The Perils of Vendors Storing PHI

Recently over 14,000 Medicare recipients of Brand New Day’s health plan had their personal records exposed due to an error by a third-party vendor. According to HealthITNews, the breached data included PHI such as names, addresses, dates of birth, contact information, and Medicare ID numbers. Though this breach was unintentional, it leaves one wondering why and how these HIPAA violations keep occurring. Healthcare environments have many moving parts, so much so that third-party vendors with varying specialties are required in order to provide all levels of service for patients. However, the inherent danger of such partnerships is the handling of PHI through these various services. The moment an organization grants its partners access to this data, the uncertainty of the PHI hand-off ensues.

From malicious intent to basic human error, a breach of patient data can originate from many points. A vendor’s IT department could back up the PHI on a laptop for any reason. That laptop could then be lost or stolen, exposing patient information. Employees of third parties could also fall victim to phishing scams or ransomware attacks, which would put the entire database on their internal servers at risk. The point is really more of a question: with such risk, how do you manage which vendors should access and store your PHI?

Our philosophy at QliqSOFT is this: if a vendor does not need PHI, then the vendor should not store PHI. That is why we developed our exclusive Cloud Pass-Thru™ architecture, which uses cloud-based servers only as a conduit for transferring encrypted messages between Qliq secure texting users. In contrast, legacy client-server messaging architecture stores all messages and PHI in the vendor’s cloud server, creating unnecessary security risks. Keeping this data only opens vendors to potential breaches such as the one mentioned above.

Frequently Asked Questions
Cloud Pass-Through architecture uses cloud servers only as a conduit to transfer encrypted messages without storing PHI on vendor servers. Traditional client-server architecture stores all messages and PHI on the vendor's cloud servers, creating unnecessary security risks and potential breach exposure.
Healthcare organizations should follow the principle that if a vendor doesn't need PHI to perform their services, they shouldn't store or access PHI. Organizations should evaluate each vendor's actual business requirements and implement data minimization practices to reduce breach risks.
Business Associate Agreements (BAAs) are HIPAA-required contracts that establish how third-party vendors must handle, protect, and secure PHI. These agreements legally bind vendors to HIPAA compliance standards and define their responsibilities for safeguarding patient data.
Organizations must immediately assess the scope of the breach, notify affected patients within 60 days, report to HHS within 72 hours, and implement corrective measures. They should also review vendor agreements and security protocols to prevent future incidents.
Organizations should implement data minimization by sharing only necessary PHI, use encrypted communication channels, conduct regular vendor security assessments, and choose vendors with pass-through architectures that don't store PHI unnecessarily.
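The pass-through versus store-and-forward contrast drawn in the body and in the FAQ answers above, as an added example that is not QliqSOFT's code: two clinician apps share a key the vendor never holds, the relay queues only ciphertext envelopes and drops them on delivery, while a legacy server keeps plaintext history. The HMAC-based encrypt-then-MAC is a stand-in for a real AEAD such as AES-GCM, and the relay/server classes, recipient names and sample message are assumptions constructed for the demonstration.

```python
import hashlib, hmac, secrets
# Toy encrypt-then-MAC built from HMAC-SHA256; a stand-in for a real AEAD such as AES-GCM.
def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("envelope failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

class PassThruRelay:
    # Vendor conduit (assumed design): queues opaque envelopes until pickup and never holds a key.
    def __init__(self):
        self._queue = {}  # recipient -> list of ciphertext envelopes
    def relay(self, recipient, envelope):
        self._queue.setdefault(recipient, []).append(envelope)
    def deliver(self, recipient):
        return self._queue.pop(recipient, [])  # nothing remains on the relay after pickup
    def exposed_on_compromise(self):
        return [e for q in self._queue.values() for e in q]  # all a server intruder could read

class StoreAndForwardServer:
    # Legacy client-server design: message history persists in plaintext on the vendor side.
    def __init__(self):
        self.history = []
    def send(self, recipient, text):
        self.history.append((recipient, text))
    def exposed_on_compromise(self):
        return [t for _, t in self.history]

def run_scenario():
    key = secrets.token_bytes(32)  # shared by the two clinician apps; the vendor never sees it
    phi = b"Pt Jane Roe (constructed), DOB 1950-01-01: lab results ready"  # constructed sample PHI
    relay, legacy = PassThruRelay(), StoreAndForwardServer()
    relay.relay("nurse_b", seal(key, phi))
    leak_before = relay.exposed_on_compromise()  # ciphertext only, even before pickup
    received = [unseal(key, e) for e in relay.deliver("nurse_b")]
    legacy.send("nurse_b", phi)
    return {"phi": phi, "received": received, "relay_leak_before": leak_before,
            "relay_leak_after": relay.exposed_on_compromise(), "legacy_leak": legacy.exposed_on_compromise()}
```

A compromise of the relay yields only undeliverable ciphertext, and after pickup nothing at all, whereas the same compromise of the legacy server yields every message in the clear.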
