HHS burrows into identifying risks to health sector from third-party vendors | CyberScoop<\/title> <meta name=\"description\" content=\"A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"HHS burrows into identifying risks to health sector from third-party vendors\"> <meta property=\"og:description\" content=\"A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-02-19T18:15:48+00:00\"> <meta property=\"article:modified_time\" content=\"2026-02-19T18:15:49+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"679\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1770142553g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1771335878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87837\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87837\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87837 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.579861111111\">\n<div class=\"single-article__header-content\" readability=\"34.153846153846\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/\"> <span>Healthcare<\/span> <\/a> <\/li>\n<\/ul>\n<p> A department official speaking at CyberTalks said HHS is trying to help the sector on finding where those risks are. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87837\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"424\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors.jpg?resize=640%2C424&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=300,199 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=768,509 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=600,398 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=508,337 508w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-2.jpg?resize=1018,675 1018w\" sizes=\"(max-width: 1018px) 100vw, 1018px\"><figcaption> A healthcare worker tends to a patient on a ventilator in the Intensive Care Unit of Baptist Health Floyd on September 7, 2021 in New Albany, Indiana. (Photo by Jon Cherry\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"19.323671497585\"><body readability=\"41.233604336043\"><\/p>\n<p>A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 <a href=\"https:\/\/cyberscoop.com\/tag\/change-healthcare\/\">Change Healthcare<\/a> cyberattack.<\/p>\n<p>That attack, which is widely regarded as the biggest ever in the sector \u2014 including by HHS\u2019s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop \u2014 began with hackers exploiting the lack of multifactor authentication set up on <a href=\"https:\/\/www.wsj.com\/articles\/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6\">a remote access portal<\/a> at Change Healthcare.<\/p>\n<p>\u201cIt wasn\u2019t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,\u201d said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategy Preparedness and Response division. \u201cWe recovered from that, but we realized there are third-party risks lurking in our health care system, and we don\u2019t even know they\u2019re there. Where are those entities or systems that will have an outsized impact on our sector?\u201d<\/p>\n<p>That realization arose from meetings between HHS and industry, she said. The focus on third-party service provider risk came next.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe are going through and working through a methodology to identify that, and we\u2019ve been working with industry on doing that, really finding where those places are,\u201d Hess said.<\/p>\n<p>The Change Healthcare breach, which exposed the data of 190 million people, has triggered other government responses, too, including on <a href=\"https:\/\/cyberscoop.com\/bipartisan-health-care-cybersecurity-legislation-returns-to-address-a-cornucopia-of-issues\/\">Capitol Hill<\/a>.<\/p>\n<p>It also prompted UnitedHealth Group, the parent company of Change Healthcare to <a href=\"https:\/\/cyberscoop.com\/unitedhealth-group-steven-martin-ciso-ransomware-attack-recovery\/\">\u201cstart over\u201d<\/a> on its use of computer systems. But industry has also bristled at the notion of <a href=\"https:\/\/cyberscoop.com\/health-care-groups-resist-cybersecurity-rules-in-wake-of-landmark-breach\/\">mandatory cybersecurity requirements on hospitals<\/a> \u2014 in part because, they note, the Change Healthcare attack wasn\u2019t their fault.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>HHS burrows into identifying risks to health sector from third-party<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1603,6035,655,1436,117,459,224,2101,439,46,824,1604],"tags":[1605,6036,657,1439,119,461,232,2109,443,54,828,1606],"class_list":["post-8367","post","type-post","status-publish","format-standard","hentry","category-change-healthcare","category-charlee-hess","category-congress","category-department-of-health-and-human-services-hhs","category-government","category-health-care","category-healthcare","category-hospitals","category-policy","category-ransomware","category-third-party-risk","category-unitedhealth-group","tag-change-healthcare","tag-charlee-hess","tag-congress","tag-department-of-health-and-human-services-hhs","tag-government","tag-health-care","tag-healthcare","tag-hospitals","tag-policy","tag-ransomware","tag-third-party-risk","tag-unitedhealth-group"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/change-healthcare\/\" rel=\"category tag\">Change Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/charlee-hess\/\" rel=\"category tag\">Charlee Hess<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/congress\/\" rel=\"category tag\">Congress<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-health-and-human-services-hhs\/\" rel=\"category tag\">Department of Health and Human Services (HHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/health-care\/\" rel=\"category tag\">health care<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/healthcare\/\" rel=\"category tag\">Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hospitals\/\" rel=\"category tag\">hospitals<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/third-party-risk\/\" rel=\"category tag\">Third-Party Risk<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unitedhealth-group\/\" rel=\"category tag\">UnitedHealth Group<\/a>","tag_info":"UnitedHealth Group","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8367"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8367\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8367,"date":"2026-02-19T12:15:48","date_gmt":"2026-02-19T18:15:48","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87837"},"modified":"2026-02-19T12:15:48","modified_gmt":"2026-02-19T18:15:48","slug":"hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/02\/19\/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors\/","title":{"rendered":"HHS burrows into identifying risks to health sector from third-party vendors"},"content":{"rendered":"