The Change Healthcare breach. The MOVEit Transfer vulnerability that hit dozens of healthcare vendors simultaneously. The Connexure breach affecting multiple home health billing systems. The pattern repeating across 2023, 2024, and 2025 is unmistakable: the largest healthcare data breaches are no longer happening at covered entities — they are happening at the vendors covered entities depend on.
Your home health agency may have excellent internal security. Strong MFA. Behavioral EDR. 24/7 monitoring. Immutable backups. And still experience a patient data breach — because your billing company, your cloud storage vendor, or your EHR integration partner was compromised.
This is supply chain risk. And it is the most underaddressed cybersecurity vulnerability in home healthcare.
Why Vendor Breaches Hit Home Health Agencies Hard
Home health agencies are operationally dependent on a stack of third-party vendors in a way that many other healthcare organizations are not:
Billing companies: Process claims containing complete patient demographics, insurance information, diagnosis codes, and service records. A breach at your billing company exposes every patient for whom a claim was submitted.
EHR vendors: Cloud-hosted EHRs store your complete clinical records. While major EHR vendors invest significantly in security, smaller or regional platforms may have vulnerabilities. An EHR platform breach can expose records for every patient ever documented in the system.
Clearinghouses: Claim clearinghouses (like Change Healthcare) process transactions from thousands of covered entities simultaneously. A single breach at a clearinghouse exposes data from every provider submitting through that clearinghouse.
Scheduling and care coordination platforms: Third-party platforms used for visit scheduling, family communication, or care coordination may store patient names, addresses, diagnoses, and care plans.
Cloud storage and collaboration tools: Microsoft 365 and Google Workspace are generally well-secured — but third-party add-ins, integrations, and smaller cloud storage solutions connected to your primary systems can create vulnerabilities.
Remote monitoring and telehealth vendors: Platforms that connect to patient devices or facilitate remote care may have access to real-time health data and patient location information.
The HIPAA Framework for Vendor Risk
HIPAA addresses vendor risk through the Business Associate Agreement framework. Every vendor with access to your ePHI is a business associate, and every business associate must sign a BAA establishing their HIPAA compliance obligations.
But a BAA is a legal instrument, not a security audit. A vendor can sign a BAA and still have inadequate security. The BAA establishes accountability after a breach — it does not prevent one.
Effective vendor risk management goes beyond BAAs to assess the actual security posture of vendors before they access your data and on an ongoing basis thereafter.
A Practical Vendor Risk Management Framework for Home Health
Tier 1: Critical Vendors (Access to Complete ePHI)
These are the vendors whose compromise would expose your complete patient population: your EHR vendor, your billing company, and your primary clearinghouse.
For Tier 1 vendors, require:
- Signed BAA with specific security standards clause
- Annual SOC 2 Type 2 report (an independent attestation, not a certification) or equivalent independent security audit
- Documentation of MFA enforcement on all accounts that access your data
- Written incident response plan with your notification timeline
- Evidence of cyber insurance coverage (ask for certificate of insurance)
Ask these questions annually — not just at contract signing. Vendor security posture changes. An annual review ensures you know about significant changes.
Tier 2: Significant Vendors (Access to Some ePHI)
Scheduling platforms, telehealth vendors, care coordination tools, and third-party integrations that access patient information but not complete clinical records.
For Tier 2 vendors, require:
- Signed BAA
- Security questionnaire responses (industry standard questionnaires like SIG Lite or VSA)
- Evidence of encryption in transit and at rest
- MFA enforcement documentation
Tier 3: Administrative Vendors (No Direct ePHI Access)
Vendors who provide services to your agency but do not directly access ePHI — office supplies, non-clinical software, facilities management. Lower risk, but assess whether any indirect ePHI exposure exists (do they have physical access to your offices? Do they support systems that contain ePHI?).
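One way to operationalize the three tiers above is a small vendor register checker that derives the tier from a vendor's level of ePHI access and flags required evidence that is missing or older than a year. This is an added example, not ShieldForce's tooling; the 365-day review interval, the vendor names and the evidence dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Evidence each tier must hold, following the tiering framework above.
REQUIRED = {
    1: {"baa", "soc2_type2", "mfa", "ir_plan", "cyber_insurance"},
    2: {"baa", "questionnaire", "encryption", "mfa"},
    3: set(),  # administrative vendors: no direct ePHI access
}
REVIEW_INTERVAL = timedelta(days=365)  # assumption: "annual" means 365 days

@dataclass
class Vendor:
    name: str
    ephi_access: str                     # "complete", "partial" or "none"
    evidence: dict = field(default_factory=dict)  # evidence type -> date collected

def tier(v: Vendor) -> int:
    """Map ePHI access level to the tier used in the framework."""
    return {"complete": 1, "partial": 2, "none": 3}[v.ephi_access]

def review(v: Vendor, today: date) -> list[str]:
    """Return findings: required evidence that is missing or stale."""
    t = tier(v)
    findings = []
    for item in sorted(REQUIRED[t]):
        collected = v.evidence.get(item)
        if collected is None:
            findings.append(f"{v.name} (tier {t}): missing {item}")
        elif today - collected > REVIEW_INTERVAL:
            findings.append(f"{v.name} (tier {t}): {item} stale ({collected})")
    return findings

# Constructed sample register; these are not real vendors.
SAMPLE_VENDORS = [
    Vendor("Billing Co", "complete", {
        "baa": date(2024, 1, 10), "soc2_type2": date(2023, 12, 1),
        "mfa": date(2024, 1, 10), "ir_plan": date(2024, 1, 10)}),
    Vendor("Scheduling App", "partial", {
        "baa": date(2024, 6, 1), "questionnaire": date(2024, 6, 1),
        "encryption": date(2024, 6, 1), "mfa": date(2024, 6, 1)}),
    Vendor("Office Supply Co", "none"),
]

def run(today_iso: str = "2024-12-20") -> list[str]:
    """Review every vendor in the register as of the given date."""
    today = date.fromisoformat(today_iso)
    return [f for v in SAMPLE_VENDORS for f in review(v, today)]

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run against the register as of 2024-12-20, the checker flags the billing company's missing certificate of insurance and its year-old SOC 2 report while the other vendors pass.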
What to Do When a Vendor Is Breached
When a business associate notifies you of a breach — or you learn of a breach through news reports or HHS's breach portal — you have both legal and operational obligations:
Legal obligations:
Determine whether your patients' ePHI was included in the breach. Your business associate has an obligation to notify you, but if the breach is publicly reported before you receive notification, begin your own assessment immediately.
Assess whether the breach triggers your own notification obligations under HIPAA. A breach at your business associate that exposes your patients' ePHI is a breach involving your covered entity — you may have independent notification obligations.
Operational obligations:
If the breached vendor is critical to your operations (billing company, clearinghouse), activate your business continuity plan for that vendor's function. Identify backup options. Communicate with staff about operational changes during the disruption.
Reassess whether to continue the vendor relationship. A vendor that has experienced a significant breach has demonstrated a security gap. The quality of their breach response — what they are communicating, how quickly, and what remediation they are implementing — is the most important factor in your decision to remain or find an alternative.
ShieldForce includes vendor risk management as part of our comprehensive home health security program. We assess your critical vendor relationships, help you build appropriate security requirements into contracts, and monitor vendor breach notifications on your behalf.
Explore Home Healthcare Cybersecurity →
Get a free vendor risk assessment as part of your HIPAA review.

