Your most sensitive data is probably sitting at a company you’ve never heard of. Not your bank. Not your hospital. A vendor they hired. You can’t audit them. You don’t have a relationship with them. When something goes wrong, they’re not the ones calling you.
This week made that point twice, in two different industries.
Springfield Hospital notified the Massachusetts AG on April 10: an email account compromise exposed names, dates of birth, Social Security numbers, reasons for visits, treating physicians, and medical record numbers. They’d known since February 10. Two months between internal discovery and patient notification. Legally within bounds. That’s about the nicest thing you can say about it.
In financial services: Lapsus$ claimed a breach against Axcera rated at 85/100 severity. RCI Hospitality Holdings disclosed separately. And customers of more than 700 community banks and credit unions were still receiving breach notifications from a ransomware attack that hit vendor Marquis back in August 2025. Eight months old. Still generating notifications because when one vendor serves 700 institutions, one breach produces hundreds of notification waves across months.
There’s no single attacker behind all of this. What there is: a structural condition where the organizations you trust are dependent on vendors you don’t know about, and those vendors hold your data. The notification you eventually receive is usually the first signal you get that anything went wrong – and the exposure window is already months old by then.
What to do if you’re affected, and what this means if you’re in a security role