The 2025 Workday & Salesforce Breach: A HIPAA Wake-Up Call for Vendor Management

More Than Just Another Tech Headline

The widespread 2025 data breach affecting users of Workday and Salesforce is far more than a distant technology problem; it is a critical and urgent case study for every healthcare provider, employer group health plan, health insurance agent, and Business Associate covered by HIPAA. This incident, which came from a compromised third-party vendor, serves as a powerful reminder of the hidden risks of connected software. This article will break down the attack, translating the technical details into actionable lessons on vendor management, Business Associate Agreements (BAAs), and the Common Agency Provision.

Anatomy of a Supply-Chain Attack: Deconstructing the Breach

A “supply-chain attack” is when hackers get into a company’s computer systems by going through one of its vendors or software providers. Instead of attacking the target directly, criminals find a weaker link in the chain, a smaller vendor with less robust security, to gain access. The 2025 Workday/Salesforce incident is a textbook example of this strategy, demonstrating how a security failure at one company can create a catastrophic ripple effect across hundreds of others.

The Key Players and Timeline

The attack unfolded over several months, involving a sophisticated hack and multiple technology vendors.

• The Attack: The strike relied heavily on social engineering tactics to deceive employees and gain initial access.
• The Point of Entry: The attack did not exploit a vulnerability in Workday or Salesforce software directly. Instead, between March and June 2025, attackers first compromised the GitHub account of Salesloft, a popular customer engagement vendor.
• The Attack Execution: From the compromised GitHub account, the attackers were able to enter Salesloft’s Drift AI chat agent platform. There, they successfully stole OAuth authentication tokens—digital keys that grant applications access to each other. Between August 8 and August 18, 2025, these stolen tokens were used to access and steal data from Salesforce. 
• The Discovery: Salesloft began revoking the compromised access on August 20, 2025. Workday, one of the many impacted organizations, became aware of the breach affecting its Salesforce platform on August 23, 2025.

The Scope and Impact

The consequences of this supply-chain attack were widespread, affecting some of the world’s most prominent technology and cybersecurity companies.

• Widespread Impact: Google’s Threat Intelligence Group reported being aware of over 700 potentially impacted organizations. High-profile victims included Workday, Palo Alto Networks, Zscaler, Cloudflare, and even Google itself.
• Data Compromised: From Workday’s Salesforce environment, the attackers stole business contact information, basic support case details, tenant-related information such as tenant and data center names, product and service names, training course records, and event logs. Crucially, Workday’s investigation, verified by a third-party forensics firm, found no evidence that the attackers accessed core customer information, contracts, order forms, or any attachments sent through support cases.
• Attacker’s Goal: The hackers’ primary objective was to harvest sensitive credentials from the stolen data. They were specifically searching for access keys for Amazon Web Services (AWS) and access tokens for the Snowflake cloud platform, which could be used to launch further attacks.

This incident, starting with a single compromised vendor, shows how interconnected systems create shared risk, a reality with profound implications for organizations governed by HIPAA.

The HIPAA Connection: Translating Cyber Risk into Compliance Imperatives

While the data stolen in this specific incident was primarily business contact information, the attack vector, a compromised third-party vendor, represents one of the greatest risks to Protected Health Information (PHI) today. For any organization covered by HIPAA, the technical details of this breach are less important than the compliance failures they expose. Understanding this connection is essential for protecting PHI, maintaining trust, and avoiding significant legal and financial liability.

The Business Associate Dilemma: Your Vendor Is Your Vulnerability

Under HIPAA, a Business Associate (BA) is any person or organization that performs services for a Covered Entity and has access to PHI. This includes a wide range of vendors, from IT providers and cloud storage companies to billing services and law firms.

In the context of this breach, a vendor like Salesloft or Salesforce would be considered a BA if it were used by an organization to process, store, or transmit PHI. This incident proves that inadequate security at a BA can lead directly to a data breach for the Covered Entities they serve. Under HIPAA, your security perimeter is not your firewall but every single vendor with (potential) access to your PHI. A vulnerability in their environment is a reportable breach in yours. Learn more about auditing BAs and the Common Agency Provision here.

Beyond the Handshake: The Critical Function of a Business Associate Agreement 

The primary tool for managing this shared risk is the Business Associate Agreement (BAA). A BAA is a legally binding contract that establishes the responsibilities of both the Covered Entity and the BA in safeguarding PHI. It is not a formality but a requirement for HIPAA Compliance. According to the Department of Health and Human Services (HHS), a robust BAA must include the following:

• Permitted Uses and Disclosures: Clearly define how the BA is allowed to use and share the PHI it receives.
• Required Safeguards: Outline the specific administrative, physical, and technical security measures the BA must implement to protect the data.
• Breach Notification Clause: Specify the timeline and method by which the BA must report any security incident or data breach to the Covered Entity. (Learn what to do after a HIPAA Breach here.)
• Subcontractor Agreements: Require the BA to enter into its own BAAs with any subcontractors it uses that will also have access to the PHI, extending the chain of responsibility.
• Audit Rights: Grant the Covered Entity the right to audit the BA’s security practices and HIPAA compliance.
• Liability and Indemnification: Address financial responsibility and legal liability in the event of a breach caused by the BA’s negligence.

Download our Free Business Associate (Subcontractor) Checklist!

“Their Breach Is Your Breach”: Demystifying the Common Agency Provision

The legal stakes of vendor failure are made explicit by the Common Agency Provision (45 CFR § 160.402) of the HIPAA regulations. This rule establishes that a Covered Entity can be held liable for the HIPAA violations of its BAs, a concept best understood as “liability by association.” 

Simply signing a BAA does not mean the Covered Entity has no responsibility to protect PHI.

If a breach like the Workday incident were to expose  PHI, the affected Covered Entities could face significant fines and corrective action plans from the Office for Civil Rights (OCR) due to their vendor’s security failures. This underscores the need for continuous oversight, not just a one-time contract signing.

Understanding these risks is the first step; the next is to take concrete, preventative action to build a more resilient defense.

From Reaction to Resilience: A Proactive Defense Strategy

The lessons from the Workday/Salesforce incident provide a clear roadmap for strengthening defenses against the sophisticated, multi-stage attacks that define the modern threat environment.

Mandate Annual Security Risk Assessments

The HIPAA Security Rule mandates regular security risk assessments, not as a compliance checkbox, but as a critical, proactive tool for identifying and neutralizing threats before they result in a breach. This process must go beyond a simple checklist to actively identify, prioritize, and mitigate vulnerabilities across your organization. A proper assessment would analyze the very risks exploited in this hack, including the dangers posed by third-party application integrations, poorly configured access permissions, and potential gaps in vendor security.

To learn more, see our blog on The Importance of a Risk Assessment.

Implement a Robust Vendor Management Program

A vendor management program must extend far beyond signing a BAA. It requires active and ongoing oversight of your entire software supply chain.

1. Conduct Due Diligence: Evaluate the security and privacy policies of any potential BA before granting them access to your systems or data. Go beyond asking for certifications. Demand to see their policy on third-party application integrations within their critical systems, software supply chain, and their process for vetting and monitoring their subcontractors.
2. Audit Connected Applications: Consistently review all third-party application integrations within your core software, such as your Electronic Health Record (EHR) or Customer Relationship Management (CRM) platform. Scrutinize the permissions granted to each application, ensuring they follow the principle of least privilege—granting only the minimum access necessary for the application to function.
3. Enforce Access Controls: Implement technical safeguards to limit the avenues for unauthorized access. This includes restricting access to your systems from named IP ranges and blocking or challenging logins that originate from unexpected geographic locations. Learn more about Access Control here.

Strengthen the Human Firewall

The broader attack relied heavily on social engineering and voice phishing (“vishing”), where attackers convincingly impersonate IT or HR staff over the phone, often targeting employees in English-speaking branches of global companies. The employees are then guided to authorize a malicious application, sometimes a modified version of Salesforce’s own Data Loader, which grants the attackers direct access. This highlights that humans are often the weakest link in the security chain. https://www.totalhipaa.com/building-a-culture-of-compliance/

• Ongoing Employee Training: All staff, including full-time employees and contractors, must be educated on how to identify sophisticated phishing and vishing attempts. Training should be regular and include real-world examples.
• Establish Clear Protocols: Empower employees to refuse requests for sensitive information or system access over the phone, no matter how convincing or urgent the request seems. Create a clear protocol for verifying such requests through a separate, trusted communication channel.
• Mandate Multi-Factor Authentication (MFA): Reinforce that MFA is an essential, non-negotiable security layer. It requires users to provide two or more verification factors to gain access to a resource, making it significantly harder for attackers to succeed even if they steal a password.

The Shared Responsibility for Data Security

The 2025 Workday/Salesforce breach is a powerful reminder that in today’s interconnected world, security is a shared responsibility. Relying solely on a vendor’s built-in protections or contract is a critical and costly mistake. The integrity of your data is only as strong as the weakest link in your supply chain. Let this incident be a lesson for every organization that handles sensitive data to immediately review its vendor relationships, audit its BAAs, and reinforce the security training and technical protocols that form the foundation of a truly powerful compliance program.

HIPAA compliance is not a one-time task but a continuous process that evolves with your organization and new technology. By following these steps and fostering a culture of compliance, you can protect sensitive information, build trust, and confidently navigate the complex regulatory environment.