Nsight Blog | Ncontracts

July 2026 Vendor Management News

Written by Ncontracts | Jul 2, 2026 12:00:05 PM

Vendor breaches, regulatory shifts, and the governance gaps in between. Here's what happened this month in third-party risk management news.

Financial institutions are legally accountable for what their vendors do with customer data. Outsourcing a function doesn't outsource the liability that comes with it — a principle that runs through GLBA Safeguards Rule requirements, state privacy laws, and open banking obligations under Part 1033. Vendor contracts need to do more than check a compliance box: they should specify permitted data uses, require breach notification within 24–48 hours, include audit rights, and address AI governance for any vendor using automated decision-making. Fourth-party risk also warrants explicit contract language requiring vendors to disclose and flow down obligations to their own subcontractors.

A phishing attack on a healthcare AI vendor exposed 1.4 million patient records. Xsolis, which provides AI-powered utilization management to hospitals and health insurers, was breached through a single phishing email, exposing Social Security numbers, health insurance details, and medical treatment records across seven major hospital systems including Mayo Clinic. At least one organization — Rochester Regional Health — had ended its relationship with Xsolis in 2021, yet its patient data was still in scope at the time of the breach. Most of the 1.4 million affected had no idea the vendor held their information at all. Third-party vendor incidents now account for 58% of all healthcare data breaches, and this case is a concrete reminder that data deletion at offboarding is a risk control, not an administrative afterthought.

The Klue breach reached LastPass customer data. Attackers used OAuth tokens stolen from Klue to access LastPass's Salesforce environment, exposing customer names, contact details, and support case records. Password vaults were unaffected, but the stolen data is enough to fuel targeted phishing. Fourth-party risk in practice: a vendor relationship several steps removed still produced direct customer harm.

The NAIC got breached — and insurance companies are still feeling it. Attackers exploited a vulnerability in the National Association of Insurance Commissioners’ Oracle systems for two weeks before a patch existed, accessing statutory financial reporting data and credit rating information. Credit rating agencies have since paused their data feeds to the NAIC, and insurer investment designation assignments remain suspended — a process that could take months to restore. No personally identifiable information or state department systems were affected, but the incident is a reminder that regulators are targets too, and that third-party software vulnerabilities can create operational disruptions well beyond the initial breach.

A vendor breach just cost a crypto platform $3 million. Attackers breached a third-party vendor supplying frontend code to Polymarket, one of the world's largest crypto prediction markets, and injected a malicious script that tricked users into approving fraudulent transactions on what appeared to be the legitimate site. Polymarket's own infrastructure was untouched. The company is reimbursing all losses, but the incident is a useful reminder to reassess which vendor relationships are in scope for security oversight — a dependency that touches the user interface is a dependency that can touch user funds.