Overview

Cybercriminals shifted their focus in the first half of 2026, concentrating attacks on healthcare service providers and business associates at a rate that more than doubled compared to the prior period, even as direct attacks on hospitals and clinics grew only modestly. The pattern suggests threat actors are exploiting the dense web of third-party relationships that surround healthcare delivery — finding that vendors, billing companies, and other support services often present softer targets than health systems with more mature security programs.

‍​‌​‌‍The trend is significant for independent practices, which rely heavily on outside vendors for functions ranging from revenue cycle management to electronic health records and transcription. A breach at any one of those partners can expose patient data held by practices that never experienced a direct attack themselves.

The concentration of criminal activity in the business associate layer also complicates breach response. ‍​​‌‌‍When an attack originates with a third party, covered entities frequently learn of the exposure late, limiting their ability to notify patients and regulators within HIPAA's required 60-day window.

Key developments

Business associate attacks more than doubled. While direct attacks on hospitals and clinics increased at a single-digit rate in the first half of 2026, attacks on healthcare service providers and other healthcare businesses grew by more than 100 percent over the same period, pointing to a deliberate shift in criminal targeting rather than an across-the-board escalation.

The supply chain is now the primary attack surface. The surge reflects a well-documented criminal calculus: a single business associate may hold data on patients across dozens or hundreds of client practices, making one successful intrusion more valuable than attacking individual providers one at a time.

‍​​​‌‍Independent practices carry concentrated third-party risk. Small and mid-size practices typically outsource more functions than large health systems and have fewer resources to vet vendors or monitor those relationships on an ongoing basis. That combination places them in the path of cascading exposure when an upstream partner is compromised.

Regulatory timelines clash with third-party discovery gaps. Business associate incidents routinely delay notification to the covered entities they serve, compressing the time those entities have to investigate, assess, and report the breach to HHS and affected individuals within the timeframes HIPAA requires.

‍​​​‌‍## Industry impact

The healthcare sector has carried the highest per-record breach cost of any industry for more than a decade. IBM's 2024 Cost of a Data Breach Report placed the average healthcare breach cost at $9.77 million — more than double the cross-industry average — a figure that reflects the combination of regulatory penalties, litigation, notification expenses, and operational disruption the sector faces. HHS Office for Civil Rights enforcement data show that business associate involvement is a recurring factor in large-breach reports filed on the HHS "Wall of Shame," and OCR has repeatedly signaled that covered entities bear responsibility for ensuring their associates adequately protect PHI, regardless of where an attack originates.

‍‌​‌‌‍The doubling of attacks in the business associate tier in a single six-month window adds urgency to guidance OCR has issued on third-party risk management and to HHS's broader HIPAA Security Rule modernization efforts, which as of 2025 proposed strengthening requirements around vendor oversight and technical safeguards.

What this means for independent practices

‍‌‌​​‍When a practice's breach risk is tied primarily to vendors rather than to its own internal systems, the day-to-day security discipline that matters most is third-party oversight: structured vetting before engagement, contractual accountability through BAAs, and periodic review of vendor controls rather than a one-time check at onboarding.

What would have prevented this

Third-party risk management program: A structured process for assessing vendor security before engagement and at regular intervals — including review of the vendor's own risk assessments and subcontractor relationships — reduces the likelihood that a weak link in the supply chain goes undetected until a breach occurs.

Contractual security requirements in BAAs: Business associate agreements that specify minimum technical safeguards, required incident response timelines, and the vendor's obligation to notify the covered entity within a defined window give practices enforceable leverage and reduce notification delays.

Least-privilege access controls: Limiting vendor access to only the specific systems and data elements required for the contracted service reduces the volume of records exposed if that vendor is compromised.

Continuous monitoring of third-party access: Logging and reviewing vendor access activity — rather than granting persistent, unmonitored connections — enables earlier detection of anomalous behavior originating from a business associate's credentials or systems.

Incident response planning that accounts for third-party scenarios: Tabletop exercises and written response plans that specifically address how the practice will react to a vendor-initiated breach — including how it will meet HIPAA notification deadlines when the underlying facts are controlled by an outside party — reduce the organizational confusion that extends harm after an incident is discovered.

Read the original at Dark Reading