Phishing attack hits cancer care providers, exposing personal data of over 46,000 patients

A sophisticated phishing attack has compromised sensitive personal and medical information of more than 46,000 patients across several cancer care providers affiliated with the Integrated Oncology Network (ION), the organization confirmed.

The cybersecurity incident, which took place between December 13 and December 16, 2024, involved unauthorized access to a limited number of employee email and SharePoint accounts. ION described the breach as the result of a “sophisticated phishing attack,” with evidence suggesting that threat actors may have initially targeted email systems for phishing purposes before expanding access to additional platforms.

An immediate response was launched upon discovery, including securing compromised accounts and engaging forensic experts to investigate the nature and scope of the breach. The investigation determined that several of the accessed accounts contained protected health information (PHI), including patient names, addresses, dates of birth, Social Security numbers, financial account details, health insurance and claims information, diagnoses, lab results, medications, treatment records, and provider information.

ION stated that, although no evidence has been found indicating misuse of the compromised data, all affected individuals have been offered complimentary services including credit monitoring, identity restoration, and dark web monitoring as a precaution. Notification letters were sent to the impacted oncology physician practices on June 13, 2025, with individual patient notifications beginning on June 27, 2025.

The breach has been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR), and entries related to the affected practices have begun to appear in the agency’s breach portal. The total number of individuals impacted stands at 46,052 across 11 cancer care providers.

Among the hardest hit were Rocky Mountain Oncology Care with 10,268 individuals affected, e+ Oncologics Louisiana with 8,270, and California Cancer Associates for Research and Excellence in Fresno with 7,670. Other affected facilities include PET Imaging locations in Texas and Oklahoma, Mojave Radiation Oncology Medical Group, South Georgia Center for Cancer Care, Acadiana Radiation Therapy, and the Cancer Care Center of North Florida in Lake Butler.

In response to the breach, ION has implemented enhanced cybersecurity measures and is providing additional phishing awareness training to its workforce to mitigate the risk of similar attacks in the future.