Oncology Institute says third-party vendor breach compromised patient data

Cancer treatment provider The Oncology Institute said the information of its patients was compromised in 2025 during a security incident affecting a third-party software services provider.

 

The U.S.-based cancer treatment centre said in a regulatory filing with the U.S. Securities and Exchange Commission that the cyber security incident, which took place last year and affected a third party software services provider, compromised the personal information of its patients.

 

Headquartered in Cerritos, California, The Oncology Institute provides specialised cancer care through a network of more than 100 clinics in California, Oregon, Nevada, Arizona and Florida. The Centre provides comprehensive cancer treatment options, blood transfusion, lab testing, in-house dispensary, clinical trials, financial counselling and end-of-life counselling services.

 

The Institute first announced the cyber security incident in an 8K filing with the U.S. SEC on November 3, 2025. It said that a cyber security incident affecting a third-party software vendor had affected and delayed fee-for-service collections.

 

Without naming the vendor, TOI said the information technology vendor had initiated an investigation into the cyber security incident and at the time, did not have any evidence to indicate that the incident had compromised patients’ personal or healthcare information.

 

In its latest filing with the SEC, TOI said that on May 20, it learned from Kroll, the software vendor’s third-party administrator, that the cyber security incident enabled threat actors to access some of its information systems, including systems that stored patients’ information.

 

"Because of the Company’s technology security and continuity plan, the Company worked swiftly in response, and its operations have continued in all material respects since the detection of the incident," The Institute said.  "The Company remains committed to protecting the healthcare and other personal information of its patients and will work with the Vendor to offer credit monitoring and protection to all impacted patients."

 

The Oncology Institute is yet to share the number of patients whose information was compromised during the cyber security incident. The company is also yet to share whether the compromised information contained only patients’ personal information or their healthcare information as well.