Stanford Hospital in California experienced a breach in which a spreadsheet of patient data was posted to the internet.
Upon investigation, the breach was traced to a subcontractor of one of its vendors, Multi-Specialty Collection Service. The chain of custody ran as follows: Stanford Hospital contracted with Multi-Specialty Collection Service; Multi-Specialty Collection Service employed a subcontractor; that subcontractor was responsible for the breach.
So even with the best possible HIPAA plans and procedures in place, a covered entity such as Stanford Hospital can experience a breach. While there is no requirement to confirm that a Business Associate is complying with the privacy and security requirements, it is probably not a bad idea to complete due diligence: check on your vendors to ensure they are employing good practices, and ask them which subcontractors they are sharing your data with.