Censinet and Ponemon Report: More Than Half of Healthcare Vendors Have Been Breached, Exposed PHI

A new report issued by Censinet and the Ponemon Institute found that more than half of all healthcare vendors have experienced a data breach that has exposed protected health information, with the average breach costing nearly $2.75 million and exposing nearly 10,000 records.

Additional Key Findings:

  • Only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI

  • 41 percent of vendors say that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies

  • Healthcare vendors spend an average of $2.5M annually filling out risk assessments

  • 59 percent of healthcare vendors say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year

In this Q&A, Ed Gaudet, CEO of Censinet, shares his insights on the report's findings and how the healthcare industry can improve its security practices.

Is there anything surprising about these findings?

"I was surprised by the rate at which risk assessments become outdated and alarmed to see that two out of three healthcare vendors do not notify their providers when they experience a data breach. Manual risk assessments, framework validations, and certificates can take anywhere from 6-9 months to complete -- this approach almost guarantees that a vendor's risk assessment is out of date at the time of completion and publishing."

How would you go about fixing these problems? How could Censinet's offerings help?

"We must do a better job as an industry enabling our supply chain of third-party vendors with effective procedures and controls that reduce risk through automation, transparency and standardization. The more transparent and proactive the process, the more everyone benefits. That’s why we call our platform a collaborative risk network. Healthcare organizations (HCOs) want risk awareness and aren’t using assessments as a pass/fail. As data risk experts, we encourage vendors to complete the standardized risk assessment questionnaire in advance so they can see how they appear to HCOs and consider how they will address any findings those buyers may worry about. Vendors on our platform can take the hundreds of hours they used to spend answering questionnaires and put it back into improving their risk and security posture.

It was encouraging to see that so many respondents believe automation and standardization will improve the risk management process, because that’s at the heart of what Censinet does."

To download the full report, please visit:

For more information on Censinet, please visit
