“Just As Long As It’s Legal”
The Hidden Cost of Vendor Governance Gaps in Population Health
When the breach happens at your vendor, the bill still arrives at your door.
The Number Nobody Quoted
In June 2025, a $5.48 million settlement was approved to resolve consolidated class action litigation arising from a 2023 data breach at HealthEC, a population health analytics vendor. The settlement fund was allocated across five defendants. HealthEC, the breached vendor, contributed $3.33 million. Corewell Health contributed $1.3 million. Beaumont ACO contributed $350,000. MD Valuecare and Community Health Care Systems each contributed $250,000.
Four of those five organizations did not have a breach. They had a vendor who did. They paid $2.15 million combined for data they handed to HealthEC and subsequently lost all visibility into.
That is not a cybersecurity story. That is a governance story. And the governance failure did not begin in July 2023 when the breach occurred. It began at contract signing, months or years earlier, when nobody asked the questions that would have changed the cost curve.
What HealthEC Actually Was
HealthEC was a New Jersey-based population health analytics vendor whose platform was used by healthcare organizations to identify high-risk patients, close gaps in care, and recognize barriers to optimal care. It was, in other words, exactly the kind of vendor a director hires when his organization cannot staff the analytical work internally.
Its platform held some of the most sensitive data in the healthcare ecosystem — diagnosis codes, mental and physical condition information, prescription records, Social Security numbers, billing and claims data. Between July 14 and July 23, 2023, an unknown actor accessed its systems and copied files containing that data. HealthEC completed its investigation on October 24, 2023, began notifying client organizations on October 26, and mailed individual notification letters on December 22. The breach was initially reported to HHS Office for Civil Rights as affecting roughly 4.5 million individuals, a figure that was subsequently updated upward.
The five-month gap between breach and individual notification is the Timing failure. The gap between initial scope estimate and final count is the Measurement failure. The $2.15 million paid by organizations that never had a breach of their own is the governance failure. All three were preventable. None required the breach to be prevented — only the conditions surrounding it to be governed.
Meet the Three Organizations
To understand how governance posture changes the cost curve, consider three fictional but representative organizations — all HealthEC clients, all inside the same breach, all facing the same external event. What differs is what each had in place before July 14, 2023.
Meridian Health System is a large regional health system that signed its HealthEC contract through a standard procurement process. Legal reviewed the terms. Procurement closed the deal. No vendor governance review was conducted. No data scope was documented. No measurement baseline was established. Meridian is legally compliant and governance-thin.
Centerpoint Regional Medical is a mid-size employer that required ETHICMAP vendor certification before authorizing any data transfer to HealthEC. The certification documented data categories held, error tracking protocols, breach scope methodology, and the notification chain — all signed off before go-live. Centerpoint is certified, measured, and prepared.
Valley Community Health is a small community health center whose IT director requested a security certification before signing. HealthEC provided a SOC 2 report. Valley accepted it as sufficient. No measurement baseline was established, no data scope was documented, and no formal notification chain existed in the contract. Valley has partial controls and a fragile response posture.
Same vendor. Same breach. Three different governance postures. Three very different cost curves.
The Timeline: Same Breach, Different Governance Posture
See timeline: From HealthEC to 2030 — Same breach. Different governance futures.
The timeline running alongside this article tracks all three organizations from contract signing through a modeled 2030 governance future. What it shows is not dramatic. It is quiet. The differences between Meridian, Centerpoint, and Valley do not become visible at the moment of breach. They become visible in the months before it, in the decisions that were made or not made when the cost of making them was low. By the time the breach occurs, the cost curve is already set.
From HealthEC to 2030: Same breach. Different governance futures.
The public-record HealthEC breach anchors the timeline. The columns remain fictional scale models: a large regional system, a mid-size ETHICMAP-governed organization, and a small community organization with partial controls.

Contract Signing
Public record anchor: HealthEC client contracts existed before the July 2023 incident. Fictional columns model large, mid-size, and small client postures at signing.
Meridian: Large regional system signs HealthEC contract through standard procurement. Legal reviews terms. Procurement closes. No vendor governance review conducted. Data scope undocumented. No measurement baseline established.
Centerpoint: Mid-size organization requires ETHICMAP vendor certification before any data transfer. Certification documents data categories held, error tracking, breach-scope methodology, and notification chain before go-live.
Valley: Small community organization asks for security evidence. Receives a SOC 2 report and accepts it as sufficient. No measurement baseline, data-scope record, or formal notification chain is created.

First Program Cycle Closes
Programs are running before the incident. The governance differences are still quiet and mostly invisible.
Meridian: Program continues at scale. No governance review triggered. No audit of what HealthEC holds on Meridian’s behalf. No documented baseline.
Centerpoint: Annual ETHICMAP Application cycle review is conducted. Data scope confirmed. Measurement protocols verified. Certification renewed. Documentation remains current.
Valley: Program continues with limited staff capacity. IT director flags a data-access anomaly internally. No formal escalation path exists. Note filed, but not acted on.

Environment Shifts
Real-world anchor: Welltok/MOVEit vendor breach pattern becomes visible in the healthcare market before HealthEC’s July incident.
Meridian: Leadership sees industry coverage. No internal review triggered. No vendor audit conducted. Legal confirms the current contract is compliant.
Centerpoint: ETHICMAP Environment review is triggered. HealthEC is asked to confirm pipeline architecture, consent validation, and notification assumptions. Documentation updated.
Valley: CFO asks whether the organization is exposed. IT says they use a different vendor. No further review occurs because there is no framework telling them what to ask next.

Time Zero: Breach
Real-world anchor: HealthEC systems are accessed and files are copied. The three fictional organizations are modeled as HealthEC clients inside the same vendor incident.
Meridian: Unaware. No internal tripwire. Waiting on vendor. Scale increases the number of patients and programs potentially implicated.
Centerpoint: Unaware of the breach itself, but contract terms require notice within 72 hours of confirmed suspicious activity and require uncertainty-based scope reporting.
Valley: Unaware. Waiting on vendor. Small scale does not reduce dependency; it only reduces staff capacity to respond when information finally arrives.

The Dark Window
Real-world anchor: HealthEC investigation runs July 24–October 24, 2023.
Meridian: Three months of silence. No visibility into scope. No internal protocol for vendor breach response. Communications team unprepared. Legal on standby.
Centerpoint: Receives early contractual notice in the model. Scope estimate includes an explicit uncertainty range. Internal response team activates. Patient communication and regulatory counsel move early.
Valley: Three months of silence. IT director contacts an account manager informally. No formal response channel exists in the contract.

Client Notification
Real-world anchor: HealthEC begins notifying client organizations.
Meridian: Notified. Begins response planning against a point estimate. Communications, legal strategy, and operational triage are built around a number that may not hold.
Centerpoint: Already executing the response plan. The later vendor notice confirms the incident fits the previously documented uncertainty range. No full pivot required.
Valley: Notified. Begins response with no communications infrastructure. Board hears the full issue for the first time.

Public Disclosure
Real-world anchor: HHS notice, revised multi-million affected population, and individual letters mailed.
Meridian: Scope expands publicly. Prior response planning becomes obsolete. Communications restart. Legal strategy is rebuilt. Large scale turns the governance gap into a public risk event.
Centerpoint: Revised figure remains within the documented uncertainty range. Patient letters and regulatory posture are already prepared. Governance record explains what was known and when.
Valley: Revised figure lands hard. Board enters crisis mode. Local press pressure arrives before a prepared statement exists. Small scale becomes fragility, not safety.

Litigation
Real-world anchor: consolidated class action litigation follows the HealthEC breach.
Meridian: Named in the model. No governance documentation demonstrates due diligence. Discovery exposes absence of vendor audit trail. Settlement exposure elevated by documentation gaps.
Centerpoint: Not named in the model. ETHICMAP documentation demonstrates active governance posture. Counsel uses certification record as due-diligence evidence.
Valley: Named in the model. Partial documentation exists, but it is inconsistent. Some records are present, others missing. Exposure is smaller than Meridian’s but harder to absorb.

Settlement Track
Real-world anchor: settlement terms and approval process allocate breach cost across HealthEC and affected provider organizations.
Meridian: Settlement contribution modeled on the large-system allocation. Notification, credit monitoring, legal fees, communications rebuild, and corrective action drive total operational cost into the millions.
Centerpoint: Direct settlement cost remains $0 in the model. Framework cost is documented and absorbed as risk mitigation investment. Governance posture becomes evidence rather than marketing.
Valley: Settlement contribution modeled on smaller-provider allocations. Notification, legal fees, and board crisis management produce a six-figure event for an organization with far less margin.

Legislative Hinge
Real-world anchor: Michigan Senate breach-notification legislation passes the Senate in 2025; the Attorney General renews calls after additional healthcare breach activity.
Meridian: Compliance team responds to proposed notification requirements. New vendor contracts receive more legal review, but no durable vendor-governance framework is adopted.
Centerpoint: ETHICMAP Application cycle captures the legislative change. Vendor contracts are updated as part of annual review. Notification timeline is already governed by contract.
Valley: IT director researches compliance obligations. Leadership understands the risk better, but implementation remains unfunded and informal.

Governance Futures
Fictional projection begins here. This row does not describe or predict conduct by any real HealthEC defendant.
Meridian: New vendor, same pattern. Legal reviews terms. Procurement closes. The system is larger and more complex, but the governance gap remains. Next incident produces the same cost curve at greater scale.
Centerpoint: No data transfer until the new vendor certifies. Data scope, measurement protocol, breach methodology, and notification chain are current. A future incident becomes execution, not improvisation.
Valley: Still deciding. A SOC 2 report plus informal diligence feels cheaper until the next breach. The organization must choose between partial comfort and an actual governance record.
Meridian: Large-scale exposure
- Modeled settlement: $1.3M
- Operational response: $1.2M est.
- Legal: $500K est.
- Reputational: significant, unquantified
- 2030 risk: same pattern, larger systems

Centerpoint: Governed exposure
- Modeled settlement: $0
- Operational response: documented, absorbed
- Legal: minimal
- Reputational: neutral to positive
- 2030 risk: managed by certification cycle

Valley: Small-scale fragility
- Modeled settlement: $250K
- Operational response: $350–550K est.
- Legal: $200K est.
- Reputational: significant locally
- 2030 risk: decision point unresolved
Measurement: Nobody Knew What They Had
The HealthEC breach was initially reported to HHS Office for Civil Rights as affecting roughly 4.5 million individuals. That figure was subsequently revised upward. The gap between what was initially reported and what was ultimately counted is not a rounding error. It is a Measurement failure — and it cascaded directly into every client organization's response.
Measurement asks what moved, and requires accounting for uncertainty and error rates, not just point estimates. An organization that cannot produce an accurate scope estimate at the moment of disclosure does not have a measurement infrastructure. It has a discovery process that runs on crisis.
Every client organization that began planning its response in October 2023 was doing so against a number that was wrong. Communications were drafted for the wrong scale. Legal strategy was built on the wrong exposure estimate. When the revised figure became public in December, everything built on the original number became obsolete.
Centerpoint's contract, structured around a functioning governance cycle, required HealthEC to provide scope estimates with explicit uncertainty ranges rather than point estimates. That single requirement — document what you don't know as carefully as what you do — meant that when the revised figure arrived, it fell within a documented range Centerpoint had already planned for. No pivot required. No communications restart. No legal strategy rebuilt from scratch.
A measurement framework does not prevent breaches. It prevents organizations from managing a $3 million crisis using a $250,000 number.
Timing: You Cannot Notify Faster Than You Can Count
Michigan's Attorney General called for new legislation after the HealthEC breach. The proposed package — Michigan SB 360-364, which passed the Senate 19-15 in August 2025 and was awaiting House consideration at the time of writing — would require notification within 45 days of breach determination and expand the definition of personal data to include health and biometric information.
That is not nothing. Faster notification protects affected individuals. Requiring Attorney General notification creates accountability that did not previously exist in Michigan.
But it is a Timing mandate applied to a Measurement failure. Timing asks when things happen — cutoffs, lags, retroactivity, and notice. A 45-day requirement addresses the lag between discovery and disclosure. It does not address the condition that produced the lag: an organization that could not accurately count what had been taken.
You cannot notify people faster than you can count them. The five-month gap between HealthEC's breach and individual notification was not primarily a notification decision. It was a scope determination problem. HealthEC needed three months to complete its investigation — and still produced an initial count that required significant upward revision. A 45-day mandate, applied to that same measurement infrastructure, produces a faster notification of a wrong number.
The legislation, if passed, will help organizations in Michigan that are large enough to attract regulatory attention. It does not reach the director at a healthcare organization in one of the other states where no equivalent requirement exists. It does not require any vendor, anywhere, to demonstrate before contract signing that it has the internal architecture to know what it holds.
Environment: The Contract Was the Ceiling, Not the Floor
Environment asks where we are operating — constraints, norms, and power dynamics. In the HealthEC transaction, the environmental conditions were consistent across all three fictional organizations and all real HealthEC clients: a regulatory floor that required minimal vendor governance disclosure, a procurement norm that treated legal review as sufficient due diligence, and a power dynamic in which the vendor held all data visibility while the client held all downstream risk.
That power dynamic is not incidental. It is structural. When a director outsources analytical work his organization cannot staff, he is also outsourcing the data governance decisions that accompany it. The vendor becomes the de facto governor of data the client organization is legally responsible for. The contract, reviewed by legal and confirmed as compliant, becomes the ceiling of what the client thinks to ask — not the floor of what governance requires.
Meridian's legal team confirmed the contract was compliant. That confirmation was accurate and insufficient. Compliance with the regulatory floor is not a governance posture. It is the minimum required to avoid immediate penalty. The distance between that floor and the conditions that would have interrupted the HealthEC cost cascade is where vendor governance lives — and where most organizations are not looking.
Publish: The Settlement Was the Documentation
Publish requires formalizing decisions, tradeoffs, and changes across cycles — creating a record that makes governance visible and auditable before something goes wrong.
None of the HealthEC client organizations had documented what they had authorized HealthEC to hold on their behalf. None had a documented baseline of data categories, retention periods, or breach scope methodology that would have allowed them to respond quickly and accurately when the breach forced disclosure. The settlement corrective actions — notification requirements, credit monitoring commitments, regulatory compliance obligations — are precisely the documentation that a functioning Publish cycle would have produced proactively.
The litigation itself became the forced Publish event. Discovery requests exposed the absence of governance documentation. The gap between what was held and what was authorized became visible only because a court required it to be. For Meridian, that visibility cost $3 million. For Valley, it cost $800,000 to $1 million. For Centerpoint, the documentation already existed — not because a court required it, but because the governance cycle produced it annually.
When Publish is absent, decisions don't disappear. They accumulate. And when litigation arrives, the absence of documentation is itself evidence — not of what was decided, but of what was never examined.
What Centerpoint Did Differently
Centerpoint did not prevent the breach. It had no more ability to secure HealthEC's systems than Meridian or Valley did. What it did was structure the vendor relationship so that the consequences of a breach were governable before the breach occurred.
The ETHICMAP certification required before go-live documented what HealthEC held, how errors were tracked, what a breach scope methodology looked like, and who was notified in what sequence when suspicious activity was detected. That documentation did not live in HealthEC's systems. It lived in Centerpoint's governance record.
When the breach occurred, Centerpoint's response was not a pivot. It was an execution of a plan that already existed. The scope estimate arrived with an uncertainty range rather than a point estimate. The patient communication was drafted against a protocol rather than improvised under pressure. The regulatory posture was current rather than scrambled. The litigation found a governance record rather than a documentation gap.
Centerpoint's framework cost is documented and absorbed. Its settlement cost is zero. Its reputational position is neutral to positive in a moment when its peers are managing crisis communications. That outcome is not luck. It is the return on a governance investment made at contract signing, when the cost of making it was low.
The Legislation Answer and Why It's Incomplete
Michigan SB 360-364 is a meaningful step. If passed by the House, it would require notification to the Attorney General within 45 days of breach determination, expand the definition of personal data, and create accountability structures that did not previously exist. Thirty-seven other states already require Attorney General notification. Michigan's proposed legislation would bring it into alignment with national practice.
It would not require any vendor to demonstrate, before a contract is signed, that it has the internal architecture to know what it holds. It would not require any client organization to document what it has authorized a vendor to hold on its behalf. It would not reach the director at a healthcare organization in a state where no equivalent requirement exists — which is most states, for most organizations, making most procurement decisions today.
That director is making a risk decision without a risk framework. He knows the vendor is credentialed. He knows the contract is signed. He knows legal reviewed it. What he does not know — and has no structured mechanism to discover — is what governance architecture exists inside the vendor's systems for the data he just handed over. What is being measured. How errors are tracked. What a breach would look like at the row level and how long it would take to know.
He does not ask because he does not have the framework to know what to ask. The vendor does not volunteer it because there is no obligation to do so and because the conversation would slow the sale. The legislation being debated in Michigan will help at the notification end of the chain. It does not reach the procurement decision at the other end — which is where the cost curve is actually set.
Just As Long As It's Legal
The HealthEC breach will be studied as a cybersecurity case. It is also a procurement case, a governance case, a measurement case, and an environment case. The organizations that paid the most for it were not the ones who failed to secure the data. They were the ones who handed data to a vendor and had no structured way to know what happened to it next.
Meridian will renew its population health vendor contract with a new vendor. The procurement process will follow the same pattern. Legal will review the terms. The contract will be compliant. The governance window — the months between signing and the next breach — will be ungoverned again.
Valley is researching frameworks. The next contract is pending. The decision point is approaching. Whether Valley enters that contract with a governance posture or another SOC 2 report accepted as sufficient will determine which column of the next timeline it occupies.
Centerpoint will apply its certification requirement to the next vendor before data transfer is authorized. The governance cycle will run. The documentation will be current. If the next vendor is breached, Centerpoint's response will be an execution, not an improvisation.
The difference between those three outcomes is not regulatory. It is not the result of legislation that passed or didn't. It is the result of a decision made at contract signing, when the cost of making it correctly was low and the cost of getting it wrong was not yet visible.
A director at a healthcare organization in a state where none of this is required will make that procurement decision today or tomorrow or next quarter. He will confirm the contract is compliant. He will close the deal.
Just as long as it's legal. That is all he needs to know.
Until it isn't.
Meridian Health System, Centerpoint Regional Medical, and Valley Community Health are fictional composites created for illustrative purposes. The HealthEC breach dates, settlement allocation, and Michigan legislative anchors are real-world reference points. Sources: HIPAA Journal, BankInfoSecurity, ClassAction.org, Michigan Attorney General press releases, Michigan Senate Bill tracking.