The reassuring part that reassures people too early
The software comes back on.
Everyone breathes out. That does not mean the problem is over. An EHR vendor may restore access to its platform and still leave the practice with the harder questions:
- Was PHI exposed?
- Who needs notice?
- What did downtime cost?
- Who talks to patients?
- Who pays for counsel, forensics, and cleanup?
The vendor may fix the software.
The practice may still own the event. That is the cloud-computing hangover. The platform lives somewhere else, but the patients, phones, schedule, billing, and HIPAA response are still sitting right inside the practice. The vendor may be restoring software while the office is explaining delays to real people.
The cloud did not move the waiting room. If you want the broader frame first, start with Healthcare Practices and Cyber & Modern Operational Risk.
What is really going on
Most vendor contracts are built around the vendor’s service. They may promise things like uptime, technical support, restoration of the hosted environment, or limited indemnity if the vendor clearly caused the breach and the contract says so.
Vendor service is different from practice-level cyber protection. The practice still owns the patient relationship. The practice still has to deal with scheduling, chart access, billing, patient communication, HIPAA response, and office-level downtime.
That is the gap. People hear “the vendor has cyber” and translate it into “we are covered.” Those are not the same sentence.
Where the vendor usually stops
Think of it this way:
- The vendor covers their system.
- You cover your practice.
If the hosted platform goes down, the vendor may focus on restoring the platform. You are handling:
- rescheduled patients
- front-desk confusion
- billing delays
- payroll for a less productive day
- outside IT or forensics if facts are unclear
- breach counsel if PHI may be involved
- notice and patient support if required
That division is common enough that it should be your default assumption until the contract proves otherwise.
Where the practice bill starts to stack
A small practice does not need a giant hospital event to spend real money. Say 1,500 patient records are involved. If notice and support run $8 to $15 per person, that is roughly $12,000 to $22,500.
Add outside forensics and counsel. That can add another $15,000 to $40,000 depending on how messy the facts are. Then add two or three disrupted days of scheduling, charting, and billing.
That is how “the vendor is handling it” turns into “why are we still paying all these bills?”
What people get wrong
The mistakes start with the wrong question. People focus only on whether the vendor got hacked.
The more ordinary path is phishing. An attacker gets into an inbox, resets access, pivots into a cloud app, and suddenly the event touches patient data. That may be your credential problem inside their system.
They assume HIPAA cost means only fines. Often the first dollars are counsel, forensics, notice, patient communication, and downtime.
They assume a package policy quietly handles everything. Sometimes a cyber endorsement helps. Sometimes it is a small sublimit with short legs. Read Standalone Cyber vs. BOP Cyber Endorsements for Small Healthcare Practices for that decision.
Simple decision rule
If the vendor agreement mostly promises software restoration, support response, or service credits, do not treat that as practice-level cyber protection. Treat it as vendor protection. Then ask what pays for your forensics, counsel, patient notice, and downtime.
Next step
Put the vendor agreement and cyber coverage summary side by side. The missing piece usually shows itself quickly.
Minnesota note: in smaller Twin Cities practices, one outage can tie up the same person who handles phones, billing, and vendor coordination. Assuming the vendor owns everything is like assuming the city plowed your storefront step because the street looks clean.