6 Steps for Responding to a Healthcare Third-Party Data Breach


Earlier this year, in March, nearly 60 healthcare providers were informed that their third-party vendor, Shields Health Group, suffered a major data breach. During this cyberattack, approximately 2 million patients had their data compromised.

In the wake of this massive breach, healthcare organizations are reviewing their security measures and considering what steps to take in case one of their vendors is compromised.

What If Your Data Is Breached?

If there is a data breach, your organization's Privacy Officer and Data Protection Officer must act quickly and coordinate key responders, including your HIPAA Compliance Officer, legal team, third-party risk assessment team, incident response team, and IT department. That team should work with the vendor to determine how much data was compromised and what action the vendor is taking to investigate and report the breach, and it should maintain continuous communication with specific legal and incident response personnel.

It's important to fully understand what the vendor is doing for short-term mitigations, such as monitoring patient credit or identifying thieves, as well as for long-term mitigations and remediations over the next three to six months. Your internal teams should also identify and understand the legal and regulatory ramifications of the vendor breach as it pertains to your organization and its patients, and determine the reporting or investigative proceedings required of your organization under regulatory and legal requirements such as those outlined in the HIPAA Breach Notification Rule.

At a minimum, a risk reassessment should be performed on the vendor within six months of the data breach. That time should be sufficient to allow the vendor to perform the investigation, implement mitigations and remediations, and review lessons learned before the reassessment.


What If Your Data Is Not Breached?

What should you do if your vendor suffered a data breach, but your organization's data was not compromised? It’s still necessary for your organization to follow up with the vendor regarding the action they have taken in response to the attack.

It's necessary to confirm that the vendor will provide a public report of the findings as soon as possible. However, a vendor may be limited in what it can disclose outside of public notifications and updates, depending on the facts of the breach and the status of any ongoing criminal investigation. If this is the case, your organization can monitor the vendor during the investigation period through routine check-ins with key internal teams and a continuous monitoring approach. Your third-party risk assessment team should still plan to reassess the vendor no later than six months from the time of the breach.

Steps for Responding to a Third-Party Data Breach

  1. Confirm Official Letter. As soon as you become aware of a breach, contact your Privacy or Data Protection Officer to talk to your vendor and determine if your data was compromised. If so, your legal team and other key team members from incident response and third-party risk management should discuss the details of the breach and the investigation with your vendor.
  2. Confirm Investigation. If your data isn’t part of the breached data set, reach out to the vendor to confirm details of the breach and inquire, at minimum, if an investigation is underway as well as what they are doing for short-term and long-term mitigations.
  3. Take Internal Action. If your data is part of the breached data set, know what legal, regulatory, and investigative actions your organization needs to take. Those actions should include notifying HIPAA and your patients of the breach.
  4. Check In Periodically. Perform routine check-ins with the vendor for investigative updates and to confirm which mitigations or remediations have been implemented.
  5. Continuously Monitor. Continually monitor the vendor and consider using a monitoring solution, such as risk alerts and monitoring services.
  6. Reassess. Schedule a risk reassessment on the vendor no later than six months after the breach. The reassessment may be conducted sooner depending on the compromised data's scope and the investigation's length.

The key to responding to a third-party data breach is communication. HIPAA requires business associates, also known as high-risk vendors, to report a breach of your PHI to you no later than 60 days after the breach occurred. Vendors must notify your organization within this timeframe or sooner of any breaches involving sensitive data, including proprietary or internal data.

When your organization is notified of a breach, it’s extremely important to communicate with your vendors and ask the right questions. It's necessary to understand the scope of the breach. Additionally, knowing how the vendor is investigating, reporting, and mitigating the breach will enable your organization to determine what steps it needs to take to ensure compliance with regulatory requirements and protect its patients.
