
Currently submitted to: JMIR Medical Informatics

Date Submitted: Feb 15, 2026
Open Peer Review Period: Feb 18, 2026 - Apr 15, 2026
(currently open for review)

Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.

Who Holds the Risk? A Longitudinal Analysis of Business Associates' Involvement in US Healthcare Data Breaches

  • Martin Ignatovski

ABSTRACT

Background:

Healthcare organizations increasingly rely on business associates (BAs) to provide clinical, administrative, and technology services that require access to protected health information (PHI). While the HITECH Act and the HIPAA Omnibus Rule extended legal liability to BAs, the frequency and characteristics of data breaches involving BAs have not been systematically tracked across the entire post-HITECH reporting era. Understanding these trends is critical for health information managers and cybersecurity professionals who are directly responsible for managing third-party risk.

Objective:

The author examined the longitudinal trends in BA involvement in healthcare data breaches reported to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) from 2009 to 2025, including changes in the frequency, breach mechanisms, breach locations, and severity profile of BA-involved incidents across three regulatory periods.

Methods:

The author conducted a retrospective longitudinal analysis on the complete population of healthcare data breaches (N = 6612) reported to the HHS OCR breach portal between October 2009 and December 2025. BA involvement was operationalized as breaches reported by BA entities or flagged as BA-related. Logistic regression models estimated annual trends in BA involvement, breach mechanism, and breach location. Chi-square tests assessed associations between BA status and breach characteristics across three regulatory periods: pre-Omnibus (2009-2013), post-Omnibus (2014-2019), and post-2020 (2020-2025). Proportion tests compared BA-involvement rates across periods.
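As an added illustration of the classification and test procedure described above (not code from the paper or from the OCR portal), the following Python script applies the same steps to a small set of constructed breach records: each incident is bucketed into one of the three regulatory periods, flagged as BA-involved if it was reported by a BA entity or carries a BA-present flag, and flagged as a mega breach at the 100,000-individual cutoff; a pooled two-proportion z-test then compares BA-involvement rates between periods and a 2x2 chi-square test relates BA status to mega-breach status. The record layout, the "Business Associate Present" semantics and the sample values are assumptions made for the example; the real portal export may use different column names.

```python
"""Reproduce the abstract's classification and test steps on constructed records
using only the Python standard library (no pandas/scipy dependency)."""
import math
from collections import defaultdict

# Constructed sample records shaped loosely like an OCR breach-portal export.
# Field order and the BA-present flag are assumptions for this example, not the
# paper's data or the portal's real schema:
# (year, reporting entity type, BA present flag, breach type, location, individuals affected)
RECORDS = [
    (2010, "Healthcare Provider", False, "Theft", "Laptop", 5_200),
    (2011, "Health Plan", False, "Loss", "Paper/Films", 1_300),
    (2012, "Business Associate", False, "Theft", "Desktop Computer", 120_000),
    (2013, "Healthcare Provider", False, "Unauthorized Access/Disclosure", "Paper/Films", 800),
    (2015, "Healthcare Provider", True, "Hacking/IT Incident", "Network Server", 45_000),
    (2017, "Health Plan", False, "Unauthorized Access/Disclosure", "Email", 2_400),
    (2018, "Business Associate", False, "Hacking/IT Incident", "Network Server", 250_000),
    (2019, "Healthcare Provider", False, "Theft", "Laptop", 3_100),
    (2021, "Business Associate", False, "Hacking/IT Incident", "Network Server", 1_200_000),
    (2022, "Healthcare Provider", True, "Hacking/IT Incident", "Network Server", 98_000),
    (2023, "Healthcare Provider", False, "Hacking/IT Incident", "Email", 1_900),
    (2024, "Business Associate", False, "Hacking/IT Incident", "Network Server", 400_000),
    (2025, "Health Plan", True, "Hacking/IT Incident", "Network Server", 150_000),
]

MEGA_BREACH_THRESHOLD = 100_000  # the abstract's mega-breach cutoff (individuals affected)


def regulatory_period(year):
    """Map a submission year onto the three periods used in the abstract."""
    if 2009 <= year <= 2013:
        return "pre-Omnibus"
    if 2014 <= year <= 2019:
        return "post-Omnibus"
    if 2020 <= year <= 2025:
        return "post-2020"
    raise ValueError(f"year {year} is outside the 2009-2025 reporting window")


def is_ba_involved(rec):
    """BA involvement = reported by a BA entity OR flagged as BA-related."""
    _year, entity_type, ba_present, *_rest = rec
    return entity_type == "Business Associate" or ba_present


def ba_rate_by_period(records):
    """Return {period: (ba_count, total, ba_rate)}."""
    counts = defaultdict(lambda: [0, 0])  # period -> [BA-involved, total]
    for rec in records:
        period = regulatory_period(rec[0])
        counts[period][1] += 1
        if is_ba_involved(rec):
            counts[period][0] += 1
    return {p: (ba, n, ba / n) for p, (ba, n) in counts.items()}


def two_proportion_ztest(x1, n1, x2, n2):
    """Pooled two-proportion z-test; z > 0 means the second group's rate is higher.
    Returns (z, two-sided p-value from the normal approximation)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p2 - p1) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided upper tail of N(0,1)
    return z, p_value


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic (no continuity correction) for [[a, b], [c, d]].
    Returns NaN when a row or column margin is empty (the test is undefined there)."""
    n = a + b + c + d
    margins = (a + b) * (c + d) * (a + c) * (b + d)
    if margins == 0:
        return float("nan")
    return n * (a * d - b * c) ** 2 / margins


def ba_vs_mega_table(records):
    """Cross-tabulate BA involvement (rows) against mega-breach status (columns).
    Returns (BA&mega, BA&not-mega, nonBA&mega, nonBA&not-mega)."""
    table = {(True, True): 0, (True, False): 0, (False, True): 0, (False, False): 0}
    for rec in records:
        mega = rec[5] >= MEGA_BREACH_THRESHOLD
        table[(bool(is_ba_involved(rec)), mega)] += 1
    return (table[(True, True)], table[(True, False)],
            table[(False, True)], table[(False, False)])


def hacking_share(records, ba):
    """Share of Hacking/IT Incident breaches among BA-involved (ba=True) or non-BA records."""
    subset = [r for r in records if bool(is_ba_involved(r)) == ba]
    return sum(r[3] == "Hacking/IT Incident" for r in subset) / len(subset)


if __name__ == "__main__":
    rates = ba_rate_by_period(RECORDS)
    for period, (ba, n, rate) in rates.items():
        print(f"{period:>13}: {ba}/{n} BA-involved ({rate:.1%})")
    z, p = two_proportion_ztest(*rates["pre-Omnibus"][:2], *rates["post-2020"][:2])
    print(f"pre-Omnibus vs post-2020 BA rate: z={z:.2f}, P={p:.3f}")
    a, b, c, d = ba_vs_mega_table(RECORDS)
    print(f"BA x mega table [[{a}, {b}], [{c}, {d}]], chi2={chi_square_2x2(a, b, c, d):.2f}")
    print(f"hacking share: BA={hacking_share(RECORDS, True):.0%}, "
          f"non-BA={hacking_share(RECORDS, False):.0%}")
```

On the constructed sample the pre-Omnibus versus post-2020 comparison gives z = 1.65 with P ≈ 0.10, so with thirteen records the rise in BA involvement is not significant; the same arithmetic applied to the full portal population (N = 6612) is what produces the z = 13.67 reported in the Results. The chi-square helper deliberately returns NaN on an empty margin rather than dividing by zero, which matters when a small subset (for example a single year of BA-only breaches) is tested on its own.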

Results:

BA-involved breaches accounted for 1950 of 6612 incidents (29.5%) and 44.8% of all individuals affected. The annual BA involvement rate increased from 22.1% in the pre-Omnibus period to 36.6% in the post-2020 period (z=13.67, P<.001). Logistic regression confirmed an 8% annual increase in BA involvement odds (odds ratio [OR] 1.08, P<.001). Hacking/IT incidents increased from a minority to the dominant breach mechanism (OR 1.40 per year, P<.001), and network server breaches grew at OR 1.25 per year (P<.001). BA-involved breaches were significantly more concentrated in hacking (66% vs 51%) and network server locations (58% vs 34%) compared to non-BA breaches (P<.001). The proportion of mega breaches (≥100,000 individuals) also increased annually (OR 1.16, P<.001), with BA-involved breaches exhibiting a significantly higher mega breach rate (12.4% vs 8.2%; χ²=28.44, P<.001).

Conclusions:

BA-involved healthcare data breaches accelerated substantially across the post-HITECH reporting era, with the steepest increase occurring after 2020. The concurrent growth of hacking and the concentration of breaches in network server locations suggest that digital transformation, cloud migration, and the ransomware epidemic have compounded third-party risk exposure. Health information managers and cybersecurity professionals should prioritize BA risk management strategies that account for the evolving threat landscape, including enhanced vendor security assessments and data compartmentalization requirements.


Citation

Please cite as:

Ignatovski M

Who Holds the Risk? A Longitudinal Analysis of Business Associates' Involvement in US Healthcare Data Breaches

JMIR Preprints. 15/02/2026:93588

DOI: 10.2196/preprints.93588

URL: https://preprints.jmir.org/preprint/93588


© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a CC BY license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.