The second in a series analyzing HIPAA breach data from the HHS Office for Civil Rights.
TL;DR: 42% of all patient records exposed through email breaches came from business associates, not from providers themselves. BAs account for only 15% of email breaches by count, but produce disproportionately large incidents — nearly 5x the average size of a provider email breach. Most third-party risk assessments don't ask the right questions about email data at rest. That's a gap worth closing.
The assumption most healthcare security teams make
When healthcare organizations think about email account takeover risk, they think about their own employees. Their own inboxes. Their own MFA policies and phishing training programs.
That's a reasonable place to start. But the data tells a different story about where the largest exposures actually come from.
In our previous analysis of 702 HIPAA breaches, we found that 1 in 5 healthcare breaches involved email, and 85% of those were account takeovers. We've since gone deeper into one finding that surprised us: the role of business associates.
What the breach data shows
Of the 144 email-related HIPAA breaches under investigation by HHS as of March 2026, 22 came through business associates — vendors, service providers, and third-party organizations that handle protected health information on behalf of healthcare providers and health plans.
22 out of 144 is 15%. That doesn't sound alarming.
But those 22 breaches exposed 812,000 patient records. Out of 1.9 million total records exposed across all email breaches, that's 42%.
15% of the breaches. 42% of the exposure.

The reason is straightforward: when a business associate's email is compromised, the blast radius is enormous. A single BA often serves dozens or hundreds of provider clients. A compromised mailbox at a billing company, a staffing firm, or a health data analytics vendor doesn't just contain that vendor's internal communications — it contains PHI from every provider they serve.
BA email breaches are nearly 5x larger than provider breaches
The average email breach at a healthcare provider exposed roughly 7,500 patient records. Significant, but typically contained to one organization's patient population.
The average email breach at a business associate exposed nearly 37,000 patient records — 4.9 times larger.
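To make the count-versus-exposure comparison reproducible, here is an added Python example (not the post's own analysis code) that runs the same aggregation over a breach-portal CSV export. It assumes the export's column names (Covered Entity Type, Individuals Affected, Location of Breached Information) and treats a breach as a business-associate breach when the reporting entity type is Business Associate, which is an assumption about how the post bucketed the data; the rows in SAMPLE_CSV are constructed for illustration, not real portal records.

```python
"""Count-vs-exposure comparison over a breach-portal style CSV export.

Added example, not the post's analysis code. Column names are assumed to
match the HHS OCR Breach Portal CSV export; the rows below are constructed
sample data, not real breach records.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed export layout (not real breaches).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,OH,Healthcare Provider,5000,01/10/2026,Hacking/IT Incident,Email,No
Example Hospital B,TX,Healthcare Provider,10000,01/15/2026,Hacking/IT Incident,"Email, Network Server",No
Example Practice C,CA,Healthcare Provider,3000,02/01/2026,Hacking/IT Incident,Network Server,No
Example Billing Vendor X,NY,Business Associate,120000,02/05/2026,Hacking/IT Incident,Email,Yes
Example Health Plan Y,FL,Health Plan,5000,02/20/2026,Hacking/IT Incident,Email,No
Example Staffing Vendor Z,IL,Business Associate,10000,03/01/2026,Loss,Paper/Films,Yes
"""


def is_email_breach(row):
    """True if Email is one of the breach locations.

    The location field can hold several comma-separated values
    ("Email, Network Server"), so match on tokens, not the whole string.
    """
    locations = {loc.strip() for loc in row["Location of Breached Information"].split(",")}
    return "Email" in locations


def bucket(row):
    """Business associates vs. everyone else reporting as a covered entity
    (providers, health plans, clearinghouses)."""
    if row["Covered Entity Type"] == "Business Associate":
        return "Business Associate"
    return "Covered Entity"


def email_breach_stats(csv_text):
    """Per-bucket breach count, individuals affected, mean size and shares
    of all email breaches."""
    counts = defaultdict(int)
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_email_breach(row):
            continue
        b = bucket(row)
        counts[b] += 1
        # Tolerate thousands separators in case the export has them.
        totals[b] += int(row["Individuals Affected"].replace(",", ""))
    all_count = sum(counts.values())
    all_total = sum(totals.values())
    stats = {}
    for b in counts:
        stats[b] = {
            "breaches": counts[b],
            "individuals": totals[b],
            "mean_size": totals[b] / counts[b],
            "share_of_breaches": counts[b] / all_count,
            "share_of_exposure": totals[b] / all_total,
        }
    return stats


def size_ratio(stats):
    """How many times larger the average BA email breach is than the average
    covered-entity email breach."""
    return stats["Business Associate"]["mean_size"] / stats["Covered Entity"]["mean_size"]


if __name__ == "__main__":
    s = email_breach_stats(SAMPLE_CSV)
    for b, v in s.items():
        print(f"{b}: {v['breaches']} breaches, {v['individuals']:,} individuals, "
              f"{v['share_of_breaches']:.0%} of breaches, {v['share_of_exposure']:.0%} of exposure")
    print(f"BA / covered-entity mean-size ratio: {size_ratio(s):.1f}x")
```

Two details matter when you run this against a real export: the location field is multi-valued, so a breach that lists "Email, Network Server" still counts as an email breach, and health plans are grouped with providers here because the post's comparison is business associates against the covered entities they serve. The "Business Associate Present" column is a different signal (a covered entity reporting that a BA was involved) and is deliberately not used for bucketing.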

And at the top of the distribution, the gap is even more stark. The two largest email breaches in the entire OCR dataset — out of all 144 email-related incidents — were both business associates. The largest, at a mammography services company, exposed 357,000 individuals' PHI. The second largest exposed over 320,000. Between them, those two incidents account for 677,000 patient records — 35% of all email breach exposure from just two BA incidents.
Across the full list of BA email breaches, the pattern holds: imaging and diagnostics providers, clinical staffing firms, health data analytics companies, benefits administrators, oncology networks. These are organizations that routinely handle PHI from dozens or hundreds of provider clients — and a single compromised mailbox at any of them can expose patient data across the entire client base.
The provider still reports the breach
Here's the part that makes this a problem for healthcare security leaders, not just for vendors.
When a business associate suffers an email breach that exposes patient data, the BA is required to notify each affected covered entity without unreasonable delay, and no later than 60 days after discovery. But the covered entity — the hospital, the health plan, the provider — is the one that reports to HHS, notifies patients, and appears on the OCR Breach Portal. A BAA can delegate the notification work to the BA, but the covered entity remains responsible for it.
Your vendor gets breached. Your patients' data is exposed. Your organization's name goes on the Wall of Shame.
This isn't a theoretical risk. It's the mechanism behind many of the largest breaches in the dataset. A mammography services company's compromised email account exposed 357,000 individuals' PHI — and every provider that used that company had to report a breach they didn't cause and couldn't have prevented with their own security controls.
The gap in third-party risk assessments
Most healthcare organizations have third-party risk management programs. Vendor security questionnaires are standard. BAAs are in place. Many organizations use frameworks like HITRUST or work through programs like Health-ISAC's third-party risk services to assess their vendors.
But here's what most of those assessments miss: they ask whether a vendor uses MFA and whether they encrypt data in transit and at rest. They ask about endpoint protection and incident response plans. These are important questions.
They rarely ask: what happens to PHI inside your vendor's email accounts after an account is compromised?
Does the vendor have controls that protect data at rest inside email — not just at the perimeter? If an attacker bypasses MFA and authenticates to a vendor employee's mailbox, is there a containment layer that limits what they can access? Or is every message from every provider client immediately exposed?
For most business associates, the answer is the same as it is for most providers: there is no containment layer. A compromised email account means full access to everything in the mailbox.
The difference is that a compromised BA mailbox may contain PHI from dozens of your peers, not just your organization. The blast radius is structurally larger.
What this means for healthcare security leaders
This isn't an argument against working with business associates — that's not realistic. Healthcare runs on a complex ecosystem of providers, payers, vendors, and service organizations, and data has to flow between them.
But the data suggests three things worth acting on:
First, add email-specific questions to your vendor risk assessments. Not "do you use email encryption" — that covers data in transit. Ask about data at rest inside mailboxes. Ask what happens after an account takeover. Ask whether there's a containment layer between authentication and access to historical messages.
Second, understand your BA email exposure. How many business associates have access to your patients' PHI through email? Not through APIs or dedicated systems — through regular email correspondence. Referral letters, authorization requests, billing communications, clinical notes. That accumulated data is the exposure surface, and most organizations have never mapped it.
Third, rethink how you evaluate BA email breaches in your risk model. The OCR data shows that BA email breaches produce 5x the exposure of provider email breaches. If your risk model treats all email account takeovers equally, it's underweighting the supply chain scenario.
This is the second in our series analyzing HIPAA breach data from the HHS Office for Civil Rights. The first post — We Analyzed 702 HIPAA Breaches. The Problem Isn't the Phish — It's What's Already in the Inbox — covers the full dataset. Data source: HHS OCR Breach Portal, breaches under investigation as of March 2026.
