Why the Most Dangerous Data Breaches Are Still the Least Regulated

While the Change Healthcare ransomware attack drew national attention in 2024, its implications extend far beyond a single event. It spotlighted a structural vulnerability in the healthcare sector that continues to grow unchecked: the underregulation of business associates.
Business associates, ranging from billing vendors to cloud service providers, have become central players in the digital healthcare ecosystem. These entities now control and process vast amounts of protected health information (PHI), often with fewer compliance safeguards and less oversight than the covered entities they serve. The Change Healthcare incident was not an exception. It became the largest breach of the year precisely because it reflected a broader pattern of risk displacement.
The Exposure Gap Between Covered Entities and Business Associates
Office for Civil Rights (OCR) data from 2024 shows a widening disparity between breach scope and accountability. Although business associate breaches represented a smaller share of total breach reports, they accounted for more than 70% of individuals affected. That imbalance underscores the systemic risk posed by third parties operating with elevated access but limited transparency.
Despite handling critical infrastructure, many business associates fall into regulatory blind spots. HIPAA compliance is technically required, but enforcement is inconsistent and reactive. Even as OCR expands its investigations, the agency lacks the resources to preemptively monitor a fragmented vendor ecosystem.
Contractual Compliance Is Not Operational Governance
Health systems often assume that business associate agreements (BAAs) are sufficient to manage downstream risk. In reality, BAAs are legal instruments, not security controls. They do little to ensure that vendors are conducting timely risk analyses, maintaining system segmentation, or executing breach response plans under pressure.
As the complexity of data-sharing arrangements grows, so does the potential for breach propagation. A single compromise at a central vendor can ripple across dozens or hundreds of connected organizations. Without standardized auditing, performance monitoring, or shared incident reporting, providers are left blind to the practices of those handling their most sensitive data.
Risk Concentration Without Regulatory Precision
The regulatory frameworks governing PHI were not designed for the current threat landscape. HIPAA focuses on the handling of patient data, but offers little in terms of evaluating the systemic importance of an entity or the cumulative risk it may pose to the healthcare system.
A small hospital with 50,000 records is held to the same compliance expectations as a vendor with access to hundreds of millions of records across the country. This misalignment fails to account for concentration risk, which arises when too much infrastructure is managed by a single third party with weak controls.
OCR has made public statements about expanding its enforcement strategy, particularly through its 2025 risk analysis initiative. However, without additional statutory authority or funding, it remains unlikely that vendor oversight will become meaningfully proactive.
What Healthcare Leaders Can Do Now
The regulatory lag does not absolve health systems of responsibility. Executive leaders, including CIOs, legal counsel, and compliance officers, should adopt a more assertive posture toward vendor governance:
- Establish independent security assessments for high-impact vendors beyond BAA compliance.
- Classify vendors by data access tier and require breach simulation participation.
- Implement shared accountability clauses that link performance penalties to governance failures.
- Use procurement as leverage to enforce minimum cyber hygiene and reporting standards.
Business associate relationships should be seen not as static partnerships, but as dynamic risk vectors. Without active scrutiny, even trusted vendors can become conduits for systemic failure.
Toward a More Accountable Ecosystem
The current regulatory architecture assumes that compliance is a shared responsibility. But in practice, it too often allows risk to concentrate where visibility is weakest. The result is a two-tiered system: one where covered entities are highly scrutinized, and another where third-party vendors operate under thin layers of legal abstraction.
As the healthcare sector becomes more digitally integrated, that gap is no longer tenable. A breach at a business associate is not a peripheral issue; it is a core threat. The rules, tools, and expectations must align with that reality.
Until federal policy catches up, the onus falls on providers to enforce accountability. That means moving beyond documentation and toward verification, from assumed compliance to continuous oversight. The most dangerous breaches are not just those that occur. They are those no one is prepared to prevent.