The Oncology Institute Discloses Data Breach Linked to Third-Party Vendor
The Oncology Institute Inc., a California-based healthcare provider, recently confirmed a data breach involving an unnamed third-party software vendor. The incident was first reported to the U.S. Securities and Exchange Commission (SEC) on November 6, 2025, with an initial filing indicating an ongoing investigation by the vendor. At the time, no evidence of compromised patient data had been confirmed.
However, on May 20, 2026, the company filed an updated disclosure classifying the breach as a material cybersecurity event. Kroll, a third-party administrator assisting the vendor, notified The Oncology Institute that unauthorized access had been detected in systems containing patient data. While the exact types of exposed information such as medical records, personal details, or financial data were not specified, the filing acknowledged that "healthcare and other personal information" of patients was affected.
The breach extended beyond The Oncology Institute, impacting additional unnamed healthcare providers that relied on the same vendor. The total number of affected individuals remains undisclosed.
In response, The Oncology Institute stated that its security and continuity plans allowed operations to continue without material disruption. The company plans to collaborate with the vendor to offer credit monitoring and protection services to impacted patients, though details on enrollment and the provider have not been released. The vendor has also established a patient portal for incident-related inquiries, though its web address was not included in the filing.
Source: https://www.claimdepot.com/data-breach/oncology-institute-2026
Censinet cybersecurity rating report: https://www.rankiteo.com/company/censinet
"id": "CEN1780640965",
"linkid": "censinet",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Healthcare',
'location': 'California, USA',
'name': 'The Oncology Institute Inc.',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'type': 'Healthcare Provider'}],
'attack_vector': 'Third-Party Vendor Compromise',
'customer_advisories': 'Credit monitoring and protection services to be '
'offered',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Healthcare information',
'Personal information']},
'date_detected': '2025-11-06',
'date_publicly_disclosed': '2026-05-20',
'description': 'The Oncology Institute Inc. disclosed a data breach involving '
'an unnamed third-party software vendor. Unauthorized access '
'was detected in systems containing patient data, affecting '
'The Oncology Institute and additional unnamed healthcare '
'providers. The breach exposed healthcare and other personal '
'information of patients.',
'impact': {'data_compromised': 'Healthcare and other personal information',
'operational_impact': 'No material disruption to operations'},
'investigation_status': 'Ongoing',
'references': [{'source': 'U.S. Securities and Exchange Commission (SEC) '
'filing'}],
'regulatory_compliance': {'regulatory_notifications': 'SEC filing'},
'response': {'communication_strategy': 'Patient portal for incident-related '
'inquiries, credit monitoring and '
'protection services',
'incident_response_plan_activated': 'Yes',
'third_party_assistance': 'Kroll (third-party administrator)'},
'title': 'The Oncology Institute Data Breach Linked to Third-Party Vendor',
'type': 'Data Breach'}