Thursday, May 14, 2026

When a Vendor Gets Breached, What Happens to Your Patient Data?

The following is a guest article by Kelly Goolsby from Nexcess

AT A GLANCE

  • Most specialty practices secured their patient records system years ago. The breach risk today lives in the systems built around it.
  • Scheduling platforms, intake forms, and billing integrations handle patient data every day. Most were never evaluated the way the core records system was.
  • Federal regulators are expected to finalize the first major update to healthcare data security rules in over 20 years. It targets exactly these overlooked systems.
  • When a vendor handling one of these systems is breached, the hosting environment determines how far the damage travels.
  • The practices that move through this with the least disruption are the ones that made deliberate infrastructure decisions before a review forced the conversation.

Eight months before the hard questions arrived, a specialty practice had a breach. Not in the patient records system. That had been secured and documented. The breach came through a different system. One that had been handling patient data for years, sitting on hosting that was never evaluated for compliance. Nobody had looked.

Remediation took months. A new business relationship they had been trying to close was delayed while they rebuilt trust. Nothing about the breach was surprising. The system sat on shared hosting. No Business Associate Agreement (BAA) was on file. Nobody had audited it because nobody had thought of it as a compliance surface.

That practice is not an outlier. In February 2026, Integrated Pain Associates, a specialty pain practice in Texas, confirmed unauthorized access to patient data after a breach that went undetected for weeks. The systems creating the most exposure in specialty healthcare are the ones added during a growth phase and never revisited.

Where the Risk Lives

The patient records system is not where most specialty practices are exposed.

Three systems come up repeatedly. In each case, the hosting decision was never made with compliance in mind.

The scheduling platform was not chosen by anyone in IT or compliance. It was chosen by whoever needed it to work that week. The hosting decision behind it was never a decision at all.

The intake forms and patient messaging tools arrived one at a time, each attached to a vendor contract that felt routine. No single one seemed significant enough to flag. Together, they form a patient data surface that nobody mapped and nobody owns. According to the Verizon 2025 Data Breach Investigations Report, third-party vendor involvement in confirmed breaches doubled in a single year, from 15 to 30 percent of all incidents. Vendor-hosted tools added without documented oversight are where that growth is coming from.

The billing integration is where the exposure concentrates. It went live when the practice needed it to, in an environment that was inherited rather than selected. In February 2026, a breach at QualDerm Partners, a management services provider to 158 specialty practices across 17 states, exposed the records of more than 8 million patients. Not because the practices were breached. Because the vendor handling their billing environment was.

Each system got in because it solved an immediate problem. None of them went through the evaluation the records system did. That is where the gap lives.

Why the Pressure Is Increasing

The core security standards governing how patient data must be protected have not been significantly updated since 2003. A federal update now under active regulatory review proposes the most substantial changes in over two decades.

Three proposed changes matter most for specialty practices.

  1. Encryption would become required. Every system storing patient data would need to encrypt it wherever it sits. The current option to document an alternative and move on would be eliminated.
  2. Every system would need to be inventoried. A documented list of every system that stores or moves patient data would be mandatory. Not just the records system. All of them.
  3. Every system must be accountable under a tighter response clock. The proposal would require organizations to restore critical systems within 72 hours of a security incident and notify relevant parties within 24 hours when access to patient data is changed or terminated.

The enforcement backdrop gives this weight. HHS has found organizations non-compliant in 67 percent of its investigations. That number reflects not negligence, but a set of requirements that outgrew the infrastructure decisions most practices made years ago. A final rule would make those gaps impossible to ignore.

The practices that will feel this first are the ones running patient data through hosting environments that were never chosen with compliance in mind.

What the Right Cloud Partner Does When a Vendor Is Attacked

A cloud partner that supports HIPAA-regulated workloads does not prevent a vendor’s software from being compromised. What it does is limit how far the damage travels from that entry point.

An isolated environment bounds the blast radius. In a shared hosting environment, a breach in one vendor’s access credentials can expose every tenant on that infrastructure. In a dedicated environment built for regulated workloads, your data is the only data there. An attacker who compromises a vendor’s access cannot move laterally to other organizations.

A signed Business Associate Agreement (BAA) answers the question before it gets asked. When something goes wrong in a vendor-hosted system, the first question from a reviewer is who owns what. A cloud partner who executes a BAA has documented that answer in advance. A shared generic hosting environment does not do that.

Encryption at rest limits the value of what gets taken. If a vendor’s credentials are compromised but the data sitting in the environment is encrypted, the attacker gets scrambled data they cannot read, not patient records.

The hosting environment determines whether a breach at the vendor level becomes a catastrophic exposure at the practice level.

Where to Start

Three actions. None of them require a major initiative.

  1. Build the list. Write down every system outside the core records platform that stores or moves patient data. Scheduling, intake, billing, messaging, reporting.
  2. Pull the agreements. For each system on the list, confirm whether a Business Associate Agreement exists and whether it specifies what the vendor owns when something goes wrong.
  3. Ask where the data lives. For each vendor on the list, confirm whether patient data is stored in a shared environment or a dedicated one, and whether it is encrypted at rest.
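One way to carry those three actions through as a single working inventory, as an added example that is not part of the original article and not a Nexcess tool: each system outside the core records platform is recorded with the three answers the steps ask for (is a BAA on file and does it assign incident ownership, is the hosting shared or dedicated, is the data encrypted at rest), and a gap report lists every system that fails a check, worst first. The field names, the `PatientDataSystem` class and the sample vendors are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hosting values accepted by the inventory (assumption: one of these two per system).
HOSTING_KINDS = {"dedicated", "shared"}


@dataclass(frozen=True)
class PatientDataSystem:
    """One system outside the core records platform that stores or moves patient data."""
    name: str
    vendor: str
    baa_on_file: bool                    # step 2: is a BAA executed with this vendor?
    baa_assigns_incident_ownership: bool  # step 2: does it say who owns what when something goes wrong?
    hosting: str                          # step 3: "dedicated" or "shared"
    encrypted_at_rest: bool               # step 3: is patient data encrypted where it sits?

    def __post_init__(self) -> None:
        if self.hosting not in HOSTING_KINDS:
            raise ValueError(f"{self.name}: hosting must be one of {sorted(HOSTING_KINDS)}")


def gaps_for(system: PatientDataSystem) -> List[str]:
    """Return the compliance gaps for one system, in the order the article's steps raise them."""
    gaps: List[str] = []
    if not system.baa_on_file:
        gaps.append("no BAA on file")
    elif not system.baa_assigns_incident_ownership:
        gaps.append("BAA does not specify vendor responsibilities in an incident")
    if system.hosting != "dedicated":
        gaps.append(f"patient data on {system.hosting} hosting")
    if not system.encrypted_at_rest:
        gaps.append("not encrypted at rest")
    return gaps


def gap_report(inventory: List[PatientDataSystem]) -> Dict[str, List[str]]:
    """Map each system name to its gaps; systems with no gaps are omitted."""
    report: Dict[str, List[str]] = {}
    for system in inventory:
        gaps = gaps_for(system)
        if gaps:
            report[system.name] = gaps
    return report


def prioritized(inventory: List[PatientDataSystem]) -> List[str]:
    """System names with at least one gap, most gaps first, ties broken by name."""
    report = gap_report(inventory)
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed sample inventory: four systems a specialty practice might have added over time.
SAMPLE_INVENTORY: List[PatientDataSystem] = [
    PatientDataSystem("Online scheduling", "ExampleSched (constructed)",
                      baa_on_file=False, baa_assigns_incident_ownership=False,
                      hosting="shared", encrypted_at_rest=False),
    PatientDataSystem("Intake forms", "ExampleForms (constructed)",
                      baa_on_file=True, baa_assigns_incident_ownership=False,
                      hosting="shared", encrypted_at_rest=True),
    PatientDataSystem("Billing integration", "ExampleBilling (constructed)",
                      baa_on_file=True, baa_assigns_incident_ownership=True,
                      hosting="dedicated", encrypted_at_rest=True),
    PatientDataSystem("Patient messaging", "ExampleMsg (constructed)",
                      baa_on_file=True, baa_assigns_incident_ownership=True,
                      hosting="dedicated", encrypted_at_rest=False),
]


if __name__ == "__main__":
    # Print the gap report, worst system first.
    findings = gap_report(SAMPLE_INVENTORY)
    for name in prioritized(SAMPLE_INVENTORY):
        print(f"{name}:")
        for gap in findings[name]:
            print(f"  - {gap}")
```

The report is deliberately limited to the three questions in the list above; a system that passes all three drops out of it, which is what makes the remaining entries a usable work list for the next review.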

The practices that move through the next round of reviews and compliance requirements with the least friction are the ones that already know their answers.

For teams working through these questions, Nexcess has built a set of resources specifically for healthcare organizations navigating infrastructure and compliance decisions.
