Ponemon Institute Research Reveals Majority of Healthcare Vendors Have Experienced a Data Breach Exposing Protected Health Information


Post Summary

What percentage of healthcare vendors have experienced a data breach exposing PHI?

According to Ponemon Institute research, 54% of healthcare vendors have experienced at least one data breach exposing protected health information (PHI).

What is the average cost of a healthcare vendor data breach?

The average cost of a healthcare vendor data breach is $2.75 million, with nearly 10,000 records exposed per breach.

Why are current risk assessment processes failing in healthcare?

55% of vendors say risk assessments are costly and time-consuming. 64% of vendors find risk assessment questions confusing and ambiguous. Static assessments become outdated quickly, with 59% of vendors reporting that assessments are obsolete within three months.

How can the risk assessment process be improved?

Automation: 61% of vendors believe workflow automation would streamline the process and reduce costs by up to 50%. Collaboration: Vendors and providers must work together to create transparent, effective policies and procedures. Frequent updates: Regularly updating assessments ensures they remain relevant in a rapidly changing threat landscape.

What is the impact of ineffective risk assessments on healthcare vendors?

54% of vendors believe a single data breach would result in lost business and revenue. 28% of vendors report losing business after providers discovered gaps in their privacy and security practices.

Average Healthcare Vendor Breach Costs $2.75 Million and Exposes Nearly 10,000 Records; Most Vendors Would Not Notify Providers Immediately After Breach

BOSTON – (BUSINESS WIRE) – More than half of all healthcare vendors have experienced a data breach that exposed protected health information (PHI), and it’s a costly problem that points to broken third-party risk assessment processes, according to new data released today by the Ponemon Institute and Censinet®.

The report, "Are Risk Assessments Failing to Secure the Third-Party Healthcare Ecosystem?", conducted by Ponemon Institute and sponsored by Censinet, shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.

Additionally, 54 percent of healthcare vendors believe that a single data breach would result in lost business and revenues from the healthcare providers they sell to, while 28 percent of vendors say that healthcare organizations have chosen another service or solution after they discovered gaps in the vendor’s privacy and security practices. This may be why only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI.

“The overall process for managing risk assessments is severely broken in healthcare,” stated Ed Gaudet, CEO and Founder of Censinet. “As an industry we must empower vendors with the right tools and behaviors that give healthcare providers the level of transparency, security and confidence they need to protect their business.”

Many of the vendor respondents believe that healthcare providers do not fully embrace risk assessments to accurately measure and manage third-party risk. For example, nearly half (41 percent) of healthcare vendor respondents said that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies, and 42 percent say that providers do not require proof that the vendor complies with privacy and data protection regulations.

“Healthcare vendors and providers must move from simply checking a box to changing the culture,” continued Gaudet. “This is an industry-wide problem and as such we need a new, collaborative approach that makes it easy for healthcare vendors and providers to band together and take action, implementing policies, procedures and controls that reduce risk holistically.”

The Broken Process of Healthcare Risk Assessments

The research points to a fundamental failure of vendors and providers to work collaboratively to accurately measure third-party risk, largely because of the shortcomings of legacy risk management assessment processes. According to the research, 55 percent of vendors say that risk assessments required by healthcare organizations are costly and time-consuming, with vendors spending an average of $2.5 million annually to fill them out. This may be because 43 percent of vendors are still using spreadsheet-based processes for risk assessments.

Despite the effort vendors expend completing risk assessments, it’s hard to determine how accurate they are because 64 percent of vendors believe risk assessment questions are confusing and ambiguous. Additionally, the rapidly changing threat landscape has made static risk assessments far less effective; 59 percent of respondents say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year. This may be why only 44 percent of vendors believe that risk assessments actually improve their security posture – a number that points to the misallocation of time and resources fueled by the need to check the box, rather than effectively mitigate risk.

“This research highlights many of the shortcomings in the risk assessment process and just how inadequate and ineffective industry certifications and frameworks are today for vendors,” stated Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.”

When asked about ways to improve the risk assessment process, healthcare vendors overwhelmingly turned to automation. According to the research, 61 percent of vendors believe that workflow automation would streamline the risk assessment process and 60 percent think workflow automation would make risk assessments more cost-effective. If the risk assessment process were automated, vendors believe that the costs incurred would be reduced by up to 50 percent.

To download the full report, please visit: https://censinet.com/ponemon-research-report-vendor-study/

For more information, please visit https://www.censinet.com.

About Censinet

Censinet provides the first and only third-party risk management platform built by and for healthcare providers to manage the threats to patient care that exist within an expanding ecosystem of vendors. With its unique Censinet One-click Assessment™ capabilities and Digital Vendor Catalog™, the Censinet Platform reduces the time to assess vendor risk from weeks to seconds, while automating inefficient workflows and providing continuous real-time insights into the changing risk profile of each vendor. Censinet is based in Boston, MA and can be found at https://censinet.com/.

About Ponemon Institute

Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. For more information visit https://ponemon.org/.

Contacts
Dan Gaffney
fama PR for Censinet
(617) 986-5036
censinet@famapr.com


Key Points:

What percentage of healthcare vendors have experienced a data breach exposing PHI?

  • According to Ponemon Institute research, 54% of healthcare vendors have experienced at least one data breach exposing protected health information (PHI).
  • Of these, 41% of vendors reported experiencing six or more breaches in the past two years.

What is the average cost of a healthcare vendor data breach?

  • The average cost of a healthcare vendor data breach is $2.75 million, with nearly 10,000 records exposed per breach.

Why are current risk assessment processes failing in healthcare?

  • Costly and time-consuming: 55% of vendors report that risk assessments are expensive, with an average annual cost of $2.5 million to complete them.
  • Confusing and ambiguous: 64% of vendors find risk assessment questions unclear, leading to inefficiencies.
  • Outdated assessments: 59% of vendors say risk assessments become obsolete within three months, yet only 18% of healthcare providers require updates more than once per year.
  • Ineffective outcomes: Only 44% of vendors believe risk assessments improve their security posture, highlighting a misallocation of time and resources.

What are the consequences of ineffective risk assessments for healthcare vendors?

  • Lost business: 54% of vendors believe a single data breach would result in lost business and revenue.
  • Provider rejection: 28% of vendors report losing business after providers discovered gaps in their privacy and security practices.
  • Increased costs: Vendors spend significant resources on risk assessments that fail to deliver meaningful security improvements.

How can the risk assessment process be improved?

  • Automation: 61% of vendors believe workflow automation would streamline the process, reducing costs by up to 50%.
  • Collaboration: Vendors and providers must work together to create transparent, effective policies and procedures.
  • Frequent updates: Regularly updating assessments ensures they remain relevant in a rapidly changing threat landscape.
  • Standardization: Simplifying and standardizing risk assessment questions can reduce confusion and improve efficiency.

Why is automation critical for improving risk assessments?

  • Automation reduces the time and cost of completing risk assessments, making the process more efficient.
  • It ensures assessments are updated regularly, keeping pace with the rapidly evolving threat landscape.
  • Automated workflows eliminate manual errors and provide real-time insights into vendor security postures.

What is the ultimate goal of improving risk assessments in healthcare?

  • To create a more secure third-party ecosystem that protects patient data and reduces the risk of breaches.
  • To foster collaboration between vendors and providers, ensuring transparency and trust.
  • To streamline the risk assessment process, saving time and resources while improving security outcomes.
  • To enable healthcare organizations to adopt innovative technologies safely and efficiently.
