Exposure of The Oncology Institute Patients’ Data Linked to Third-Party Vendor Breach

The Oncology Institute confirmed that patient data was potentially accessed after unauthorized access to its systems, stemming from a cybersecurity incident at a third-party vendor that affected healthcare data processing and related services.

SEC Filing Disclosure and Initial Incident Findings

The Oncology Institute, a publicly traded cancer care provider operating more than 100 clinics across California, Oregon, Nevada, Arizona, and Florida, reported a cybersecurity incident involving one of its information technology software providers in a November 3, 2025 filing with the U.S. Securities and Exchange Commission.

The filing stated that the incident was identified on November 3, 2025, and involved a vendor security event that could delay fee-for-service collections. At that time, the vendor had not confirmed whether patient data had been accessed. The Oncology Institute also stated that it was not aware of unauthorized access to patient data at the time of the initial disclosure, while the investigation remained ongoing.

Updated Investigation Findings

An updated SEC filing reported that additional findings indicated unauthorized access to certain Oncology Institute systems occurred as a result of the vendor-related incident. The accessed systems included environments containing patient data.

Kroll, acting as the third-party administrator for the vendor, identified unauthorized access and notified The Oncology Institute on May 20, 2026. The updated filing reflects that the investigation found system-level access involving data environments used in healthcare operations.

Scope of Data Exposure and Patient Impact

The Oncology Institute, a HIPAA-covered entity, has not disclosed the specific types of patient data potentially impacted by the incident. The organization also has not confirmed how many individuals may have been affected. The Oncology Institute provides approximately 2 million patients with cancer care services.

The Oncology Institute has not publicly disclosed the identity of the vendor that experienced the data security incident. Certain media reports have indicated the vendor may be TriZetto Provider Solutions, which previously suffered a large-scale data breach affecting healthcare provider clients. This attribution has not been formally confirmed by The Oncology Institute.

Operational and Financial Impact Statement

At the time of the May 20, 2026 SEC filing, The Oncology Institute reported that the cybersecurity incident had not materially affected company operations, financial systems, or the delivery of patient care. The organization stated it continues to coordinate with its vendor in response to the incident.

The Oncology Institute also stated that it is arranging complimentary credit monitoring and identity theft protection services for individuals potentially impacted by the unauthorized access.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.