You ran the diligence three years ago when you signed up your records vendor. You looked at their certifications. You signed the agreement they sent. You moved on.

Last year, they got breached. They sent you the notification. You sent the right letters to your patients. The cycle closed. You went back to seeing patients.

Last week, a federal judge in Chicago opened a door you thought was closed. Patients of the practice can sue the practice — not the vendor — for what the vendor lost.

What the ruling actually said

The case is Bernardino v. HAH Group Holding.[1] Two patients of Help at Home — an Illinois home-care provider — sued the provider over a 2024 breach at one of its vendors. The vendor had lost personal and medical information for thousands of patients. The vendor sent the breach notification. Help at Home sent the patient letters. The case looked closed.

The patients sued anyway. Help at Home asked the court to throw the lawsuit out — they pointed at the vendor, said "that was their problem, not ours."

On May 28, the judge declined. The patients can sue Help at Home. The risk of identity theft from the leaked data was enough exposure to keep the case alive. One of the two patients also had immediate damages — fraudulent credit card charges traceable to the breach.

The judge didn't say Help at Home is liable. The judge said the patients get to prove Help at Home is liable. In a courtroom. With discovery. With depositions of whoever at Help at Home was responsible for that vendor relationship.

That's the door that just opened. The plaintiff bar in Illinois will walk through it. The plaintiff bars in other states have been waiting for one of these rulings to land somewhere.

The diligence defense just got narrower

The defense most practitioners would reach for is the obvious one: I did my due diligence. The vendor had certifications. They had references. The breach was their failure, not mine.

Three years ago, that defense kept these lawsuits from going anywhere. Today, the court will say: fine, prove the diligence. Show me what you did.

That's where most small practices come apart. The vendor contract is the vendor's standard template — accepted as-is, never marked up, often never actually read past page two. The SOC 2 report was glanced at, never re-checked when it expired. The breach notification window in the contract says "without unreasonable delay," which the vendor's lawyer will define as sixty days. There's no insurance requirement. There's no indemnification — or there is, but it caps at the fees you paid the vendor in the last twelve months, which doesn't cover a single defense attorney's billable week.

The court didn't ask whether you trust your vendor. The court asked what your contract requires of them when something goes wrong.

What to look for when you read a vendor contract

Five things to check in any vendor agreement, in plain language.

1. Does it say what data the vendor gets? Names? Dates of birth? Diagnoses? Insurance numbers? If you can't find a paragraph listing the specific categories, you don't have an agreement — you have a marketing brochure.

2. How fast do they have to tell you when something goes wrong? The default in most agreements is "without unreasonable delay." That means whatever the vendor's lawyer says it means — often sixty days, sometimes longer. You want a number measured in days. Five days. Ten days. Whatever works for your practice. Just a number.

3. What does the indemnification clause actually say? This is the question most small practices skip because they assume the answer is "they'll cover everything." It's not. The indemnification clause usually caps the vendor's liability at the fees you paid them in the last twelve months — a number that won't cover a single defense attorney's billable week, let alone a class-action settlement.

You probably can't get a major vendor to take the cap off entirely. They won't sign it. But you have three smaller asks that are realistic at renewal:

And carry your own cyber-liability insurance to bridge whatever the vendor doesn't cover. Your policy + their policy is the actual coverage stack, not whatever the indemnification clause says by itself.

4. Do they have cyber-liability insurance? Most legit vendors do. Most small-practice contracts don't require it. You want a minimum coverage limit (a million dollars is the typical floor for vendors holding health data), your practice named as an additional insured, and proof every year at renewal.

5. Can you audit them? You probably won't. But the right to audit is what makes the vendor actually take their security posture seriously. Without that clause, you have no leverage when something looks off.

Three things to do this week

One. Find the contract drawer. Pull the agreements for your three biggest vendors — the ones that hold the most patient data. For most practices that's your records system, your billing service, and now your AI scribe. Read each one. Look for the five things above. Mark the page numbers where they fall short.

Two. Email each of those vendors and ask for their current SOC 2 report or equivalent. Just say "we're updating our vendor risk file, can you send us your current security attestation?" Many will send it. Some won't. The ones who refuse to send their security attestation are usually the same ones who'll be slowest to indemnify you when something goes wrong.

Three. Identify which of your vendor agreements were signed more than three years ago. Anything older than that was almost certainly drafted before the current wave of healthcare class actions established what courts now look for. Those contracts need updating at the next renewal, or sooner if the vendor will negotiate.

The court didn't say you have to renegotiate every vendor contract this week. It said the next time a vendor of yours gets breached, your patients have a door to sue you through. The door is open. The diligence you do this month is what determines whether you survive what comes through it.

The vendor review checklist for the five elements your agreement needs to cover.
The Encrypted Chart Vault includes the BAA review checklist plus pre-drafted BAA language calibrated for independent practice. Run any vendor contract through it in twenty minutes. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
Get the Vault →
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
Footnotes
  1. Bernardino v. HAH Group Holding LLC, No. 1:24-cv-07594, U.S. District Court for the Northern District of Illinois, decided May 28, 2026. Case analysis: The Data Breach Times.
  2. HIPAA Business Associate Agreement provisions, 45 CFR § 164.504(e). HHS Office for Civil Rights sample BAA provisions.
  3. HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. HHS Office for Civil Rights guidance.