By Jeff Wardon, Jr., Assistant Editor

A $675,000 settlement following a 2023 vendor data breach is a recent example of how cyber risks don’t just stop at a hospital’s doorstep. For healthcare facilities, the case highlights a challenging trend: managing and mitigating risks that come with depending on third-party vendors. 

A settlement has been reached in a class action lawsuit over a November 2023 data breach at revenue cycle management provider R1 RCM Inc., which also involved Dignity Health’s St. Rose Dominican Hospital, Rosa de Lima Campus in Nevada, The HIPAA Journal reports. The breach exposed 16,121 people’s personal data, including Social Security numbers and medical information. Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs. 

The R1 RCM breach isn’t just an isolated event. Since the company was a third-party vendor, the ripple effects directly impacted the hospitals it served, highlighting how healthcare facilities can end up as collateral damage in vendor attacks. 

Related Content: Cyber Crossfire: Why Healthcare Is Becoming a Battleground in Global Conflicts

Healthcare facilities managers have to begin improving visibility into their software and understand where they’re exposed to concentration risk, Jeffrey Wheatman, senior vice president and cyber risk strategist at Black Kite, told Healthcare Facilities Today. A high level of concentration risk indicates that a healthcare organization relies too much on one vendor. 

When that happens, the impact of a cyberattack could be widespread and severe if the vendor gets compromised. Managers can begin to understand this risk by being aware of the software their departments use and how it’s integrated with other systems. 

“If everybody uses a software and there's a vulnerability in that software, I need to know if my vendor is using it,” Chris Henderson, chief information security officer at Huntress, told Healthcare Facilities Today. “If I see that there is a security advisory issued for the software, my company needs to watch all the vendors more closely and the integration points for all the vendors that are using that software.”  

Jeff Wardon, Jr., is the assistant editor of the facilities market.