Third-Party Data Breach Case Underscores Need for Cyber Risk Management

Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs.

By Jeff Wardon, Jr., Assistant Editor


A $675,000 settlement following a 2023 vendor data breach is a recent example of how cyber risks don’t just stop at a hospital’s doorstep. For healthcare facilities, the case highlights a challenging trend: managing and mitigating risks that come with depending on third-party vendors. 

A settlement has been reached in a class action lawsuit over a November 2023 data breach at revenue cycle management provider R1 RCM Inc., which also involved Dignity Health’s St. Rose Dominican Hospital, Rosa de Lima Campus in Nevada, The HIPAA Journal reports. The breach exposed 16,121 people’s personal data, including Social Security numbers and medical information. Plaintiffs alleged negligence in safeguarding patient data; defendants denied wrongdoing but settled to avoid litigation costs. 

The R1 RCM breach isn’t just an isolated event. Since the company was a third-party vendor, the ripple effects directly impacted the hospitals it served, highlighting how healthcare facilities can end up as collateral damage in vendor attacks. 


Healthcare facilities managers have to begin improving visibility into their software and understanding where they’re exposed to concentration risk, Jeffrey Wheatman, senior vice president and cyber risk strategist at Black Kite, told Healthcare Facilities Today. A high level of concentration risk indicates that a healthcare organization relies too much on one vendor.

When that happens, the impact of a cyberattack could be widespread and severe if the vendor gets compromised. Managers can begin to understand this risk by being aware of the software their departments use and how it’s integrated with other systems. 

“If everybody uses a software and there's a vulnerability in that software, I need to know if my vendor is using it,” Chris Henderson, chief information security officer at Huntress, told Healthcare Facilities Today. “If I see that there is a security advisory issued for the software, my company needs to watch all the vendors more closely and the integration points for all the vendors that are using that software.”  

Jeff Wardon, Jr., is the assistant editor of the facilities market.  



September 16, 2025


Topic Area: Information Technology, Security



Copyright © 2023 TradePress. All rights reserved.