Home health agency consolidation is accelerating. Private equity firms, regional health systems, and established agencies are acquiring smaller operators at a pace that has reshaped the industry over the past five years. For buyers, the standard due diligence process covers financials, regulatory compliance, clinical operations, and staff.
Cybersecurity due diligence is almost always an afterthought — or absent entirely.
This is an expensive mistake. An acquired agency's unresolved data breach, OCR investigation, or systemic HIPAA non-compliance becomes the acquirer's liability the moment the deal closes. An intrusion already under way in the acquired agency's systems, where an attacker has a foothold but has not yet deployed ransomware, becomes a threat inside the acquirer's network the moment the networks are connected.
Cyber due diligence is not a technical formality. It is financial risk assessment.
What You Are Actually Buying
When you acquire a home health agency, you acquire:
The patient data. Potentially years of ePHI — patient records, care plans, diagnoses, billing histories. This data is both an asset (continuity of care for existing patients) and a liability (any past breach involving that data is now your responsibility).
The compliance posture. If the acquired agency has never completed a HIPAA risk analysis, has no security policies, and has not trained staff annually — those are your compliance gaps post-acquisition. OCR penalties for pre-acquisition non-compliance can follow the entity.
The technical environment. The acquired agency's devices, network infrastructure, EHR platform, and security tools (or lack thereof) either integrate cleanly with yours or create new attack surfaces. A network connection between your secure environment and their unmanaged network can introduce threats you have never seen before.
The vendor relationships. The acquired agency's billing company, clearinghouse, and technology vendors are now your business associates. Their BAAs, their security postures, and their existing compliance gaps are now your vendor risk.
The litigation and investigation history. Any pending OCR investigations, state regulatory actions, or civil litigation related to data breaches or HIPAA violations become your exposure post-acquisition.
The Cyber Due Diligence Checklist
Pre-Letter of Intent (Preliminary Assessment)
Before committing to a transaction, request from the seller:
- [ ] Whether any data breaches have been reported to HHS in the past five years (search the HHS breach portal for the agency's name; note that the portal only posts breaches affecting 500 or more individuals, so smaller reported breaches will not appear there and must be asked about directly)
- [ ] Whether any OCR investigations or state regulatory actions related to data security are pending
- [ ] The name of their current cybersecurity provider or IT vendor
- [ ] Whether they have a signed BAA with their EHR vendor and billing company
These four questions take less than 30 minutes to research and answer. They identify deal-breaking issues before you invest significant due diligence resources.
Post-LOI: Detailed Technical Assessment
Once exclusivity is established and you have NDA protection:
Documentation review:
- [ ] HIPAA Security Rule risk analysis (date, scope, currency)
- [ ] Written information security program / security policies
- [ ] Business associate agreements (complete list, all current)
- [ ] Staff security training records (past 24 months)
- [ ] Incident response plan
- [ ] Any prior breach investigation files
Technical environment assessment (conducted by your security team or ShieldForce):
- [ ] Device inventory and encryption status
- [ ] Network architecture review (segmentation, open ports, internet-facing systems)
- [ ] Compromise assessment (active threat scan): determine whether any malware, persistence mechanisms, or attacker presence already exist in the environment
- [ ] Vulnerability scan: identify unpatched systems and insecure configurations
- [ ] EHR access control review: who has access to what, and whether former employees and contractors have been properly deprovisioned
- [ ] Email security assessment: phishing susceptibility, MFA status, and mailbox auto-forwarding rules to external addresses (a common indicator of business email compromise)
- [ ] Dark web credential scan: whether any staff credentials from the acquired agency appear in breach databases; any hit should trigger a forced password reset and MFA enrollment for that account
Vendor relationship review:
- [ ] EHR vendor: BAA current, security posture assessment
- [ ] Billing company: BAA current, any prior breach incidents
- [ ] IT vendors with system access: BAA current, access controls reviewed
Valuing Cybersecurity Risk in the Deal Structure
Cybersecurity findings from due diligence should inform deal valuation and structure:
Price adjustment: Material cybersecurity gaps — pending OCR investigation, evidence of a prior unreported breach, systemic HIPAA non-compliance — should reduce the purchase price to reflect the cost of remediation and regulatory exposure.
Escrow/indemnification: A portion of the purchase price held in escrow for 12–24 months to cover cybersecurity-related claims that emerge post-closing is standard deal protection for transactions with identified security gaps.
Representations and warranties: Require the seller to represent that no material cybersecurity incidents have occurred within a defined period, that all vendor BAAs are current, and that no regulatory investigations related to data security are pending. Breach of these representations triggers indemnification obligations.
Pre-close remediation: If significant gaps are identified but the transaction is otherwise compelling, require the seller to remediate specific issues as a closing condition — deploying MFA, executing missing BAAs, completing an overdue risk analysis.
Post-Acquisition Network Integration
The highest-risk moment in a home health agency acquisition, from a cybersecurity perspective, is the moment the networks are connected. Do not connect the acquired agency's network to yours until:
- The compromise assessment has confirmed no malware or attacker presence in the acquired environment
- MFA has been enforced on all user and administrative accounts in the acquired environment, and accounts belonging to former employees and contractors have been disabled
- Devices have been enrolled in your MDM and encrypted
- A vulnerability scan has been completed and critical findings remediated
- A new BAA has been executed between your combined entity and all vendors with ePHI access
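The technical checks in the post-LOI assessment above (deprovisioning of former staff, MFA status, external forwarding rules, device encryption and MDM enrollment) and the pre-connection gate in this list are the same questions asked at two points in the deal. The script below is an added example, not ShieldForce's tooling or anything from the original page: it triages constructed account and device exports from the acquired environment, classifies each gap as blocking or advisory, and holds the network connection gate while any blocking finding remains. The column names, the sample records, the agency domain, and the 90-day idle threshold are all assumptions; real exports from a directory, mail platform, or MDM console will need their fields mapped onto these.

```python
"""
Triage account and device exports from an acquired agency and decide whether
the network-connection gate is met. Added example; the field names, sample
records, domain and thresholds below are assumptions, not from any real agency.
"""
from dataclasses import dataclass

# Constructed sample data: directory/mail export joined with HR status.
ACCOUNTS = [
    {"user": "jdoe", "employment": "active", "enabled": True, "mfa": True,
     "idle_days": 2, "forward_to": None},
    {"user": "rnurse", "employment": "terminated", "enabled": True, "mfa": False,
     "idle_days": 210, "forward_to": None},
    {"user": "billing", "employment": "active", "enabled": True, "mfa": False,
     "idle_days": 1, "forward_to": "inbox@mail-relay.example.net"},
    {"user": "admin", "employment": "active", "enabled": True, "mfa": True,
     "idle_days": 0, "forward_to": "it-help@agency.example.com"},
    {"user": "oldcontractor", "employment": "unknown", "enabled": True, "mfa": False,
     "idle_days": 400, "forward_to": None},
]
# Constructed sample data: endpoint inventory from an MDM or asset export.
DEVICES = [
    {"host": "LAPTOP-01", "mdm_enrolled": True, "disk_encrypted": True},
    {"host": "LAPTOP-02", "mdm_enrolled": False, "disk_encrypted": True},
    {"host": "FRONTDESK", "mdm_enrolled": True, "disk_encrypted": False},
]
AGENCY_DOMAINS = {"agency.example.com"}  # assumed: the acquired agency's mail domain(s)
IDLE_THRESHOLD_DAYS = 90                  # assumed: accounts idle longer than this are suspect


@dataclass
class Finding:
    severity: str   # "blocking" holds the gate; "advisory" is tracked but does not
    subject: str    # account or host the finding applies to
    detail: str


def is_external(address, internal_domains):
    """True when a forwarding target's domain is not one of the agency's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def assess_accounts(accounts, internal_domains, idle_days=IDLE_THRESHOLD_DAYS):
    """Deprovisioning gaps, missing MFA and external auto-forwarding are blocking;
    a long-idle but otherwise clean account is advisory."""
    findings = []
    for a in accounts:
        if a["enabled"] and a["employment"] != "active":
            findings.append(Finding("blocking", a["user"],
                                    "enabled account for non-active staff (deprovisioning gap)"))
        if a["enabled"] and not a["mfa"]:
            findings.append(Finding("blocking", a["user"], "MFA not enrolled"))
        if a["forward_to"] and is_external(a["forward_to"], internal_domains):
            findings.append(Finding("blocking", a["user"],
                                    f"mailbox auto-forwards externally to {a['forward_to']}"))
        if a["enabled"] and a["idle_days"] > idle_days:
            findings.append(Finding("advisory", a["user"], f"no login in {a['idle_days']} days"))
    return findings


def assess_devices(devices):
    """Every endpoint must be MDM-enrolled and encrypted before it touches your network."""
    findings = []
    for d in devices:
        if not d["mdm_enrolled"]:
            findings.append(Finding("blocking", d["host"], "not enrolled in MDM"))
        if not d["disk_encrypted"]:
            findings.append(Finding("blocking", d["host"], "disk not encrypted"))
    return findings


def connection_gate(findings):
    """The gate opens only when no blocking finding remains."""
    return not any(f.severity == "blocking" for f in findings)


def run(accounts=ACCOUNTS, devices=DEVICES, internal_domains=AGENCY_DOMAINS):
    findings = assess_accounts(accounts, internal_domains) + assess_devices(devices)
    return findings, connection_gate(findings)


if __name__ == "__main__":
    findings, ok = run()
    for f in findings:
        print(f"[{f.severity:8}] {f.subject}: {f.detail}")
    print("Network connection gate:", "OPEN" if ok else "HOLD")
```

Re-running the same checks after the seller's pre-close remediation gives a concrete, auditable record of when the gate opened, which is what "driven by security readiness, not the closing schedule" means in practice. The same output also feeds the price adjustment and escrow discussion, since each blocking finding is a remediation cost with a name attached.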
The integration timeline should be driven by security readiness, not the closing schedule. Connecting a compromised environment to a clean one is the most avoidable cybersecurity disaster in M&A.
ShieldForce provides cybersecurity due diligence services for home health agency acquisitions. From pre-LOI screening to post-close network integration, we protect acquirers from hidden cyber liability.
Contact ShieldForce About M&A Due Diligence →
Explore our complete home health cybersecurity offerings.