On February 21, 2024, the ransomware group ALPHV/BlackCat detonated ransomware inside Change Healthcare, the claims clearinghouse that handled roughly one-third of all medical transactions in the United States. The attackers had entered nine days earlier using stolen credentials on a Citrix remote access portal that had no multi-factor authentication, and nobody noticed until the encryption began.
By the time it was over, 190 million people had their health data exposed, more than half of the US population. UnitedHealth Group later confirmed the final count reached 192.7 million, making it the largest healthcare data breach in history. The total cost to UnitedHealth exceeded $3.1 billion. Thousands of medical practices couldn't process insurance claims for weeks. Some rural providers came close to shutting down entirely.
Change Healthcare was the largest, but it wasn't alone. Perry Johnson & Associates, a medical transcription vendor, was breached in 2023, exposing 14 million patient records across dozens of healthcare organizations including Concentra Health Services (4 million patients) and Northwell Health. The MOVEit file transfer vulnerability let the Clop ransomware gang hit over 2,500 organizations, stealing data on nearly 100 million people. Kaiser Foundation Health Plan discovered that tracking technologies on its website had been leaking data on 13.4 million members to Google, Microsoft, and X.
These aren't isolated incidents. In 2024, third-party vendors were involved in over 60% of major healthcare data breaches. According to HIPAA Journal's breach reports, a total of 276.7 million healthcare records were breached that year, a 64% jump from 2023's already record-breaking total.
Your vendor will get hit at some point. Here’s your step-by-step playbook for when it happens.
Why a Vendor Breach Is Your Problem Under HIPAA
Under HIPAA, you remain responsible for protecting patient data even when it's in someone else's hands. Your billing company, your EHR vendor, your transcription service, your cloud storage provider: any company that creates, receives, maintains, or transmits protected health information on your behalf is a Business Associate (45 CFR 160.103). Their breach is your problem.
The law doesn't let you outsource the liability. If your business associate is breached and patient PHI is exposed, you have the same notification obligations as if your own systems were hacked. You must notify affected patients, report to HHS OCR, and in some cases alert the media.
What you can control is how fast and how cleanly you respond. Speed and documentation are your two best defenses. Organizations that respond properly tend to land in the lower penalty tiers (Tier 1, lack of knowledge, or Tier 2, reasonable cause) or avoid fines altogether. Those that fumble the response get treated as willful neglect: Tier 3 if corrected within 30 days, Tier 4 if not.
Step 1: Confirm Your Exposure (First Hour)
The moment you learn your vendor has been breached — whether from a vendor notice, a news report, or a patient complaint — do not assume it doesn’t affect you. Start the clock.
Call the vendor directly. Don’t rely on their press release or status page. You need answers to five questions:
- Was your organization's data involved?
- Which of your patients were affected, and how many?
- What categories of PHI were exposed? (names, SSNs, dates of service, clinical data, insurance information)
- When did the breach occur and when did the vendor discover it?
- Is the attack contained, or is it still ongoing?
Get this in writing: an email or formal written statement from the vendor, not just a phone call summary. You'll need documentation for everything that follows.
During the Change Healthcare breach, many practices didn't get clear answers from UnitedHealth Group for weeks. That's common; vendors often don't know the full scope right away. Document what you asked, when you asked it, and what the vendor told you. The timeline matters.
Step 2: Activate Your Incident Response Team (First Hour)
If you have a written incident response plan, open it now. If you don't, and many practices don't, here's your ad hoc team:
- Privacy Officer: Leads the response and makes notice decisions
- Practice Manager or Administrator: Handles operational disruptions
- IT Contact (internal or outsourced): Assesses tech exposure
- Legal Counsel: Advises on notice duties and liability (if you have a healthcare attorney, now is when you call them)
For a small practice, this might be two people wearing multiple hats. That’s fine. What matters is that someone is clearly in charge of the response and someone else is handling day-to-day operations so the practice doesn’t grind to a halt.
Open a dedicated incident log. Date- and time-stamp every action from this point forward: who you called, what they said, what decisions were made and why. This log is your protection if OCR investigates later. The first 72 hours after a cyber incident are when most documentation failures happen.
Step 3: Pull Your Business Associate Agreement (First 4 Hours)
Find your BAA with the breached vendor. It should specify:
- The vendor's duty to notify you of a breach. HIPAA requires business associates to notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach (45 CFR 164.410), but many BAAs specify a shorter window (30 days, 10 days, or "immediately"). The proposed 2026 HIPAA Security Rule changes would tighten this further by requiring business associates to notify you within 24 hours of activating their contingency plan, which in practice means within a day of any serious incident.
- Who handles notifying affected people — you or the vendor.
- What security standards the vendor agreed to keep.
- Indemnification clauses — whether the vendor bears financial duty for breach costs.
If you don't have a BAA with this vendor, that's a separate HIPAA violation you need to address. But don't let it distract from the immediate response; deal with it in parallel.
Step 4: Determine If PHI Was Actually Compromised (First 24 Hours)
Not every vendor security incident is a reportable HIPAA breach. An impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised, so before you trigger the notification process, conduct the four-factor risk assessment the Breach Notification Rule requires (45 CFR 164.402):
- The nature and extent of the PHI involved. Were Social Security numbers exposed, or just names and appointment dates? The more sensitive the data, the higher the risk.
- Who accessed it. Was it a nation-state or criminal group that will sell the data? An opportunistic attacker who may not have even looked at it? A researcher who reported the vulnerability?
- Whether the PHI was actually acquired or viewed. Data sitting on a compromised server doesn't by itself mean it was accessed. Encryption matters here: if the data was encrypted in a way that meets HHS guidance and the key was not compromised, it isn't "unsecured PHI" and the notification rules don't apply. Ask the vendor specifically where the key was stored and whether the attacker could have reached it; a key on the same compromised server gives you no safe harbor.
- The extent to which the risk has been mitigated. Did the vendor recover the data? Did the attacker’s systems get seized by law enforcement?
Document this analysis in writing. If you can show a low probability that PHI was compromised, you may not have a reportable breach. But the analysis has to exist on paper, not just in your head. OCR will ask for it.
Step 5: Take the Vendor Offline If Necessary (First 24 Hours)
If the breach is ongoing — the vendor’s systems are still compromised — and you’re actively sharing data with them, stop the connection. Suspend data feeds, disable integrations, and halt any automated transfers.
Yes, that might mean manual claims processing, paper workflows, or temporary operational disruptions. That's far less painful than continuing to feed PHI into a compromised environment.
Change Healthcare taught thousands of practices that they had a single point of failure. While your primary vendor is down:
- Identify backup vendors or manual workarounds. For claims processing, know your backup clearinghouse options.
- Document the operational impact. Lost revenue, delayed claims, staff overtime: you may need this for insurance claims or litigation.
- Communicate with your staff. They need to know what’s happening and what the temporary workflow looks like.
Step 6: Build Your Affected Patient List (24-48 Hours)
Work with the vendor to get a specific list of which of your patients had data exposed. You need names and the types of PHI involved for each person.
If the vendor can’t provide this list — which happens more often than you’d expect, especially in large-scale breaches — consult with a HIPAA attorney about your options. You may need to notify all patients whose data the vendor had access to, not just those confirmed as compromised.
Perry Johnson & Associates took months to provide complete patient lists to affected healthcare organizations. Concentra didn't file its report with OCR until January 2024, even though the PJ&A breach was discovered in May 2023. The delay wasn't unusual; it was the norm. Plan accordingly.
Step 7: Notify Affected Patients (Within 60 Days of Discovery)
If your risk assessment determines that a breach of unsecured PHI occurred, patient notification is mandatory: without unreasonable delay, and no later than 60 days after discovery. A breach is treated as discovered on the first day you know about it or, with reasonable diligence, would have known. If the business associate acts as your agent, its discovery date is imputed to you; if it is an independent contractor, your 60-day clock starts when it notifies you, but the vendor has its own 60-day clock to do so, so patients can end up waiting close to 120 days. Either way, do not wait to confirm every detail before starting.
Each patient notice must include, in plain language:
- A brief description of what happened and when
- The types of PHI involved (e.g., “your name, date of birth, Social Security number, and insurance information”)
- Steps the patient should take to protect themselves (credit monitoring, fraud alerts, reviewing explanation of benefits statements)
- What your practice is doing to look into and prevent future incidents
- Contact information for your Privacy Officer
Method: Written notice by first-class mail to each patient's last known address (email only if the patient has agreed to electronic notice). If you have insufficient or out-of-date contact information for 10 or more people, you must provide substitute notice: either a conspicuous posting on your website homepage for 90 days or a notice in major print or broadcast media where the affected patients likely live, and in both cases a toll-free number, active for at least 90 days, where people can learn whether they were affected. For fewer than 10 people, an alternative written notice, a phone call, or other means is enough.
Media notice: If more than 500 people in a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area within the same 60-day window.
Step 8: Report to HHS OCR
For breaches affecting 500 or more people: Report to OCR within 60 days of discovery through the HHS breach portal. OCR will post these on the public “Wall of Shame” — the Breach Portal that lists every large breach for public viewing.
For breaches affecting fewer than 500 people: You have until 60 days after the end of the calendar year in which the breach was discovered, which is March 1 (or February 29 in a leap year). For breaches discovered in 2026, the deadline is March 1, 2027. But record everything now while details are fresh. Don't wait; the March 1 small-breach deadline catches practices off guard every year.
OCR’s report will ask about the nature of the breach, PHI types involved, your protections at the time, what you’ve done in response, and your corrective action plan.
Step 9: Check State Breach Notification Laws
HIPAA isn't the only notification law that applies. Most states have their own breach notification statutes, and many have requirements that go beyond HIPAA:
- Shorter notification timelines: some states require notice within 30 days or less
- State AG notification: many states require you to notify the Attorney General, not just affected individuals
- Additional content requirements: some states mandate offering credit monitoring or identity theft protection
Check the laws for every state where affected patients reside. If you have patients in multiple states, you may have multiple overlapping duties with different deadlines. This is where legal counsel earns their fee.
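Steps 6 through 9 amount to a set of counts and date calculations that are easy to get wrong under pressure. As an added example (not part of the original article), the Python script below takes a discovery date and an affected-patient list and works out the federal obligations from Steps 7 and 8: the 60-day patient notice deadline, the per-state counts that trigger media notice (more than 500 residents of one state), whether the breach takes the 500-or-more HHS path or the end-of-year path, and whether substitute notice is required (10 or more bad addresses). State-law deadlines from Step 9 are not modeled. The patient records, the `state` and `address_current` fields, and the counts in `sample_patients()` are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not from the original article. Thresholds are the federal
# Breach Notification Rule figures cited in the text. The patient records
# built by sample_patients() are constructed sample data, not real breach data.


@dataclass(frozen=True)
class AffectedPatient:
    patient_id: str
    state: str             # two-letter state or jurisdiction of residence (assumed field)
    address_current: bool  # False when the last known mailing address is known to be bad


def patient_notice_deadline(discovered: date) -> date:
    """Individual notice: without unreasonable delay, no later than 60 days after discovery."""
    return discovered + timedelta(days=60)


def hhs_report_deadline(discovered: date, total_affected: int) -> date:
    """500 or more individuals: report to HHS within 60 days of discovery.
    Fewer than 500: within 60 days after the end of the calendar year of discovery,
    which lands on March 1, or February 29 when the following year is a leap year."""
    if total_affected >= 500:
        return discovered + timedelta(days=60)
    return date(discovered.year, 12, 31) + timedelta(days=60)


def media_notice_states(patients, threshold: int = 500) -> list:
    """States or jurisdictions with MORE than `threshold` affected residents need media notice."""
    counts = Counter(p.state for p in patients)
    return sorted(s for s, n in counts.items() if n > threshold)


def substitute_notice_required(patients, threshold: int = 10) -> bool:
    """Substitute notice (website posting or major media, plus a toll-free number)
    applies when contact information is insufficient for `threshold` or more people."""
    return sum(1 for p in patients if not p.address_current) >= threshold


def notification_plan(discovered_iso: str, patients) -> dict:
    """Summarize the federal obligations for one breach. Dates are ISO strings."""
    discovered = date.fromisoformat(discovered_iso)
    total = len(patients)
    return {
        "total_affected": total,
        "patient_notice_by": patient_notice_deadline(discovered).isoformat(),
        "hhs_large_breach": total >= 500,
        "hhs_report_by": hhs_report_deadline(discovered, total).isoformat(),
        "media_notice_states": media_notice_states(patients),
        "substitute_notice_required": substitute_notice_required(patients),
        "per_state_counts": dict(Counter(p.state for p in patients)),
    }


def sample_patients():
    """Constructed sample: 620 Texas residents (the first 12 with a known-bad
    address) and 45 Oklahoma residents. Counts are assumptions for illustration."""
    tx = [AffectedPatient(f"TX-{i:04d}", "TX", address_current=i >= 12) for i in range(620)]
    ok = [AffectedPatient(f"OK-{i:04d}", "OK", address_current=True) for i in range(45)]
    return tx + ok


if __name__ == "__main__":
    # Discovery on 2026-03-10 with the sample list: 665 people, so the large-breach
    # HHS path applies, Texas alone exceeds 500 and needs media notice, and the
    # 12 bad addresses trigger substitute notice.
    for key, value in notification_plan("2026-03-10", sample_patients()).items():
        print(f"{key}: {value}")
```

The per-state counts are also the starting point for Step 9: each state in `per_state_counts` is a state whose own breach statute you need to check, and some of those deadlines will be shorter than the federal 60 days.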
Step 10: Review and Update Your BAA (Within 30 Days)
Once the immediate crisis is handled, review your BAA with the breached vendor:
- Did the vendor meet its notice duties under the BAA? If it took them four months to tell you, and the BAA says 30 days, that’s a contract breach.
- Did the vendor keep the security standards it agreed to? Change Healthcare didn’t have MFA on a remote access portal. That’s the kind of gap a proper BAA and vendor review should catch.
- Do you need to end the relationship? If the vendor can’t show enough fixes, continuing the relationship creates ongoing risk.
Update the BAA with stronger security requirements, shorter notification windows, and specific technical standards (encryption, MFA, access controls). If the vendor won't agree to tighter terms, find a vendor who will.
Step 11: Conduct a Post-Incident Review (Within 60 Days)
After the dust settles, conduct a formal review with your team:
- What worked? Did your response plan hold up? Did your team know their roles?
- What failed? Where did communication break down? What information took too long to get?
- What would you do differently? Update your incident response plan with specific improvements.
- What vendor changes are needed? Do you need backup vendors? Better vetting steps? Stronger BAA language?
Document the review and its outcomes. This becomes part of your compliance record and demonstrates to OCR that you learn from incidents.
Step 12: Audit Every Vendor Relationship
Don't wait for the next breach to review your other vendors. Build a complete vendor inventory:
- List every vendor that touches PHI
- Confirm a current, signed BAA exists for each one
- Request security documentation: SOC 2 reports, penetration test results, incident response plans
- Ask about prior breaches and how they were handled
- Verify they use MFA, encryption at rest and in transit, and access logging
Vendors who can't answer these questions need immediate attention. A vendor security questionnaire should be standard practice, not something you create after getting burned. In 2024, breached healthcare records rose 64%, driven largely by vendor vulnerabilities that nobody had checked.
Your Vendor Breach Response Checklist
Keep this somewhere accessible. When the call comes, you won't have time to research:
- First hour: confirm your exposure with the vendor, in writing; activate the response team; open the incident log
- First 4 hours: pull the BAA and check its notification, responsibility, security, and indemnification terms
- First 24 hours: complete and document the four-factor risk assessment; cut data feeds to the vendor if the breach is ongoing
- 24 to 48 hours: build the affected patient list
- Within 60 days of discovery: notify patients; notify media if more than 500 residents of one state are affected; report to OCR if 500 or more people are affected (otherwise by March 1 of the following year)
- In parallel: check the breach notification law of every state where affected patients live
- Within 30 days: review and update the BAA
- Within 60 days: hold the post-incident review
- Afterward: audit every vendor relationship that touches PHI
The Honest Reality About Supply Chain Attacks in Healthcare
You can't prevent your vendors from being attacked. Change Healthcare had the resources of UnitedHealth Group behind it, $3.1 billion in breach costs later, and still got breached through a portal without MFA. Attackers were inside Perry Johnson & Associates' systems for over a month before anyone noticed. The MOVEit vulnerability affected thousands of organizations simultaneously.
What separates practices that survive a vendor breach cleanly from those that face OCR enforcement isn't whether the breach happened; it's whether they responded properly. Had a plan. Documented their actions. Notified on time. Showed OCR they took it seriously.
When the call comes that your vendor has been hacked, be the practice that had a plan — not the one scrambling to figure out what HIPAA requires.
Related Reading
- The Change Healthcare Breach One Year Later — What 190 million exposed records taught us about vendor dependency
- The Business Associate Agreement Mistakes That Will Cost You — Fix these BAA gaps before your next vendor incident
- Ransomware Hit Your Practice — The First 72 Hours — The incident response playbook for direct attacks
- MFA Is About to Be Required for HIPAA — Why the Change Healthcare breach accelerated this rule
- Healthcare Breaches Doubled in 2025 — The vendor-driven breach epidemic by the numbers
Need help building a vendor management program and incident response plan before the next breach hits? One Guy Consulting offers affordable HIPAA compliance packages, including BAA templates, vendor security questionnaires, and incident response procedures.
- Explore HIPAA compliance services
- Business associate agreement management
Related: Vendor management for HIPAA