3rd Party Risk Management
,
Agentic AI
,
Data Security
Business Associates Tied to 50% of Breach Victims as AI-Aided Attacks Loom
Third-party vendor hacks continue to plague the healthcare sector, accounting for half of the victims of major health data breaches. Security experts warn that rapidly advancing artificial intelligence tools are likely to make attacks on third parties even more effective at stealing data.
See Also: Securing the Next Billion AI Agents
The arrival of new AI systems – including Anthropic’s Mythos and other tools capable of generating exploit code, identifying vulnerabilities and automating reconnaissance – could dramatically increase the speed and scale of attacks. Experts say third-party vendors – ranging from software firms to bill collectors – will be a target because they tend to serve many or even hundreds healthcare organizations.
“Over the years, the number of breaches attributed to third parties – business associates – has been steadily increasing from around 25% back in 2010 to around 30%,” said Tom Walsh, founder and principal consultant of privacy and security firm tw-Security. “However, so far in 2026, the percentage is 41%. This means third parties are a major cybersecurity problem for healthcare.”
As of Thursday, the U.S. Department of Health and Human Services listed 351 major health data breaches reported so far in 2026, affecting nearly 20.7 million people. Of these, business associates were involved in 145 incidents, or about 41% of the breaches posted on the HHS website. Those breaches affected 9.94 million people – nearly half of everyone affected so far this year.
Mike Hamilton, CISO emeritus of technology services firm Datec and former CISO of the city of Seattle, called the continuing rise of attacks on vendors a “striking trend.”
“This suggests that there is a real effort underway to identify the ‘unlocked window’ to crawl through in order to get to the real victim, as well as inadequate controls deployed at these third parties, followed by credential abuse, vulnerability exploit or social engineering to gain initial access,” Hamilton said.
For example, the 2024 ransomware attack on UnitedHealth Group’s Change Healthcare IT services unit in 2024 affected nearly 193 million people – an all-time health data breach record. That year, business associates were at the center of 30% of the major health data breaches reported to HHS, yet they accounted for 78% of patients affected by hacks.

Federal Government Delays New Regs Aimed at Vendor Security
Federal regulators recognized the trend in 2024 and included new mandatory rules to help ensure vendors comply with HIPAA and secure their data. The regulations would have been finalized this summer, but HHS recently revealed that it will wait until at least 2027 to propose a final rule that would update the HIPAA Security Rule. Some observers predict it will take even longer – if it’s taken up at all by the Trump administration.
The delay will undoubtedly give some organizations another excuse to procrastinate implementing certain critical controls and best practices that could otherwise help fend off the rash of attacks they’re already battling, let alone new AI-related threats.
The proposed HIPAA Security Rule – if finalized as written today – would convert several longstanding “addressable” safeguards – including multifactor authentication, encryption, segmentation and vulnerability scanning – into mandatory requirements.
It also would require covered organizations to obtain annual written verification that their business associates have implemented required security controls.
With vendors at the center of so many breaches, such a mandate could pressure many business associates to harden their security and meet the new cybersecurity requirements.
If a final update of the HIPAA security rule does eventually mandate business associates to verify their controls, “this will help,” Hamilton said. But it would still take time for vendors to comply. “The adversary is known to be more nimble and adaptable than typical business associates.”
“The key point isn’t that AI itself will cause more breaches, but that AI will help the attackers, as well as significantly expand the amount of data third parties handle, thereby increasing the opportunities for third-party-related incidents.”
—Tom Walsh, founder, tw-Security
Clearly, compromising business associates as the way to gain access to patient information is a trend that’s growing and not likely to abate, Hamilton said.
“As AI-driven methods for vulnerability identification and agentic AI attacks become more prevalent, business associates are the least likely to make the investments that would allow them to prevent and detect these occurrences,” he said.
While the proposed HIPAA Security Rule update could help close longstanding security gaps, it doesn’t specifically address new emerging threats, such as those posed by AI, Walsh said.
Yet at the same time, the adoption of AI in healthcare for clinical and other uses – along with AI in the hands of bad actors “is one of the most important emerging risks over the next three to five years,” Walsh said.
“The key point isn’t that AI itself will cause more breaches, but that AI will help the attackers, as well as significantly expand the amount of data third parties handle, thereby increasing the opportunities for third-party-related incidents,” he said.
A lot of what is proposed in the HIPAA security rule update – such as multifactor authentication – are things that more mature security healthcare organizations are already doing “because of PCI DSS compliance or because the controls are required by their cyber insurance companies,” Walsh said.
“In my experience, the fear of having to do a public breach notification along with PCI DSS and cyber insurance have become the main drivers for new safeguards and controls, rather than rules from HHS,” he said.
But, he added, “even when a covered entity has a mature security program, it can still suffer a reportable breach because one of its vendors or third parties was compromised.”
The good news so far is in 2026 is that the type of incidents and attacks being reported appear to be “the same type we’ve been dealing with in the past,” Walsh said.
But “attacks are becoming larger, more sophisticated – perhaps because of AI – and increasingly concentrated around third-party service providers rather than individual healthcare organizations,” he said.
Without action by vendors and healthcare organizations to shore up their security – whether mandated by HIPAA or not – hackers will continue to plague the sector, but now with even more effective AI-powered attacks.
The challenge for healthcare organizations is no longer limited to primarily protecting their own environments. As AI enables attackers to find and exploit weaknesses faster, the security posture of every vendor, software provider and business associate increasingly becomes part of the healthcare sector’s overall cyber risk.
Click Here For The Original Source.
