Third-Party Data Breach Case Underscores Need for Cyber Risk Management

Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs.

By Jeff Wardon, Jr., Assistant Editor


A $675,000 settlement following a 2023 vendor data breach is a recent example of how cyber risks don’t just stop at a hospital’s doorstep. For healthcare facilities, the case highlights a challenging trend: managing and mitigating risks that come with depending on third-party vendors. 

A settlement has been reached in a class action lawsuit over a November 2023 data breach at revenue cycle management provider R1 RCM Inc., which also involved Dignity Health’s St. Rose Dominican Hospital, Rosa de Lima Campus in Nevada, The HIPAA Journal reports. The breach exposed 16,121 people’s personal data, including Social Security numbers and medical information. Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs. 

The R1 RCM breach isn’t just an isolated event. Since the company was a third-party vendor, the ripple effects directly impacted the hospitals it served, highlighting how healthcare facilities can end up as collateral damage in vendor attacks. 

Healthcare facilities managers have to begin improving visibility into their software and understand where they’re exposed to concentration risk, Jeffrey Wheatman, senior vice president and cyber risk strategist at Black Kite, told Healthcare Facilities Today. A high level of concentration risk indicates that a healthcare organization relies too much on one vendor. 

When that happens, the impact of a cyberattack could be widespread and severe if the vendor gets compromised. Managers can begin to understand this risk by being aware of the software their departments use and how it’s integrated with other systems. 

“If everybody uses a software and there's a vulnerability in that software, I need to know if my vendor is using it,” Chris Henderson, chief information security officer at Huntress, told Healthcare Facilities Today. “If I see that there is a security advisory issued for the software, my company needs to watch all the vendors more closely and the integration points for all the vendors that are using that software.”  

Jeff Wardon, Jr., is the assistant editor of the facilities market.  



September 16, 2025


Topic Area: Information Technology, Security

