What Happened
In January 2026, LifeLong Medical Care disclosed that 70,000 individuals were affected by a hacking incident at a business associate.
The compromised data reportedly includes health data. Patients were affected through a third-party relationship rather than a direct attack on LifeLong's systems.
Timeline
- January 2026 — LifeLong Medical Care discloses breach affecting 70,000 individuals via business associate
Impact and Risk Assessment
For Individuals
70,000 patients had their health data exposed through a third-party business associate, despite LifeLong's own systems not being directly compromised.
Patients may not understand how their data came to be compromised through an entity they had no direct relationship with.
For Organisations
LifeLong Medical Care must manage patient notification and response for a breach that originated at a third party.
The business associate faces potential HIPAA enforcement action for the breach.
Regulatory Context
Under HIPAA, both covered entities and business associates have obligations to protect patient data. The covered entity must ensure its business associates meet security requirements.
What Should You Do?
For Individuals
- If you receive care from LifeLong Medical Care, monitor your explanation of benefits statements for signs of medical identity fraud.
For Security Professionals
- Review your business associate agreements and ensure they include meaningful security requirements, breach notification timelines, and audit rights.
- Extend third-party risk management to all business associates that handle protected health information.
Learnings and Recommendations
Business associate breaches continue to affect healthcare patients who had no direct relationship with the compromised entity. Third-party risk management is critical in the healthcare supply chain.