Compliance & Security, 5 min read

Healthcare IT Due Diligence: Why the SOC 2 Report Lies and the Database Tells the Truth

A clean HIPAA binder hides a $9.77M breach risk. The exact technical checks PE buyers must run on a healthcare IT target before they wire the funds.

Figure 01: Private Equity executive reviewing a healthcare due diligence report on a tablet, with red flag indicators overlaying a server room background
Answer summary

Best fit: Industry: Healthcare IT. Function: Compliance
Operating path: Compliance & Security -> Turnaround & Restructuring -> Turnaround & Restructuring Services
Key metric: $9.77M average cost of a healthcare breach (2024)

The compliant company that wasn't

A founder slides a tablet across the table. SOC 2 report, current. HIPAA policy manual, 140 pages. A signed letter from an auditor with the word "compliant" in it. Everyone in the room exhales. Then someone on the diligence side asks to see how a developer connects to the production database to fix a bug at 2am — and the answer is a shared root password, taped inside a Slack channel, that nobody has rotated since the last engineer who knew it quit in 2022.

That gap is the entire game in healthcare IT diligence. The paperwork describes a company that doesn't exist. The infrastructure describes the one you're actually buying. And in this sector, the price of the mismatch is brutal: IBM's 2024 Cost of a Data Breach Report puts the average healthcare breach at $9.77 million — the highest of any industry, year after year, and roughly double the cross-industry average. The same report finds the typical breach takes 292 days to identify and contain. That is not an incident you patch over a weekend. That is most of a fiscal year spent bleeding while your value-creation plan sits untouched.

Here is what makes healthcare different from a generic software carve-out. In most SaaS, a breach is an embarrassment and a churn event. In healthcare, every patient record is a regulated asset with a federal enforcement body attached, and the liability follows the entity through the change of control. You are not just buying recurring revenue. You are buying a standing population of protected health information, and the question that decides your return is whether the previous owner treated that population like an engineering responsibility or a compliance costume.

OCR stopped chasing lost laptops

The enforcement pattern has moved, and most sellers haven't noticed. Walk through the HHS Office for Civil Rights resolution agreements and you'll see the recurring citation isn't the breach itself — it's the failure to conduct an accurate, organization-wide risk analysis before anything went wrong. OCR is penalizing the absence of a discipline, not just the bad luck of an attack. A target may never have been breached and still be carrying a six-figure latent penalty because it never honestly mapped where its PHI lives. The HIPAA Journal breach record shows the volume climbing every year; the regulator is responding by making "we didn't know" an aggravating factor, not an excuse.

So when I run technical diligence on a healthcare asset, I close the policy binder and open the infrastructure. Five findings show up over and over, and each one maps to real dollars:

  • The phantom risk analysis. Ask for the most recent risk analysis and the date it was completed. If it's a vendor template with the company name swapped in, or it predates the last major architecture change, you've found OCR's favorite violation sitting in the data room.
  • Unencrypted PHI at rest. The EHR or claims platform was built a decade ago, before transparent encryption was default. Encrypting a multi-terabyte production database after close isn't a config flag — it's a migration with downtime risk on a system clinicians use during patient care.
  • Tracking pixels behind the login wall. This is the healthcare-specific landmine. A marketing team drops a Meta or analytics pixel on the patient portal, and now PHI is flowing to an ad platform. The class actions on exactly this are active and expensive — you can buy a lawsuit that hasn't been filed yet.
  • BAAs that don't cover the stack. The target swears it's compliant, but trace every vendor that touches a patient record. The transcription API, the notification service, the support-ticket tool — each one ingesting PHI without a Business Associate Agreement is an unsigned liability the seller forgot they created.
  • Access that outlived employment. Termination policy: airtight. Reality: three former employees with live VPN credentials and no MFA. In 2025, an internet-facing remote-access point without MFA isn't a risk — assume it's already compromised and price accordingly.

None of these are IT tickets. They are technical debt with a dollar figure, and that figure belongs in your model before you sign anything.
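Three of the five findings above can be tested mechanically against artifacts the data room should already contain: a saved HTML capture of an authenticated patient-portal page (tracking pixels), an export of remote-access accounts (access that outlived employment, missing MFA), and the vendor inventory (BAA coverage). The script below is an added example written for this article, not tooling from the author or any named vendor. The hostnames, user names, vendor names and dates are constructed samples; the first-party host list and the tracker-domain suffixes are assumptions you would replace with the target's own inventory and CSP.

```python
"""Diligence evidence checks for a healthcare IT target (added example; all inputs constructed)."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts of the target's patient portal.
FIRST_PARTY_HOSTS = {"portal.example-health.test", "static.example-health.test"}
# Domain suffixes of common ad/analytics platforms (assumed list; extend from a real scan).
KNOWN_TRACKER_SUFFIXES = ("facebook.net", "facebook.com", "google-analytics.com",
                          "googletagmanager.com", "doubleclick.net", "hotjar.com")


class ThirdPartyLoadFinder(HTMLParser):
    """Collect every resource (script, img, iframe, stylesheet) a page loads."""
    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if tag in ("script", "img", "iframe", "link") and url:
            self.loads.append((tag, url))


def find_third_party_loads(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Finding: tracking pixels behind the login wall. Returns external loads on an authenticated page."""
    parser = ThirdPartyLoadFinder()
    parser.feed(html)
    findings = []
    for tag, url in parser.loads:
        host = urlparse(url).hostname          # handles absolute and scheme-relative (//host/...) URLs
        if not host or host in first_party_hosts:
            continue                           # relative or first-party: no disclosure path
        known = any(host == s or host.endswith("." + s) for s in KNOWN_TRACKER_SUFFIXES)
        findings.append({"tag": tag, "host": host, "known_tracker": known})
    return findings


def stale_remote_access(accounts, today):
    """Finding: access that outlived employment. Flags live VPN access for leavers and any VPN user without MFA."""
    flagged = []
    for acct in accounts:
        reasons = []
        if acct["vpn_enabled"] and acct["terminated_on"] and acct["terminated_on"] < today:
            reasons.append("terminated-but-active")
        if acct["vpn_enabled"] and not acct["mfa_enrolled"]:
            reasons.append("no-mfa")
        if reasons:
            flagged.append((acct["user"], reasons))
    return flagged


def vendors_without_baa(vendors):
    """Finding: BAAs that don't cover the stack. Any PHI-touching vendor with no signed BAA."""
    return sorted(v["name"] for v in vendors if v["handles_phi"] and not v["baa_signed"])


# Constructed sample: an authenticated lab-results page as a marketing team might have left it.
SAMPLE_PORTAL_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://static.example-health.test/vendor.js"></script>
<script async src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<link rel="stylesheet" href="https://static.example-health.test/portal.css">
</head><body>
<h1>Your lab results</h1>
<img src="https://cdn.example-vendor.test/chat-widget.png" alt="">
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=XXXX&ev=PageView"></noscript>
</body></html>
"""

# Constructed sample: remote-access export joined with HR termination dates.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "terminated_on": date(2022, 8, 31), "vpn_enabled": True, "mfa_enrolled": False},
    {"user": "asmith", "terminated_on": None, "vpn_enabled": True, "mfa_enrolled": True},
    {"user": "contractor7", "terminated_on": None, "vpn_enabled": True, "mfa_enrolled": False},
    {"user": "rlee", "terminated_on": date(2024, 1, 15), "vpn_enabled": False, "mfa_enrolled": True},
]

# Constructed sample: vendor inventory (names are invented).
SAMPLE_VENDORS = [
    {"name": "CloudEHR Hosting", "handles_phi": True, "baa_signed": True},
    {"name": "TranscribeAPI", "handles_phi": True, "baa_signed": False},
    {"name": "NotifyGrid SMS", "handles_phi": True, "baa_signed": False},
    {"name": "DeskTickets", "handles_phi": True, "baa_signed": False},
    {"name": "PayrollCo", "handles_phi": False, "baa_signed": False},
]


def run_diligence_checks(html=SAMPLE_PORTAL_HTML, accounts=SAMPLE_ACCOUNTS,
                         vendors=SAMPLE_VENDORS, today=date(2025, 6, 1)):
    """Bundle the three checks into one data-room summary."""
    pixels = find_third_party_loads(html)
    return {
        "third_party_loads": pixels,
        "known_trackers_behind_login": sum(1 for f in pixels if f["known_tracker"]),
        "stale_or_weak_remote_access": stale_remote_access(accounts, today),
        "phi_vendors_without_baa": vendors_without_baa(vendors),
    }


if __name__ == "__main__":
    for key, value in run_diligence_checks().items():
        print(f"{key}: {value}")
```

Each flagged item maps to a line in the remediation estimate: the known-tracker count is the pixel exposure you price as a pending class action, the access list is the MFA and offboarding work for the first 100 days, and the vendor list is the set of BAAs the seller must sign or the integrations that must be cut before close.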

Figure: Cost of data breaches by industry, with healthcare as the highest bar at $9.77M

Turn the findings into purchase-price math

A diligence report nobody can translate into deal terms is just expensive reading. Here's how a healthcare finding becomes leverage at the table.

Price remediation as debt, not roadmap. The seller will frame encryption and logging as "things we were going to do anyway." Don't accept that framing. If the platform isn't compliant on close day, the cost to make it compliant is a debt-like item that comes off the enterprise value dollar-for-dollar. Say the team scopes $500K to encrypt the database and segment the network, plus $200K to stand up audit-grade logging — that's $700K off the price, not a line in next year's budget. Our technical debt quantification approach exists to make that argument survive a seller's pushback.

Demand technical-specific indemnification. Standard reps and warranties insurance routinely excludes known, pre-existing conditions — and your own diligence report just made the MFA gap a known condition. If a credential-stuffing attack hits in month three through that exact hole, your generic policy may decline the claim. Negotiate seller indemnification carved out specifically for the technical remediation items your report flagged, with a survival window that covers at least the first 12 months post-close.

Spend the first 100 days locking, not planning. Forget the 12-month roadmap. Run a security posture assessment in week one, then have your security lead do three things and nothing else first: enforce MFA on every access path, move backups to immutable storage so ransomware can't reach them, and segment the network so one compromised box doesn't expose the whole PHI store. Everything else waits.

The math is simple and unforgiving. The highest multiples in healthcare go to assets that can demonstrate security as an engineering practice, not a binder. Find the gap in diligence and you price the risk. Miss it, and you've quietly agreed to fund someone else's neglect out of your own returns.

Sources
  1. IBM Security, Cost of a Data Breach Report 2024
  2. HHS Office for Civil Rights (OCR), Resolution Agreements & Civil Money Penalties
  3. HIPAA Journal, Healthcare Data Breach Statistics