Third-Party Data Breach Case Underscores Need for Cyber Risk Management

Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs.

By Jeff Wardon, Jr., Assistant Editor


A $675,000 settlement following a 2023 vendor data breach is a recent example of how cyber risks don’t just stop at a hospital’s doorstep. For healthcare facilities, the case highlights a challenging trend: managing and mitigating risks that come with depending on third-party vendors. 

A settlement has been reached in a class action lawsuit over a November 2023 data breach at revenue cycle management provider R1 RCM Inc., which also involved Dignity Health’s St. Rose Dominican Hospital, Rosa de Lima Campus in Nevada, The HIPAA Journal reports. The breach exposed 16,121 people’s personal data, including Social Security numbers and medical information. Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs. 

The R1 RCM breach isn’t just an isolated event. Since the company was a third-party vendor, the ripple effects directly impacted the hospitals it served, highlighting how healthcare facilities can end up as collateral damage in vendor attacks. 


Healthcare facilities managers have to begin improving visibility into their software and understand where they’re exposed to concentration risk, Jeffrey Wheatman, senior vice president and cyber risk strategist at Black Kite, told Healthcare Facilities Today. A high level of concentration risk indicates that a healthcare organization relies too much on one vendor. 

When that happens, the impact of a cyberattack could be widespread and severe if the vendor gets compromised. Managers can begin to understand this risk by being aware of the software their departments use and how it’s integrated with other systems. 

“If everybody uses a software and there's a vulnerability in that software, I need to know if my vendor is using it,” Chris Henderson, chief information security officer at Huntress, told Healthcare Facilities Today. “If I see that there is a security advisory issued for the software, my company needs to watch all the vendors more closely and the integration points for all the vendors that are using that software.”  

Jeff Wardon, Jr., is the assistant editor of the facilities market.  



September 16, 2025


Topic Area: Information Technology, Security

