Vendor breaches expose gaps

A string of industry breaches—Healthdaq in the U.K., IntraCare in New Zealand, OneDigital’s exposure tied to Salesforce/Drift, and a New Hampshire practice settlement—shows third‑party incidents can expose large troves of personal data and force frantic, post‑incident discovery. The common operational failure these stories highlight is the lack of current vendor data‑flow maps and clear internal owners who can act when a supplier is compromised. (bbc.com) (rnz.co.nz) (wealthmanagement.com) (beckersspine.com)

A hospital or wealth manager can lock down its own network and still end up exposed through a supplier sitting off to the side like a spare key under the mat. That is what links a United Kingdom recruiting platform, a New Zealand imaging provider, a United States advisory firm, and a New Hampshire medical practice. (bbc.com) (rnz.co.nz) (wealthmanagement.com) (beckersspine.com)

In Northern Ireland, health trusts warned staff to stay alert after a cyberattack hit Healthdaq, a recruitment platform used by all five regional trusts. BBC News reported that hackers claimed to have stolen hundreds of thousands of files containing identity documents and other personal data. (bbc.com) The problem there was not a hospital database with patient charts. The weak point was a hiring pipeline that held passports, driving licences, and background-check material for doctors, nurses, and other workers applying for jobs. (bbc.com)

In New Zealand, IntraCare said on April 9, 2026 that some patient data was accessed in a cyber incident first detected on Friday, March 20, 2026. Earlier reporting said the company shut down its information technology systems and 28 surgeries were deferred while it investigated. (intracare.co.nz) (rnz.co.nz) IntraCare is not a giant public hospital chain. It is a specialist provider for cardiology, electrophysiology, and interventional radiology, which meant a breach in one midsize clinical business was enough to disrupt scheduled care and trigger direct outreach to affected patients. (intracare.co.nz) (rnz.co.nz)

Then there is OneDigital Investment Advisors in the United States, where the company said its own network was not breached. Instead, Salesforce notified OneDigital on August 22, 2025 about a security event involving Salesforce and Drift, an online chat tool managed by Salesloft and connected to OneDigital’s customer records. (wealthmanagement.com) (salesforce.com) (maine.gov) That incident ran from August 12 to August 18, 2025, and Maine’s breach filing says 28,414 people were affected. The exposed data included names and Social Security numbers, and notices to consumers went out on April 8, 2026, months after the original access window. (wealthmanagement.com) (maine.gov) (oag.ca.gov)

The New Hampshire case shows what happens after the scramble. Concord Orthopaedics agreed to settle litigation tied to a November 2024 cyberattack that affected 72,815 people, and the settlement site says the accessed files may have included dates of birth, Social Security numbers, appointment details, insurance information, and driver’s licence numbers. (beckersspine.com) (concorddatasettlement.com)

What ties these cases together is the delay between the break-in and the full inventory. IntraCare said confirming what data was accessed was “technically challenging,” and OneDigital needed a forensic review after a vendor alert to determine which customer information in Salesforce had been involved. (intracare.co.nz) (classlawdc.com)

That usually means one basic thing is missing: a current map showing which outside company holds which data, in which system, for which business process, with one named employee inside the company who owns that relationship. Without that map, every vendor breach starts with the same question asked under pressure: what exactly did we give them? (salesforce.com) (intracare.co.nz) (bbc.com)

The lesson from these four cases is not that companies use too many vendors. It is that payroll systems, recruiters, chat tools, customer databases, and specialist clinics all become part of the same data chain the moment personal information moves between them, and the chain is only as visible as the records kept before the breach starts. (bbc.com) (rnz.co.nz) (wealthmanagement.com) (concorddatasettlement.com)


Shared from Scout - Be the smartest in the room.