Radiology, Oncology, DocketWise: Three Breaches in One Week That Reshape Your Healthcare and Legal Third-Party Risk
- May 29
- 3 min read
In seven days, three US data breaches confirmed what many CISOs already know but hesitate to formalize: your real exposure doesn't run through your perimeter, it runs through your healthcare and legal vendors.
On May 21, Radiology Associates of Richmond notified 266,183 patients: names, Social Security numbers, medical and insurance data — exfiltrated in July 2025, identified in April 2026. The same day, The Oncology Institute confirmed the impact of a compromise at a third-party software vendor (TriZetto), with 3.4 million individuals affected across the broader ecosystem. On May 25, DocketWise — a SaaS platform for immigration case management — notified 143,480 people after stolen credentials were used to clone a code repository handling PII migration.
Three incidents, one angle: your data lives in systems you don't see
Not one attacker touched your network. Not one endpoint was compromised on your side. And yet your patients, your clients, and your employees are exposed. The common thread: sensitive data now lives at your vendor's vendor. Medical imaging is outsourced, revenue cycle billing is outsourced, legal case management is outsourced. And at each link of the chain, a vendor-of-a-vendor handles your most regulated data.
The Radiology pattern is especially telling: intrusion in July 2025, forensics completed in April 2026, notification on May 21, 2026. Nearly ten months between initial access and the first notification to victims. During that window, your internal controls couldn't see anything: the compromised perimeter wasn't yours.
The 3 questions your leadership will ask Monday morning
If you're CISO, DPO, or GRC lead in a regulated sector (healthcare, finance, legal, HR), prepare these three answers:
1. Mapping. How many vendors process our most sensitive data (PHI, PII, financial data)? For each, who are their subcontractors? The honest answer is often: "we don't know beyond tier 1."
2. Notification. In case of a breach at one of these vendors, within what timeframe are we contractually notified? How much time do we have to notify our own customers or regulators (HIPAA 60 days, GDPR 72h, state laws)?
3. Evidence. Beyond SOC 2 and the annual questionnaire, what guarantees that this vendor has actually segmented our data, logged access to it, and tested its incident response? A signed attestation is not a control.
A healthcare/legal third-party risk loop you can execute this week
No need to rebuild everything. Five actions to execute within 30 days:
1. True inventory. List every vendor that hosts, processes, or transits your regulated data. Include declared subcontractors (BAA, DPA annexes). If the list has fewer than 20 entries in a healthcare or legal environment, it's incomplete.
2. Criticality ranking. Three criteria: data volume exposed, sensitivity (PHI, PCI, professional secrecy), the vendor's market share in your sector. A dominant vendor = systemic risk.
3. Tightened notification clause. On contracts renewing this quarter, demand: 24-72h initial notification, right to audit the subcontractor's posture, right to terminate on material breach.
4. Test the notification chains. Once a year, simulate an incident at a critical vendor. Measure the real time between initial notification and updating your crisis committee.
5. Targeted CTI watch. Continuously monitor threat actors (ShinyHunters, Nitrogen, DragonForce…) and leak sites for mentions of your critical vendors. A mention on an extortion site is often the first actionable signal.
The CTI angle: see the incident coming
Third-party breaches aren't surprises for attackers — they're surprises for defenders. When TriZetto was compromised in late 2025, its customers only learned about it in May 2026. When DocketWise saw its repositories cloned, the attacker already had time to exploit the migrated credentials. Continuous CTI (not the annual audit) lets you see:
• mentions of your critical vendors on initial-access marketplaces,
• credentials from their employees circulating on leak platforms,
• active exploitation of vulnerabilities on their tech stack.
This watch shrinks the window between the actual compromise and your first action — from months to days.
Where FortaRisks comes in
Three capabilities of our Risk Management module apply directly after a week like this:
• Vendor + subcontractor mapping. Visualize your critical healthcare and legal vendors, their data flows, their declared subcontractors. One view, one source of truth.
• Continuous monitoring. Each vendor scored continuously: external posture, credential leaks, leak-site mentions, exploited vulnerabilities on their tech stack.
• CTI + GRC coupling. When an actor publishes a victim on an extortion site, your vendor map tells you immediately whether it's one of your vendors or their subcontractors — not in 10 months.
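The leak-site watch described in the CTI section and the vendor-map lookup described just above amount to the same operation: resolving a mention of any vendor, direct or not, back to the tier-1 contracts you actually hold, then counting your own notification clock from the moment you learn of it. The following is an added illustration, not FortaRisks code or any real inventory; every vendor name and the sample post are constructed, and the tier structure is hypothetical.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical vendor map (not a real inventory): each vendor we or
# our vendors rely on, with the subcontractors it declared in its BAA/DPA annexes.
# Tier-1 vendors are the ones we contract with directly.
SUBCONTRACTORS = {
    "Acme Billing": ["ClaimsCloud"],       # tier 1: revenue-cycle billing (PHI)
    "ClaimsCloud": ["HostCo Hosting"],     # tier 2: claims processing for Acme
    "HostCo Hosting": [],                  # tier 3: infrastructure for ClaimsCloud
    "CaseFlow Legal": ["HostCo Hosting"],  # tier 1: case management (client PII)
    "ImagePACS": [],                       # tier 1: medical imaging (PHI)
}
TIER1 = {"Acme Billing", "CaseFlow Legal", "ImagePACS"}

# Regulatory windows quoted in the article: HIPAA 60 days, GDPR 72 hours.
REGIMES = {"HIPAA": timedelta(days=60), "GDPR": timedelta(hours=72)}


def exposure_chains(victim):
    """Every tier-1 -> ... -> victim chain, so a leak-site mention of a
    vendor-of-a-vendor resolves to the contracts we actually hold."""
    chains = []

    def walk(node, path):
        if node == victim:
            chains.append(path)
            return
        for sub in SUBCONTRACTORS.get(node, []):
            if sub not in path:  # guard against cyclic declarations
                walk(sub, path + [sub])

    for vendor in sorted(TIER1):
        walk(vendor, [vendor])
    return chains


def match_leak_post(post_title):
    """Case-insensitive match of a leak-site post title against every mapped
    vendor; returns {matched vendor: chains back to our tier-1 contracts}."""
    title = post_title.lower()
    return {v: exposure_chains(v) for v in SUBCONTRACTORS if v.lower() in title}


def deadlines(discovered_at):
    """Our own notification deadlines, counted from when we learn of the breach."""
    return {name: discovered_at + window for name, window in REGIMES.items()}
```

A hit on a tier-3 name such as "HostCo Hosting" returns two chains, which is exactly the "we don't know beyond tier 1" gap the mapping question is meant to close.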
Good healthcare and legal third-party risk management doesn't prevent all incidents. But it shrinks the window between the leak and your response from months to days. In sectors where every day of delay costs in penalties, class actions, and trust, that's what you're really buying.
🎯 If you want to map your critical healthcare and legal vendors and move from the annual questionnaire to continuous monitoring, contact FortaRisks: https://www.fortarisks.com/contact