OCR shifts enforcement focus toward healthcare business associates

The U.S. Office for Civil Rights (OCR) has made a decisive pivot in how it enforces healthcare data privacy. Instead of focusing largely on hospitals and insurers, it’s now going after the third-party vendors, the business associates, that manage or access sensitive patient information on behalf of these organizations. This change reflects a deeper understanding of where most vulnerabilities exist within the healthcare ecosystem.

In 2025, OCR issued only 12 enforcement actions, a drop from 23 in 2024. Yet the tone and direction of those actions speak volumes. Seven were aimed directly at business associates, doubling the total number penalized under OCR authority since 2013. The signal is clear: healthcare organizations can no longer rely on vendor relationships as a compliance buffer. Regulators are holding vendors, and by extension their healthcare partners, directly accountable for how data is handled.

For executives, this makes vendor oversight a strategic priority, not a compliance formality. Contracts need to do more than outline responsibilities; they must define measurable data security expectations and audit rights. Vendor selection, monitoring, and communication processes must mature in line with this new reality. Data protection cannot be outsourced; accountability now runs both ways.

This pivot from OCR also aligns with broader trends in data governance, where organizations are expected to demonstrate proactive control over their partner networks. C-suite leaders should interpret this as more than enforcement; it is a roadmap for operational resilience built on transparency and accountability.

OCR’s enforcement approach evolves under resource constraints and operational priorities

Resource constraints at the federal level are reshaping how enforcement works. The OCR faced internal restructuring and layoffs in 2025, forcing it to rethink its approach. Instead of investigating every large-scale breach, OCR is now prioritizing high-impact cases and using technical assistance for incidents involving more than 500 individuals. This is a smarter, more focused strategy to make the most of limited manpower.

For business leaders, this signals a shift from reactive enforcement toward risk-based engagement. Regulators are directing their energy to where it will make the greatest difference: organizations repeatedly showing systemic weaknesses in cybersecurity or compliance. In 2025, OCR imposed four penalties and resolution agreements under its security risk analysis initiative, emphasizing that the agency remains active but more strategic in where it applies pressure.

Decision-makers can’t rely on reduced enforcement capacity as an opportunity to relax. Instead, this is the time to get ahead of evolving standards. A thorough internal security risk assessment and mature incident response system are now core business requirements. Regulators will expect clarity, structure, and documentation around how organizations manage their data protection risks.

In practice, that means executives should invest in people and technology capable of identifying and remediating risk efficiently. The goal is not just compliance; it is operational predictability. When regulators streamline, companies must strengthen. Those that stay proactive will find themselves not just meeting requirements, but outperforming competitors in trust and resilience.

State attorneys general actively fill enforcement gaps left by federal actions

State enforcement has become the new frontier in data privacy. In 2025, state attorneys general (AGs) stepped up to pursue healthcare data breaches with a level of energy that matched, and in some cases exceeded, federal efforts. Their actions often overlapped with, or followed, federal OCR investigations, creating a comprehensive but more fragmented enforcement ecosystem.

Multiple AGs have used their powers under the HITECH Act and revised state privacy laws to hold both healthcare providers and vendors accountable. They’ve applied consumer protection and deceptive trade practices statutes to data privacy violations, broadening the scope of what constitutes a compliance failure. This dual enforcement layer, federal and state, means healthcare organizations now face increased legal complexity and a wider range of potential penalties.

For executives, this trend calls for an expanded view of compliance. It’s not enough to meet federal standards; state rules and expectations must also be integrated into enterprise compliance frameworks. Since AGs often frame investigations around consumer impact, public accountability is becoming as important as regulatory compliance. Healthcare leaders who invest in transparent breach reporting, clear communication with regulators, and consistent privacy governance will be better positioned in this more aggressive enforcement environment.

The message for leadership is straightforward: regulatory coverage is no longer uniform or centralized. The enforcement map varies by state, and organizations need teams capable of tracking and adapting to these differences.

Vendor vulnerabilities remain a major contributor to healthcare data breaches

Despite advances in healthcare cybersecurity, third-party vendors remain one of the industry’s weakest links. BakerHostetler’s 2025 report found that more than one-third of healthcare security incidents originated at the vendor level. These figures reveal a persistent challenge: many organizations still depend on external partners whose data protection standards aren’t aligned with their own.

Vendors often manage core processes, from billing to data analytics, meaning their access to sensitive information is extensive. When a vendor’s systems are compromised, the healthcare provider inherits the reputational and operational damage. The challenge for executives is ensuring each vendor is as secure as the organization itself, a goal that requires improved oversight, contractual enforcement, and real-time monitoring capabilities.

Vendor due diligence must move beyond initial vetting. Ongoing evaluation, continuous compliance checks, and mandatory breach notification clauses are now fundamental business requirements. This shift is not only about maintaining compliance but about safeguarding brand integrity and operational continuity.

For executives, this is an area where leadership visibility matters. Cybersecurity teams need resources and authority to evaluate and, if necessary, terminate relationships with partners that can’t meet compliance standards. Vendors should be treated as part of the organization’s extended infrastructure, with shared accountability and measurable performance metrics.

The 2025 incident data leaves no doubt: outsourced risk is still internal risk. Stronger vendor governance frameworks will define which organizations succeed or struggle in the next stage of healthcare data compliance.

Ransomware attacks continue to impose significant financial and operational challenges in healthcare

Ransomware remains one of the most pressing threats facing healthcare systems. The scale and sophistication of these attacks have grown, targeting both large and mid-sized organizations. In 2025, the average ransom demand reached $18 million, with healthcare entities paying an average of $1.2 million. Beyond the financial hit, system recovery took an average of 12.7 days, and forensic investigations often cost around $40,000 per incident, according to BakerHostetler’s findings.

These incidents disrupt critical operations and increase financial and reputational risks. When systems are offline, patient care slows, data access is restricted, and legal exposure grows. Leaders must recognize ransomware not only as a technical issue but as a direct business risk tied to operational readiness and financial resilience.

Executives should ensure their organizations have detailed ransomware response strategies that are practical and tested. This includes clear escalation protocols, secure data backups, offsite storage, and financial planning for potential ransom scenarios. Ensuring board-level understanding of these threats will help align budget priorities and risk tolerance.

The key for leadership is proactive management. Waiting for an attack before acting is no longer acceptable in a digital-first healthcare environment. Regular penetration testing, continuous monitoring, and multi-layered defense systems should be treated as fundamental business investments. These are not optional protections; they are operational necessities that define business continuity and public trust.

The integration of artificial intelligence will complicate vendor oversight and data privacy compliance

Artificial intelligence is introducing new opportunities and fresh layers of complexity to data management in healthcare. As organizations begin to integrate AI into their systems, and as vendors incorporate AI into theirs, the need for stronger oversight and compliance management becomes critical. The technology’s ability to process vast amounts of sensitive data demands deeper scrutiny from both a security and ethical standpoint.

BakerHostetler’s report projected that AI would become a defining factor in vendor oversight in 2026. Healthcare leaders will need to closely track how vendors use AI, what data these systems are exposed to, and how outputs are managed. The complexity lies in ensuring that AI-driven processes do not unintentionally breach confidentiality, introduce bias, or create compliance blind spots.

For executives, this requires formal AI governance structures. Every AI-driven tool, internal or vendor-managed, should be subject to documented risk evaluations and clear accountability metrics. Boards should demand transparency from vendors regarding how their AI systems interact with patient data, including access, data retention, and security controls.

Leaders must also anticipate regulatory scrutiny. Governments and regulators are moving quickly toward formal AI standards, and compliance expectations are only going to tighten. Organizations that treat AI governance as an integral part of their compliance ecosystem, rather than as a future issue, will maintain both regulatory confidence and stakeholder trust.

Key executive takeaways

  • OCR targets vendors for accountability: Federal regulators are increasing pressure on healthcare business associates, holding vendors as directly responsible for data privacy failures as their clients. Leaders should strengthen vendor contracts, oversight, and risk controls to stay ahead of enforcement.
  • Enforcement shifts toward targeted efficiency: With fewer resources, the OCR is focusing on high-impact breaches and offering technical guidance instead of routine investigations. Executives should invest in proactive risk assessment and thorough incident documentation to demonstrate compliance readiness.
  • State attorneys general expand privacy enforcement: State-level regulators are using enhanced privacy laws and consumer protection powers to fill federal gaps. Organizations need to align their compliance programs with both federal and state requirements to reduce exposure to overlapping investigations.
  • Vendors remain the weakest cybersecurity link: Over a third of healthcare breaches in 2025 stemmed from third-party failures, revealing ongoing gaps in vendor security. Leaders should embed continuous monitoring, clear accountability clauses, and breach response standards into all vendor relationships.
  • Ransomware demands stronger resilience planning: With an average ransom demand of $18 million and recovery taking nearly two weeks, ransomware continues to threaten healthcare operations. Executives should prioritize incident response testing, secure data backups, and clear decision frameworks for crisis management.
  • AI increases oversight complexity in data management: The rise of AI in vendor systems introduces new data privacy and compliance risks. Leaders should establish formal AI governance policies, require transparency from AI-driven vendors, and prepare for upcoming regulatory scrutiny in this space.

Alexander Procter

March 30, 2026