The Oncology Institute Confirms Unauthorized Access to Systems Due to Vendor Breach
The Oncology Institute, a publicly traded provider of cancer care through more than 100 clinics in California, Oregon, Nevada, Arizona, and Florida, has recently confirmed that patient data was potentially accessed by an unauthorized third party as a result of a security incident at one of its vendors.
In a November 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC), The Oncology Institute said that it determined on November 3, 2025, that a cybersecurity incident at one of its information technology software providers would potentially delay fee-for-service collections. At the time of the notice, The Oncology Institute said its vendor was unable to confirm whether patient data had been accessed in the attack, and that at the time of issuing the filing, it was unaware of any unauthorized access to patient data as a result of the incident, but the investigation into the incident was ongoing.
In an updated SEC filing, the Oncology Institute said further information has come to light indicating that certain Oncology Institute systems were subject to unauthorized access by a third party as a result of the incident, including systems containing patient data. Kroll, the third-party administrator for the vendor, had made that determination and notified the Oncology Institute on May 20, 2026.
The Oncology Institute said it is working with its vendor to provide complimentary credit monitoring and identity theft protection services to the affected individuals. At the time of issuing the SEC filing on May 20, 2026, The Oncology Institute said the cybersecurity incident had not had a material impact on the company’s operations, financial systems, or the quality of care provided to patients. The Oncology Institute has yet to publicly disclose the types of data potentially compromised in the incident.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The Oncology Institute provides cancer care to around 2 million patients. It is currently unclear how many of those patients have been affected by the incident. The Oncology Institute has not disclosed the name of the vendor that experienced the cybersecurity incident, although certain media outlets have suggested that the vendor was TriZetto Provider Solutions, which experienced a major data breach last year affecting many of its healthcare provider clients.
