The Pulse of TPRM | July 2025

Welcome 

Welcome to the latest edition of The Pulse of TPRM, your trusted source for insights at the intersection of third-party risk, cybersecurity, and healthcare resilience. In this issue, we spotlight several mid-year developments that signal deeper structural shifts in the healthcare risk landscape. A surge in data breaches linked to business associates reinforces the need for robust third-party oversight, while a new report from the Health Sector Coordinating Council highlights the growing cybersecurity crisis among rural and underfunded providers. We also examine the AMA’s AI advocacy principles, a lawsuit over AI-driven claim denials, and the NHS’s 10-year plan to become the most AI-enabled health system in the world. As employment trends and federal policy decisions reshape the healthcare economy, this edition offers timely context and practical takeaways for risk leaders navigating today’s increasingly complex supplier ecosystem.


Mid-Year Data Shows Sharp Rise in Business Associate Breaches 

The U.S. Department of Health and Human Services (HHS) maintains a public record of health data breaches impacting 500 or more individuals, as required under the HITECH Act. A review of these records reveals that Business Associates—third parties contracted to support covered entities—continue to play a significant role in healthcare data breaches. As of July 2025, 124 Business Associate breaches have been reported, impacting over 15.8 million individuals. 

This figure reflects a steep increase in the volume of incidents compared to the same period in 2024, when only 44 Business Associate breaches had been logged. Though the number of affected individuals was higher in 2024 due to a few outlier events that exposed massive volumes of data, the year-over-year growth in incident count is an unmistakable red flag. In contrast, mid-year 2023 saw just 4 Business Associate breaches. 

The surge in Business Associate incidents reflects the growing complexity and interconnectedness of healthcare ecosystems. Many of these breaches stem from hacking and IT incidents, targeting third-party vendors that store or transmit protected health information (PHI) on behalf of providers and insurers. Other cases involve unauthorized access or disclosure, often the result of insufficient access controls or misconfigured systems.


NHS Unveils Plan to be the “Most AI-Enabled Health System in the World”  

The UK’s newly unveiled 10-Year Health Plan lays out an ambitious digital and data-driven vision for the future of the National Health Service. While the strategy aims to modernize care and improve access, it also introduces a wave of new technologies, suppliers, and delivery models that will require closer third-party oversight. 

Wearables and Robotics Enter Routine Care 

The plan will make wearables a standard feature of preventive and chronic care by 2035, with devices provided free in high-need communities. It also calls for the expansion of surgical robots and digital hospitals, modeled in part after South Korea’s smart hospital network. 

“Make AI Every Nurse’s and Doctor’s Trusted Assistant”

The plan promises to make AI integral to clinical pathways across the system, supporting diagnostics, automating administrative tasks (like clinical note-taking via “AI scribes”), and predicting deterioration in patient health through wearable data. AI will also be used in personalized medicine, with genomic analysis and risk scoring tied to population-level preventive care. 

“[We will] free up hospitals to prioritise safe deployment of AI and harness new technology to bring the very best of cutting-edge care to all patients. All hospitals will be fully AI-enabled within the lifetime of this Plan.” 

- Fit for the Future: The 10 Year Health Plan for England 

As AI tools become embedded in patient-facing systems, risk leaders must ensure third-party developers meet robust safety, transparency, and bias mitigation standards. Procurement and contracting practices will need to reflect evolving regulatory expectations, including those under the UK AI white paper and EU AI Act.  


Report Reveals Cyber Crisis at Resource-Constrained Providers 

A new report from the Health Sector Coordinating Council warns that America’s most vulnerable healthcare providers are on the edge of a cybersecurity collapse. Based on interviews with executives from rural hospitals, critical access hospitals, federally qualified health centers (FQHCs), and small practices across 30 states, the report paints a sobering picture: these organizations recognize the growing cyber threats they face but lack the resources, staff, and funding needed to respond effectively. The result is a widening security gap that puts patient safety, data integrity, and third-party dependencies at growing risk.  

“This report sheds a critical light on the cybersecurity challenges threatening resource-constrained healthcare providers like ours. It accurately reflects the fears we face daily in knowing that a single ransomware attack could not only jeopardize our hospital’s future but also put our patients and community at risk.”

- Jim Roeder, Lakewood Health 

Key Findings 

  • Widespread Awareness, Limited Capacity: Most leaders know what good cybersecurity looks like—but simply lack the funding or staffing to achieve it. 
  • Aging Systems: Many organizations are running unsupported or end-of-life systems, increasing vulnerability to exploits. 
  • Overstretched Staff: Nearly all respondents identified workforce as their greatest need—calling for shared resources, managed services, or surge support in times of crisis. 
  • Third-Party Risk Is Real: Many small providers rely on external vendors but do not have the tools or expertise to properly assess or monitor those relationships. 


Kansas Hospital Sues Insurer Over AI-Driven Claim Denials 

AdventHealth Shawnee Mission, based in Kansas City, has filed a lawsuit against Blue Cross Blue Shield of Kansas City (Blue KC), accusing the insurer of wrongly denying over $2 million in inpatient claims. The denied charges stem from hundreds of diagnoses deemed by Blue KC, via AI-powered clinical validation audits, as “clinically invalid and unsupported”.

The hospital alleges that Blue KC has outsourced these audits to third-party vendors which use artificial intelligence to challenge physicians' determinations – often without meaningful review by licensed clinicians. AdventHealth claims this practice violates contractual agreements, state law, and federal regulations by allowing AI to override direct medical judgement. 

Risk Management Considerations 

  • Transparency in AI-Driven Decision-Making: The lawsuit highlights a lack of transparency around how AI models reach denial decisions, and whether human oversight is involved. For TPRM, understanding vendor AI workflows—especially in high-stakes use cases—is critical. 
  • Accountability and Compliance Gaps: Delegating claim review to AI without clinician sign-off may expose insurers—and their hospital customers—to regulatory and contractual risk. Contracts should clarify liability, approval processes, and audit rights for all parties including sub‑vendors. 
  • Impact on Provider–Payer Relationships: Automated denial outcomes can strain provider relationships, escalate appeals, and increase legal exposure. TPRM teams should monitor denial patterns connected to AI audits and collaborate cross-functionally to manage emerging disputes. 

Related Resources 

  • Shared Assessments briefing paper on AI contractual considerations 
  • AMA article on How AI is leading to more prior authorization denials 


Healthcare Overtakes Manufacturing as America’s Top Employer 

A new analysis from The New York Times underscores the scale and momentum of the U.S. healthcare workforce transformation. For decades, jobs in retail and manufacturing dominated the labor market. Today, it’s healthcare that leads employment growth—now accounting for about one in three new U.S. jobs and 13% of total U.S. employment. 

Wage growth in the healthcare sector has also significantly outpaced that of other industries—particularly in middle-skill roles such as nurses and physician assistants. According to the analysis, these roles have seen faster average earnings increases than even highly compensated specialties like physicians. However, in some segments—such as behavioral health—rapid wage escalation has strained provider budgets, making it harder for clinics, addiction treatment centers, and home health agencies to remain financially viable.

While the healthcare sector remains labor-intensive and largely insulated from automation, the article notes that artificial intelligence could reshape the workforce, especially by reducing administrative burden. Still, experts caution that growing the healthcare workforce should not be seen as a goal in itself—healthcare spending already consumes a significant share of household and government budgets. 


Connect

More questions about Shared Assessments or our Healthcare Initiative? Please connect with Chris Johnson or Stephanie Moore.

Greg Garcia

Executive Director at Health Sector Coordinating Council Cybersecurity Working Group

Thank you Chris Johnson and https://sharedassessments.org/ for shining a light on the HSCC Cybersecurity Working Group efforts to support the nation's resource-constrained health providers against the epidemic of cyber threats. #CyberSafetyisPatientSafety
