
Vendor Security Risks: Key Questions Before Signing

Dr. Shahinaz Soliman, M.D. Jun 7, 2026 1:53:04 PM

Quick Answer: Before signing with any after-hours or patient-communication vendor, ask for three things in writing: a signed HIPAA Business Associate Agreement, a documented breach history and incident-response plan, and proof of independent security controls (encryption in transit and at rest, access logging, and third-party audits). A vendor's track record — how many years it has operated and whether it has ever suffered a breach — is the single most predictive signal of whether your patients' protected health information is safe.

Every medical practice now runs on third-party software. Your EHR, your billing clearinghouse, your patient-reminder texts, and the service that answers your phones after 5 p.m. all touch protected health information (PHI). Each of those vendors is a door into your patient data — and under HIPAA, you are responsible for who you hand the keys to.

That responsibility has never been more consequential. The U.S. Department of Health and Human Services Office for Civil Rights maintains a public breach portal — informally known as the "Wall of Shame" — that logs every healthcare data breach affecting 500 or more individuals. It now records hundreds of breaches every year, collectively exposing tens of millions of patient records, and a growing share of them originate not inside the practice but inside a third-party vendor. 2024 was one of the worst years on record for healthcare data exposure, and after-hours communication and answering-service platforms were among the categories hit.

For practice leaders, the lesson is not "avoid vendors." That is impossible. The lesson is to evaluate vendors the way a compliance officer would — and to understand that a low price or a flashy feature set means nothing if the company behind it has an unproven security record. This is what happens when you choose infrastructure on hype instead of evidence: you inherit its risk.

Why third-party vendors are now the leading source of healthcare breaches

The pattern in OCR's breach data is consistent. When a single answering service, scheduling platform, or communication vendor is compromised, it does not affect one practice — it affects every practice that vendor serves. A breach at a platform used by hundreds of clinics can expose hundreds of thousands, even close to a million, patient records in a single incident. The largest after-hours communication breaches on record have each affected populations in that range.

And the financial and legal fallout does not stay with the vendor. Affected practices field patient complaints, issue breach notifications, and in many cases become named parties or co-defendants in the class-action litigation that reliably follows. The vendor's "unproven system" becomes your liability, your reputational damage, and your patients' stolen data.

This is why the depth of a vendor's experience matters so much. A company that has operated securely for years, across millions of patient interactions, has demonstrably survived the attacks, the audits, and the scale that break newer entrants. A company that launched recently has not yet been tested — and healthcare data is the wrong place to be a test case.

The vendor-security checklist every practice should use

Before you sign with any vendor that will touch patient phone calls, messages, or records, get clear answers — in writing — to the following. If a vendor hesitates on any of these, treat that hesitation as the answer.

1. Is there a signed Business Associate Agreement (BAA)?

Under HIPAA, any vendor that handles PHI on your behalf is a "business associate" and must sign a BAA that contractually binds them to safeguard that data and to notify you promptly of any breach. No BAA, no deal — full stop. The BAA is not paperwork; it is the legal instrument that defines who is responsible when something goes wrong.

2. What is the vendor's actual breach history?

Ask directly: "Have you ever had a reportable data breach? Are you currently party to any breach-related litigation?" Then verify the answer against the public OCR breach portal. A clean, verifiable record over many years is the strongest evidence a vendor can offer. A history of incidents — or pending litigation — is a signal you cannot afford to ignore.

3. How is data encrypted, logged, and access-controlled?

You want encryption in transit and at rest, role-based access controls, complete audit logging of who touched what and when, and a documented, tested incident-response plan. "We take security seriously" is a slogan. Specifics are evidence.

4. How long has the system actually been in production at scale?

Security is earned, not announced. A platform that has handled tens of millions of real patient interactions has been hardened by that volume. Longevity and scale are not vanity metrics — in healthcare communication, they are risk metrics.

This is not about company age for its own sake — plenty of excellent companies are young. It is about whether the specific system handling your patients' data has been tested by real-world volume. A platform that has processed tens of millions of patient interactions has been hardened by every attack, audit, and edge case that volume produces. A system that has not reached that scale is not necessarily insecure — but its security is unproven, and "unproven" is precisely the risk you are trying to avoid when the data is protected health information. Ask for the numbers: how many patient interactions, over how many years, with what breach record.

5. What happens to your data if you leave?

Data portability, retention, and secure deletion policies tell you whether a vendor treats your patients' information as your asset or theirs. Get the offboarding terms before you onboard.

Where CallMyDoc stands

We built CallMyDoc as clinical communication infrastructure — not a bolt-on app, and not an unproven experiment running on your patients' data. The record speaks for itself:

  • 27M+ patient call sessions handled securely across 40 states.
  • 8+ years in production at scale — a proven track record, not a launch announcement.
  • Zero breaches. Zero lost calls.
  • HIPAA-aligned by design, with a signed BAA, encryption in transit and at rest, access logging, and a documented incident-response posture.

That track record is the whole point. When you evaluate a vendor for after-hours answering or daytime medical answering, you are not just buying a feature — you are extending your HIPAA responsibility to that company. We think you should extend it only to infrastructure that has already proven it can carry the weight.

CallMyDoc resolves roughly 47% of calls fully automatically while ensuring any patient who needs a person is connected to one — it is hybrid by design, never a black box that leaves callers stranded. The same discipline that keeps patients from getting stuck applies to how we treat their data: predictable, logged, and secure.

The real cost of an "unproven system"

The sticker price of a cheaper or newer vendor is rarely the real price. The real price includes the breach-notification campaign, the OCR investigation, the patient churn, the reputational damage in your community, and — increasingly — the cost of being named in litigation. Practices that have lived through a vendor breach will tell you that the savings on the contract were a rounding error against what the incident cost them.

Choosing communication infrastructure is a trust decision before it is a technology decision. The questions above let you make it with evidence instead of optimism. See how CallMyDoc compares on the criteria that actually matter on our comparison page, or explore the full platform capabilities.

Frequently asked questions

Is my practice liable if a third-party vendor causes a data breach?

Often, yes. Under HIPAA, covered entities (your practice) and business associates (your vendors) both carry obligations. A signed BAA defines responsibility, but practices can still face federal HIPAA investigations from the HHS Office for Civil Rights (OCR), breach-notification duties, and reputational harm when a vendor they selected is compromised. Vetting the vendor up front is your best protection.

What is a Business Associate Agreement and why does it matter?

A BAA is a HIPAA-required contract between your practice and any vendor that handles protected health information. It legally binds the vendor to safeguard that data and to notify you of breaches. If a vendor that touches PHI will not sign a BAA, you cannot use them compliantly.

How can I verify a vendor's security track record?

Ask the vendor directly about prior breaches and any active litigation, then cross-check against the public HHS Office for Civil Rights breach portal, which lists all reported healthcare breaches affecting 500 or more individuals. Pair that with proof of encryption, access logging, third-party audits, and years of production history at scale.

Does CallMyDoc have a history of data breaches?

No. Across 8+ years and 27M+ patient call sessions in 40 states, CallMyDoc has maintained zero breaches and zero lost calls, with HIPAA-aligned controls and a signed BAA.
