
Currently submitted to: JMIR Medical Informatics

Date Submitted: Feb 15, 2026
Open Peer Review Period: Feb 18, 2026 - Apr 15, 2026

NOTE: This is an unreviewed Preprint

Warning: This is an unreviewed preprint. Readers are warned that the document has not been peer-reviewed by expert/patient reviewers or an academic editor, may contain misleading claims, and is likely to undergo changes before final publication, if accepted, or may have been rejected/withdrawn (a note "no longer under consideration" will appear above).


Who Holds the Risk? A Longitudinal Analysis of Business Associates' Involvement in US Healthcare Data Breaches

  • Martin Ignatovski

ABSTRACT

Background:

Healthcare organizations increasingly rely on business associates (BAs) to provide clinical, administrative, and technology services that require access to protected health information (PHI). While the HITECH Act and the HIPAA Omnibus Rule extended legal liability to BAs, the frequency and characteristics of data breaches involving BAs have not been systematically tracked across the entire post-HITECH reporting era. Understanding these trends is critical for health information managers and cybersecurity professionals who are directly responsible for managing third-party risk.

Objective:

The author examined the longitudinal trends in BA involvement in healthcare data breaches reported to the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) from 2009 to 2025, including changes in frequency, breach mechanisms, breach locations, and severity profile of BA-involved incidents across three regulatory periods.

Methods:

The author conducted a retrospective longitudinal analysis on the complete population of healthcare data breaches (N = 6612) reported to the HHS OCR breach portal between October 2009 and December 2025. BA involvement was operationalized as breaches reported by BA entities or flagged as BA-related. Logistic regression models estimated annual trends in BA involvement, breach mechanism, and breach location. Chi-square tests assessed associations between BA status and breach characteristics across three regulatory periods: pre-Omnibus (2009-2013), post-Omnibus (2014-2019), and post-2020 (2020-2025). Proportion tests compared BA-involvement rates across periods.

Results:

BA-involved breaches accounted for 1950 of 6612 incidents (29.5%) and 44.8% of all individuals affected. The annual BA involvement rate increased from 22.1% in the pre-Omnibus period to 36.6% in the post-2020 period (z=13.67, P<.001). Logistic regression confirmed an 8% annual increase in BA involvement odds (odds ratio [OR] 1.08, P<.001). Hacking/IT incidents increased from a minority to the dominant breach mechanism (OR 1.40 per year, P<.001), and network server breaches grew at OR 1.25 per year (P<.001). BA-involved breaches were significantly more concentrated in hacking (66% vs 51%) and network server locations (58% vs 34%) compared to non-BA breaches (P<.001). The proportion of mega breaches (≥100,000 individuals) also increased annually (OR 1.16, P<.001), with BA-involved breaches exhibiting a significantly higher mega breach rate (12.4% vs 8.2%; χ²=28.44, P<.001).
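The association and trend tests named in the Methods, run on the figures reported above. This is an added example, not the author's analysis code or the OCR portal data: the 2x2 cell counts are reconstructed by rounding the reported percentages back into counts, so the chi-square lands near, not exactly on, the reported 28.44; the per-year counts for the logistic trend are constructed from a known odds ratio because the abstract gives no yearly totals; and the helper names (chi_square_2x2, two_proportion_z, fit_logistic_trend) are my own. Standard library only.

```python
"""Reproducing the abstract's 2x2 association tests and per-year odds ratio
on breach-portal style counts, using only the Python standard library."""
import math

# Counts reconstructed from the abstract's reported figures (constructed:
# the abstract reports percentages, so cell counts are rounded back out).
TOTAL_BREACHES = 6612
BA_BREACHES = 1950
NON_BA_BREACHES = TOTAL_BREACHES - BA_BREACHES        # 4662
BA_MEGA = round(0.124 * BA_BREACHES)                  # 242 mega breaches (>=100,000)
NON_BA_MEGA = round(0.082 * NON_BA_BREACHES)          # 382


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square (1 df, no continuity correction) for the table
    [[a, b], [c, d]]: rows are groups (BA / non-BA), columns outcome yes/no."""
    n = a + b + c + d
    numerator = n * (a * d - b * c) ** 2
    denominator = (a + b) * (c + d) * (a + c) * (b + d)
    return numerator / denominator


def chi_square_1df_pvalue(stat):
    """Upper-tail probability for a chi-square(1) statistic.
    With 1 df the statistic is Z^2, so P(X > x) = erfc(sqrt(x / 2))."""
    return math.erfc(math.sqrt(stat / 2.0))


def two_proportion_z(x1, n1, x2, n2):
    """Pooled two-proportion z statistic (the period comparison in the Methods).
    For a 2x2 table, z**2 equals the Pearson chi-square above."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se


def fit_logistic_trend(years, successes, totals, iterations=50):
    """Fit logit(p_year) = b0 + b1 * (year - first_year) to grouped binomial
    counts by Newton-Raphson. exp(b1) is the per-year odds ratio reported
    in the Results (e.g. OR 1.08 for BA involvement)."""
    t = [y - years[0] for y in years]
    b0, b1 = 0.0, 0.0
    for _ in range(iterations):
        # Score vector and (negative) Hessian of the binomial log-likelihood.
        g0 = g1 = h00 = h01 = h11 = 0.0
        for ti, si, ni in zip(t, successes, totals):
            p = 1.0 / (1.0 + math.exp(-(b0 + b1 * ti)))
            w = ni * p * (1.0 - p)
            g0 += si - ni * p
            g1 += (si - ni * p) * ti
            h00 += w
            h01 += w * ti
            h11 += w * ti * ti
        det = h00 * h11 - h01 * h01
        step0 = (h11 * g0 - h01 * g1) / det
        step1 = (h00 * g1 - h01 * g0) / det
        b0 += step0
        b1 += step1
        if abs(step0) < 1e-10 and abs(step1) < 1e-10:
            break
    return b0, b1


def mega_breach_association():
    """BA vs non-BA mega-breach rates: chi-square, p-value and pooled z."""
    chi2 = chi_square_2x2(BA_MEGA, BA_BREACHES - BA_MEGA,
                          NON_BA_MEGA, NON_BA_BREACHES - NON_BA_MEGA)
    z = two_proportion_z(BA_MEGA, BA_BREACHES, NON_BA_MEGA, NON_BA_BREACHES)
    return {"chi2": chi2, "p": chi_square_1df_pvalue(chi2), "z": z,
            "ba_rate": BA_MEGA / BA_BREACHES,
            "non_ba_rate": NON_BA_MEGA / NON_BA_BREACHES}


def constructed_yearly_counts(per_year=400, start_rate=0.22, true_or=1.08):
    """Constructed yearly BA-involvement counts drawn from a logistic trend.
    Not portal data: it only checks that the fit recovers a known odds ratio."""
    years = list(range(2009, 2026))
    b0 = math.log(start_rate / (1.0 - start_rate))
    b1 = math.log(true_or)
    successes = [round(per_year / (1.0 + math.exp(-(b0 + b1 * (y - years[0])))))
                 for y in years]
    return years, successes, [per_year] * len(years)


def annual_odds_ratio():
    """Per-year odds ratio recovered from the constructed yearly counts."""
    years, successes, totals = constructed_yearly_counts()
    _, b1 = fit_logistic_trend(years, successes, totals)
    return math.exp(b1)


if __name__ == "__main__":
    result = mega_breach_association()
    print(f"BA share of breaches: {100 * BA_BREACHES / TOTAL_BREACHES:.1f}%")
    print(f"mega-breach rate BA {100 * result['ba_rate']:.1f}% vs "
          f"non-BA {100 * result['non_ba_rate']:.1f}%")
    print(f"chi-square {result['chi2']:.2f}, p {result['p']:.1e}, "
          f"z {result['z']:.2f} (z^2 equals chi-square)")
    print(f"fitted per-year OR on constructed data: {annual_odds_ratio():.3f}")
```

The pre-Omnibus versus post-2020 z-test (z=13.67) cannot be recomputed from the abstract alone, since the period denominators are not reported; the z function is therefore exercised on the mega-breach table, where its square equals the chi-square and serves as an internal consistency check.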

Conclusions:

BA-involved healthcare data breaches accelerated substantially across the post-HITECH reporting era, with the steepest increase occurring after 2020. The concurrent growth of hacking and the concentration of breaches on network servers suggest that digital transformation, cloud migration, and the ransomware epidemic have compounded third-party risk exposure. Health information managers and cybersecurity professionals should prioritize BA risk management strategies that account for the evolving threat landscape, including enhanced vendor security assessments and data compartmentalization requirements.


Citation

Please cite as:

Ignatovski M

Who Holds the Risk? A Longitudinal Analysis of Business Associates' Involvement in US Healthcare Data Breaches

JMIR Preprints. 15/02/2026:93588

DOI: 10.2196/preprints.93588

URL: https://preprints.jmir.org/preprint/93588


© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a CC-BY license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.