Incident that exposed emails to a PayPal scam once again highlights the persistent nature of third-party security risk.

A Utah eye clinic is in the process of informing 20,000 patients that they were the victims of a data breach that happened a year and a half ago and linked patients to a scam involving PayPal.

The breach at the Utah Valley Eye Center in Provo, Utah, that exposed patient emails once again highlights third-party risk in terms of data security. It also sheds light on the added requirements of medical providers under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when data breaches occur.

In the incident, which occurred on June 18, 2018, hackers accessed the center’s third-party portal that reminds patients of scheduled appointments, according to a letter dated Oct. 31 the center sent to patients. This resulted in emails being sent to a number of patients informing them they had received payment from PayPal, the center said.

Utah Valley Eye Center outsources its patient-scheduling reminder service to DemandForce, a San Francisco-based provider of marketing and customer-service cloud-based solutions.

“When informed of this letter, we immediately sent an email to these recipients notifying them to disregard the erroneous email,” according to the letter.

Center administrators believe that hackers only gained accessed to patient emails in the breach, though information such as names, addresses, dates of birth and phone numbers “could have been accessed,” according to the letter.

However, what’s certain is that attackers did not gain access to any personal health or financial information, the center assured patients.

Utah Valley Eye Center worked with DemandForce to better secure the system that was breached, as well as updated internal policies and procedures regarding its use of the third-party system to help remedy the situation.

Still, the scenario is yet another example of persistent third-party security risk, which has become a key factor leading to major data breaches that can affect millions of people worldwide. In 2017, for example, a third-party partner exposed data belonging to 14 million customers of the mobile service provider Verizon.

Moreover, though organizations are aware of the problem, it only seems to be getting worse. A report released a year ago by the Ponemon Institute found that 61 percent of U.S. companies said they experienced a data breach caused by one of their vendors or third parties, a number representing a 5 percent increase over what was reported in the study the year before.

The study also found that more than 75 percent of the 1,000 CISOs in the United States and United Kingdom polled believe that third-party cybersecurity incidents are on the rise, even as 22 percent of respondents admitted that they didn’t even know if they’d had a third-party breach or not in the 12 months prior.

In this case, the Utah Valley Eye Center not only had third-party risk to contend with, but also U.S. health regulations. In line with HIPAA, administrators said they reported the incident to the Department of Health and Human Services (HHS), even though no personal medical information was accessed.

Indeed, data breaches that occur at HIPAA-compliant medical providers require that they inform HHS of the nature and extent of the breach; the unauthorized person or persons who accessed the information, if known; whether protected health information was viewed; and the extent to which risk to this information has been mitigated.

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join an expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.