 indicate a substantial drop in the total number of people impacted.[1] In the first half of 2025 alone, over 31 million individuals were affected by breaches.[2] Although this is significantly lower than the previous year’s total, it still represents one of the highest mid-year figures on record. This suggests that, even as the overall scale of breaches has decreased from the extraordinary levels of 2024, the frequency and impact of cyber incidents in 2025 remain among the highest in recent history.[3]
Vendor Interdependence and the Expanding Attack Surface
The healthcare industry’s interdependence with a vast network of vendors and technology partners means that supply chain risk remains a central challenge.[4] When a hospital or health system relies on dozens, or even hundreds, of different vendors, the security of the entire operation is only as strong as its weakest link.[5] If one supplier’s software has a vulnerability, or if a vendor’s employee falls victim to a phishing attack, attackers can use that entry point to access larger healthcare networks, as seen in several high-profile breaches.[6]
The risk is heightened by the increasing use of connected medical devices and cloud-based health applications, which often integrate third-party software components that may not be subject to the same rigorous security standards as the healthcare provider’s own systems.[7] For example, a compromised medical device manufacturer or a billing processor can inadvertently provide cybercriminals with access to patient records, financial data, or even hospital operations.[8]
This interconnectedness, where data and systems flow among multiple organizations, creates a broad “attack surface” for cybercriminals. As a result, supply chain risk is not just about managing direct vendors; it also requires understanding and controlling the risks introduced by those vendors’ subcontractors and software suppliers. Because of this complexity, effective cybersecurity in healthcare demands robust vendor management, continuous monitoring, and a proactive approach to identifying and mitigating risks across the entire supply chain.
Regulatory Scrutiny and the Need for Oversight
With the surge in third-party breaches, regulators have intensified their focus on provider oversight of business associates. Proposed updates to the HIPAA Security Rule would require healthcare organizations to implement multifactor authentication, data encryption, and proactive security testing, not just internally, but also across their vendor ecosystem.[9]
Experts stress that healthcare organizations cannot “outsource accountability” when it comes to safeguarding patient data and complying with HIPAA requirements, even if much of their data processing or management is handled by third-party vendors.[10] While a written business associate agreement (“BAA”) between a covered entity and a business associate vendor is legally required, BAAs alone do not absolve the covered entity of responsibility if a breach occurs at the vendor level.
Healthcare organizations are expected to conduct thorough due diligence before engaging vendors, including verifying the vendor’s security posture, HIPAA training, certifications, and incident response protocols.[11] Ongoing monitoring, periodic security assessments, and integrating vendors into the organization’s own incident response planning are also considered essential practices. Failure to rigorously vet and monitor vendors can leave organizations exposed to both cyber threats and regulatory penalties. Ultimately, vendors should be treated as true extensions of the organization, with clear roles, responsibilities, and accountability mechanisms in place to protect sensitive health information and maintain patient trust.
Contact us
If you have questions about healthcare supply chain cybersecurity risks or need assistance with regulatory compliance, our team offers comprehensive, solution-oriented counsel.
For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.
1. Tim Broderick, Finding Some Good News After a Bad Year for Cyberattacks, Modern Healthcare, Jan. 17, 2025.
2. Tim Broderick, Healthcare Organizations Still Facing High Cyberattack Rates, Modern Healthcare, July 11, 2025.
3. Tim Broderick, Finding Some Good News After a Bad Year for Cyberattacks, Modern Healthcare, Jan. 17, 2025.
4. Stephanie Snyder Frenier, A Favorable Prognosis: Healthcare at the Forefront of Cyber Risk, Insurance Journal (Wells Media), May 5, 2025.
5. Greg Freeman, Manage Third-Party Vendor Relationships Carefully, Healthcare Risk Management, May 14, 2025.
6. Steve Alder, More Than One-Third of Data Breaches Due to Third-Party Supplier Compromises, HIPAA J., Mar. 28, 2025.
7. Cybersecurity in Focus: Device Connectivity, AI and Supply Chain Pose Largest Risks to Medical Devices, Regulation and Staff Training Key to Security, Business Monitor Online (Fitch Solutions), Nov. 13, 2025.
8. Id.
9. Stephanie Snyder Frenier, A Favorable Prognosis: Healthcare at the Forefront of Cyber Risk, Insurance Journal (Wells Media), May 5, 2025.
10. Greg Freeman, Manage Third-Party Vendor Relationships Carefully, Healthcare Risk Management, May 14, 2025.
11. Id.