• Helping you with HIPAA Security Solutions.
  • Call Us (631) 403-6687
  • Office HrsMon - Fri: 9.00am to 5:00pm
Log InSign Up

Trust Is Not a Control: Vendor Vetting Requires Proof, Not Promises

Trust Is Not a Control: Vendor Vetting Requires Proof, Not Promises
  • May 11, 2026
  • By justina
  • 0 Comments

Trust Is Not a Control: Vendor Vetting Requires Proof, Not Promises

by Justina DeBruzzi, Client Services Support at TLD Systems

With the inception of the world wide web and storing patient information electronically, offices have had to trust software vendors, cloud services, and third-party partners with their most sensitive information — ePHI.

But trust alone is not a control.

One of the clearest recent examples came from the Federal Trade Commission’s action against GoDaddy, one of the world’s largest website hosting providers. In January 2025, the FTC alleged that GoDaddy failed to implement reasonable security protections despite marketing its services as secure and reliable.

The case is an important reminder for every healthcare practice that you cannot assume your vendors are doing things properly. You must verify and request proof, not promises.

Many practices unintentionally treat software vendor relationships as an exercise in trust. A vendor says they follow best practices, claims they are secure, or advertises “enterprise-grade protection,” and the conversation ends there.

That approach creates dangerous blind spots.

According to the FTC complaint, GoDaddy allegedly failed to implement several foundational security practices over multiple years, including:

- Asset inventory and software management

- Proper risk assessments

- Security logging and monitoring

- Network segmentation

- Adequate multi-factor authentication controls

 

These are not advanced or experimental cybersecurity concepts. These are baseline controls expected in modern security programs.

Yet millions of businesses trusted the platform with websites, customer information, and online operations.

Risk analysis cannot rely on assumptions.

If your software vendors fail to secure their environment, your practice and more importantly your patient's information is inherits risk too.

The FTC alleged that GoDaddy’s security failures contributed to multiple breaches between 2019 and 2022, allowing attackers unauthorized access to customer websites and data. Some users were reportedly redirected to malicious websites as a result.

This demonstrates a critical reality of vendor management: A third-party weakness can quickly become your incident, your outage, your regulatory issue, and your reputational damage.

TLD Systems provides our clients with the often overlooked questions to ask and information needed from your vendors to ensure they are following best practices to protect your office and your patients information.

For more please, contact us at:

Website : https://www.tldsystems.com
Email : info@tldsystems.com
Phone  (631) 403 6687

Tags: HIPAACybersecurityePHI
justina

Justina

Read Comments

Add Your Comment