Two healthcare breaches expose the vendor risk gap
- May 26

Two May 2026 healthcare breaches — at The Oncology Institute and Radiology Associates of Richmond — were caused by third-party vendor compromises, not direct attacks on the providers. Verizon’s 2026 Data Breach Investigations Report found that third parties were involved in 48% of breaches last year, a 60% year-over-year increase. For healthcare organizations, vendor risk is now the dominant exposure.
What happened at The Oncology Institute and Radiology Associates of Richmond?
The Oncology Institute (TOI) disclosed a third-party vendor breach in a U.S. Securities and Exchange Commission (SEC) Form 8-K filed May 22, 2026. According to TOI’s filing, Kroll — acting as the third-party administrator for one of TOI’s software vendors — notified the company on May 20, 2026 that an unauthorized party had accessed certain information systems, including systems holding patient data.
TOI had first referenced the incident in an earlier SEC 8-K on November 6, 2025, but at that time the company had no confirmation that patient data was involved. The May 2026 update reversed that. TOI has stated that its technology security and continuity plan allowed clinical operations to continue, and the company is offering credit monitoring to impacted patients while reserving its rights against the third parties involved.
Separately, Radiology Associates of Richmond (RAR), one of the oldest continuously operating private radiology practices in the United States, began notifying 266,183 individuals on May 21, 2026 of a data breach involving their protected health information. The HIPAA Journal reported that the breach was disclosed to the Maine Attorney General’s office, and a Vermont Attorney General filing indicated that medical records, financial account codes, and credit and debit account information were potentially exposed.
RAR’s forensic investigation, which concluded on April 6, 2026, confirmed that unauthorized access occurred on or around July 25, 2025 — nearly ten months before patient notification began. RAR told affected individuals that those whose Social Security numbers were exposed are being offered complimentary credit monitoring and identity theft protection.
In a statement included with the patient notifications, the company said: “[Radiology Associates of Richmond] is committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.”
Why third-party vendor breaches now drive nearly half of healthcare incidents
Verizon’s 2026 Data Breach Investigations Report (DBIR) found that breaches involving a third party reached 48% of the analyzed dataset, up from 30% in the 2025 DBIR — a 60% year-over-year increase. The report analyzed more than 31,000 security incidents and over 22,000 confirmed breaches across 145 countries. In healthcare, the layered vendor ecosystem amplifies that exposure: a single software vendor, claims processor, billing company, or third-party administrator can touch protected health information for hundreds of thousands of patients.
The TOI incident illustrates the layering directly. TOI relied on a software vendor. That vendor used Kroll as its third-party administrator. Kroll was the entity that detected the unauthorized access and notified TOI. From the patient’s perspective, the breach happened at their oncology provider; from the regulator’s perspective, the chain of responsibility runs through at least three organizations before it reaches the entity legally obligated to notify.
The DBIR also reported that only 23% of third-party cloud platforms in the dataset had fully remediated missing or misconfigured multifactor authentication. That control gap matters because the most common vendor compromise pattern in 2025 — the one seen in the Salesloft Drift and Snowflake-era credential incidents — did not require a CVE. It required a single weak authentication point in a vendor environment that held customer data.
MITRE ATT&CK frames this attack pattern as T1195 (Supply Chain Compromise) and T1199 (Trusted Relationship), where adversaries exploit the trust between an organization and its third-party vendors to access networks or data. Both patterns appear in the publicly available analysis of the TOI incident.
What is at stake when a vendor — not your network — is the entry point?
When a business associate’s systems are compromised, the healthcare provider still owns the regulatory exposure. The HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in many cases state attorneys general — regardless of whether the breach occurred on the provider’s own network or a vendor’s. The covered entity carries the OCR investigation, the state filings, the class action exposure, and the patient communications cost.
For publicly traded healthcare companies like TOI, the SEC’s cyber disclosure rules add a second clock. Form 8-K Item 1.05 requires registrants to disclose any material cybersecurity incident within four business days of determining it is material to investors. TOI’s May 22 8-K filing is the visible end of that clock; the November 6, 2025 initial disclosure shows how long the underlying investigation can run before a material determination is reached.
The financial stakes scale faster than most CFOs project. Notification, credit monitoring, forensic investigation, legal defense, regulatory penalties, and class action exposure can each independently exceed a six-figure budget line. Radiology Associates of Richmond was already named in a class action filing by classaction.org within days of the May 21 notification round — a pattern now standard within weeks of any healthcare breach affecting more than a few thousand records.
What should healthcare CFOs and COOs do?
Healthcare leaders should treat May’s incidents as a prompt to inventory vendor access, not a reason to wait for the next breach to land. Both the Verizon 2026 DBIR data and the pending HIPAA Security Rule update point to the same conclusion: vendor risk management has moved from a procurement checkbox to a documented, testable control. The work below is concrete and can begin this week.
Pull a current list of all business associates with access to electronic protected health information (ePHI) or financial systems, and flag which of those vendors rely on their own third-party administrators (the fourth-party layer). The TOI/Kroll chain is exactly this kind of dependency, and most organizations do not have it mapped.
Review each Business Associate Agreement (BAA) for three things: a defined breach notification timeline (typically 30 to 60 days, sometimes shorter), explicit audit rights, and a termination clause tied to security failures. BAAs written more than three years ago often lack all three. Where a BAA does lack them, the renewal cycle is the time to fix it.
For each high-risk vendor, request current evidence: a SOC 2 Type II report or equivalent, the most recent HIPAA risk assessment summary, confirmation of multifactor authentication on systems handling ePHI, and a penetration test summary from within the last twelve months. If a vendor cannot produce that documentation on request, that gap is the finding.
Stand up a tabletop exercise framed specifically around “the vendor is breached, not us.” Most incident response plans assume the intrusion begins inside the organization’s perimeter, and they break down when the first call comes from a third-party administrator. Purple Shield Security works with healthcare clients on exactly this kind of vendor-program review through its fractional CISO and compliance services — the goal is to walk into a breach call already knowing who is on the other end of the line and what your BAA says about it.
How does this fit into HIPAA Security Rule changes coming in 2026?
The HIPAA Security Rule update — published as a proposed rule by HHS Office for Civil Rights (OCR) in January 2025 — is on the federal regulatory agenda for finalization in 2026. According to the HIPAA Journal, the proposed rule moves nearly all “addressable” safeguards to mandatory, requires written technology asset inventories and network maps of ePHI data flows, and obligates business associates to provide written compliance testing evidence to covered entities. Compliance is expected within 180 to 240 days of finalization.
Specific changes that matter for vendor oversight include mandatory multifactor authentication on systems that access ePHI, encryption of ePHI at rest and in transit, vulnerability scanning at least every six months, penetration testing at least annually, and written attestation of vendor compliance with the BAA’s security requirements. Each of these moves from “recommended” to “required and documented.”
The May 2026 breaches arrive at exactly the moment when those obligations are being written into law. Healthcare practices that have treated their BAA portfolio as a paperwork exercise will inherit several quarters of catch-up work — risk assessments, evidence collection, vendor remediation negotiations, and documentation — in a compressed window. A risk assessment that maps the vendor inventory to the proposed rule’s specific requirements is the cleanest way to know where the gaps are before OCR has the authority to ask.
Frequently asked questions
Is the Oncology Institute breach connected to TriZetto?
SecurityWeek identified TriZetto as one possible candidate for the unnamed software vendor in TOI’s May 22, 2026 SEC Form 8-K filing, but TOI has not publicly named the vendor and TriZetto has not confirmed any involvement. The 8-K refers only to “a software vendor” for which Kroll acts as the third-party administrator. Until either company confirms publicly, any specific vendor attribution is speculation.
Does HIPAA require a covered entity to notify patients if its business associate is breached?
Yes. Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), when a breach occurs at a business associate, the covered entity is generally responsible for notifying affected individuals, HHS, and in many cases state attorneys general. A Business Associate Agreement (BAA) can assign the operational notification work to the business associate, but the regulatory accountability stays with the covered entity. The notification clock typically starts when the covered entity is informed of the breach, not when the BA first discovers it.
What evidence should a healthcare practice request from its business associates each year?
At a minimum: a current SOC 2 Type II report or equivalent independent attestation, the most recent HIPAA risk assessment summary, written confirmation of multifactor authentication enforcement on systems handling ePHI, a penetration test summary completed within the last twelve months, and a signed attestation of compliance with the security obligations in the BAA. The proposed 2026 HIPAA Security Rule update would make several of these documentation requirements explicit rather than discretionary.
What is the difference between a third-party breach and a fourth-party breach?
A third-party breach happens at one of your direct business associates — a vendor with whom you have a signed BAA. A fourth-party breach happens at one of your business associate’s own vendors. The Oncology Institute incident is the textbook fourth-party pattern: TOI used a software vendor, that vendor used Kroll as its third-party administrator, and the breach surfaced through Kroll. Fourth-party exposure is harder to identify because most BAA portfolios do not require business associates to disclose their own vendor chain.
The mid-market healthcare practices and provider groups that get ahead of this do not wait for OCR to ask the hard questions. They walk into the conversation already knowing which vendors touch ePHI, which BAAs need rework, and which controls have evidence behind them. Purple Shield Security works with healthcare clients on exactly that kind of vendor and compliance program review through its vCISO Services, and fractional CISO and risk assessment services. If your team would benefit from a second set of eyes on where your third-party exposure actually sits, that is a conversation worth having.
By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: May 26, 2026
Last updated: May 26, 2026