
Breach analysis · Patient Protect

Vendor risk management and business associate oversight: what healthcare practices owe when outside counsel holds PHI

When PHI leaves your practice and lands with outside counsel, your HIPAA obligations travel with it — here's how to govern vendor risk before a third-party breach becomes your notification problem.

Patient Protect Research · May 4, 2026 · First reported in HIPAA Pulse → https://hipaapulse.com/silent-ransom-group-breached-orrick-herrington-and-sutcliffe-exposing-client-data-held-b4a0043a

The control gap

Vendor risk management is the discipline that determines whether a covered entity can contain its regulatory exposure when a third-party incident occurs, and it is the control category most commonly underdeveloped at independent practices. When PHI flows to outside legal counsel, billing companies, or transcriptionists, the covered entity's HIPAA obligations do not transfer with the data; they multiply, because the practice remains accountable for the records while no longer controlling the systems that hold them. The breach of Orrick, Herrington & Sutcliffe LLP by Silent Ransom Group, as first reported by DataBreaches.net and covered by HIPAA Pulse (https://hipaapulse.com/silent-ransom-group-breached-orrick-herrington-and-sutcliffe-exposing-client-data-held-b4a0043a), illustrates the pattern precisely: a data-rich third party with a large healthcare client base becomes the attack surface, and the notification obligations flow back upstream to every covered entity whose patients' records were in those systems.

The compounding risk is that SRG's reported method was callback phishing rather than exploitation of unpatched software: the lure is a message with a phone number, and an operator on the call talks the victim through installing remote-access tooling. The failure point is human, not technical, and it happens on the vendor's estate. Perimeter and endpoint controls at your practice never see the intrusion, because they cannot protect data that already lives on a vendor's systems.

The HIPAA Security Rule provision in play

Three provisions converge here. 45 C.F.R. § 164.308(b) requires a covered entity to obtain satisfactory assurances from each business associate through a written contract, and 45 C.F.R. § 164.314(a) (Business Associate Contracts and Other Arrangements) specifies the terms that contract must contain, including the business associate's duty to implement appropriate safeguards and to report security incidents and breaches. 45 C.F.R. § 164.410 (Notification by a Business Associate) obligates the business associate to notify the covered entity of a breach without unreasonable delay and in no case later than 60 calendar days after the business associate discovers it. That notice starts the covered entity's own obligations under § 164.404 (notice to affected individuals) and § 164.408 (notice to HHS), which likewise run without unreasonable delay and no later than 60 calendar days after the covered entity's discovery. Two caveats matter in practice: 60 days is an outer limit, not a safe harbor, and under § 164.404(a)(2) a breach known to an agent of the covered entity is treated as known to the covered entity, so if the business associate is acting as the practice's agent, the business associate's discovery date starts the practice's clock. If the BAA is missing, expired, or lacks required terms, OCR has pursued enforcement against the covered entity regardless of where the intrusion originated.

How Patient Protect addresses this

  • BAA Management / Vendor Risk Scanner tracks which outside vendors hold PHI, flags missing or expired agreements, and surfaces the legal counsel and professional-services relationships that practices routinely undermonitor.
  • Information Systems Inventory maintains a current record of where PHI travels outside practice systems — a prerequisite for responding coherently when any third-party incident is disclosed.
  • Security Risk Assessment (SRA) incorporates third-party risk as a scored factor, so gaps in vendor oversight register on the practice's compliance posture rather than remaining invisible until an incident occurs.
  • Office Training (80+ modules) includes workforce training on social engineering and callback phishing recognition — directly relevant when SRG-style attacks depend on an employee completing the attacker's steps.
  • Autonomous Compliance Engine recalculates risk posture continuously, so a new vendor relationship or a lapsed BAA surfaces as an open finding rather than accumulating silently.

Practical next steps

  • Audit every active BAA for outside legal counsel — confirm a current, signed agreement exists and that it meets § 164.308(b) and § 164.314 requirements.
  • Build a PHI-flow inventory listing which vendors hold copies of patient data, what categories of data they hold, and when each BAA was last reviewed.
  • Establish a written third-party breach response protocol before you need it, including who at your practice receives vendor breach notifications, how your 60-day clock is tracked from discovery, and whether the vendor acts as your agent (in which case its discovery date, not your receipt of notice, starts your clock). Negotiate a vendor notice window in the BAA far shorter than the regulatory 60 days, since a vendor that uses the full period can consume your entire window before you hear about the incident.
  • Train staff on callback phishing this quarter; the attack vector in incidents like this one targets employees, not servers.
  • Request a security posture summary from high-risk vendors annually; OCR guidance supports reasonable oversight, and documenting that you asked creates an auditable record.
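The inventory audit and the notification-clock tracking in the steps above can be kept as a small script rather than a spreadsheet that nobody re-opens. The following is an added example written for this page; it is not Patient Protect's code and it is not derived from the HIPAA Pulse article. The vendor records, dates and the 12-month review interval are constructed for illustration; the deadlines follow 45 C.F.R. §§ 164.404(a)(2), 164.404(b) and 164.410(b), and the agent flag models the imputed-discovery rule described earlier.

```python
"""Vendor BAA inventory checks and breach-notification clocks (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed internal policy: a BAA not reviewed within 12 months is a finding.
REVIEW_INTERVAL = timedelta(days=365)
REGULATORY_WINDOW = timedelta(days=60)  # outer limit in 164.404(b) and 164.410(b)


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str                 # e.g. "legal", "billing", "transcription"
    holds_phi: bool
    phi_categories: tuple         # what the vendor actually holds
    baa_signed: Optional[date]    # None means no agreement on file
    baa_expires: Optional[date]   # None means no fixed term
    baa_last_reviewed: Optional[date]


def vendor_findings(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Return {vendor name: [reasons]} for every PHI-holding vendor failing a BAA check."""
    findings: Dict[str, List[str]] = {}
    for v in vendors:
        if not v.holds_phi:
            continue  # inventoried, but no BAA is required without PHI
        reasons: List[str] = []
        if v.baa_signed is None:
            reasons.append("no signed BAA on file")
        else:
            if v.baa_expires is not None and v.baa_expires < today:
                reasons.append("BAA expired")
            if v.baa_last_reviewed is None or today - v.baa_last_reviewed > REVIEW_INTERVAL:
                reasons.append("BAA not reviewed in the last 12 months")
        if reasons:
            findings[v.name] = reasons
    return findings


def breach_deadlines(ba_discovered: date, ce_notified: date,
                     ba_is_agent: bool = False) -> Dict[str, date]:
    """Compute the business associate's and covered entity's outer deadlines.

    164.410(b): the BA must notify the CE no later than 60 days after BA discovery.
    164.404(a)(2): knowledge held by the CE's agent is imputed to the CE, so when the
    BA acts as the CE's agent the BA's discovery date starts the CE's own clock;
    otherwise the CE's clock starts when the CE itself learns of the breach.
    """
    ce_clock_start = ba_discovered if ba_is_agent else ce_notified
    return {
        "ba_to_ce_deadline": ba_discovered + REGULATORY_WINDOW,
        "ce_clock_start": ce_clock_start,
        "ce_to_individuals_deadline": ce_clock_start + REGULATORY_WINDOW,
    }


# Constructed sample inventory; names and dates are invented for the example.
TODAY = date(2026, 5, 4)
SAMPLE_VENDORS = [
    Vendor("Outside Counsel LLP", "legal", True, ("litigation records", "claims"),
           baa_signed=date(2021, 1, 15), baa_expires=date(2024, 1, 15),
           baa_last_reviewed=date(2023, 12, 1)),
    Vendor("ClaimsCo Billing", "billing", True, ("claims", "demographics"),
           baa_signed=date(2025, 3, 1), baa_expires=date(2027, 3, 1),
           baa_last_reviewed=date(2025, 3, 1)),
    Vendor("Dictate Transcription", "transcription", True, ("clinical notes",),
           baa_signed=None, baa_expires=None, baa_last_reviewed=None),
    Vendor("Office Courier", "logistics", False, (), None, None, None),
]
# Constructed incident timeline: vendor discovers on 3 March, tells the practice on 20 April.
SAMPLE_BA_DISCOVERED = date(2026, 3, 3)
SAMPLE_CE_NOTIFIED = date(2026, 4, 20)


if __name__ == "__main__":
    for name, reasons in vendor_findings(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {'; '.join(reasons)}")
    for agent in (False, True):
        d = breach_deadlines(SAMPLE_BA_DISCOVERED, SAMPLE_CE_NOTIFIED, ba_is_agent=agent)
        print(f"agent={agent}: CE clock starts {d['ce_clock_start']}, "
              f"individual notice due by {d['ce_to_individuals_deadline']}")
```

With the constructed timeline the difference the agent flag makes is the whole point: a non-agent vendor that reports on 20 April leaves the practice until 19 June, but if that vendor is the practice's agent the clock started on 3 March and individual notices are due by 2 May, twelve days after the practice first heard of the incident. That is why the BAA's contractual notice window, not the regulatory outer limit, is the number to negotiate.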

Try Patient Protect

  • Start a free trial at hipaa-port.com → https://hipaa-port.com
  • Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.