OncoHealth, Inc.

On Nov. 20, 2025, OncoHealth, Inc., a digital health company specializing in oncology solutions, disclosed a data breach caused by a fraudulent Zendesk account being mistakenly included in an email distribution to Humana Inc. The breach resulted in the inadvertent exposure of a file containing protected health information (PHI) and personally identifiable information (PII), including first and last names, dates of birth, Humana identification numbers, and authorization numbers. The exposed data was sent to an impersonator’s email alongside intended recipients.

The incident was discovered on Sept. 4, 2025, with the breach originating from an Aug. 26, 2025 email. The exposure of PHI and PII poses risks of identity theft and medical fraud for affected individuals. OncoHealth began notifying impacted parties via mail on Oct. 10, 2025, and reported the breach to the Maine Attorney General’s office on the disclosure date.

In response, the company implemented stricter internal controls, enhanced staff security awareness, and updated Zendesk system protections. The breach stemmed from a human error in email distribution, leading to unauthorized access to sensitive health and personal data.

Source: https://www.claimdepot.com/data-breach/oncohealth-2025

TPRM report: https://www.rankiteo.com/company/oncohealth

"id": "onc4702747112225",
"linkid": "oncohealth",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (Individuals Associated '
                                              'with Humana Medical Oncology '
                                              'Prior Authorizations)',
                        'industry': 'Digital Health (Oncology Solutions)',
                        'name': 'OncoHealth, Inc.',
                        'type': 'Private Company'},
                       {'industry': 'Health Insurance',
                        'name': 'Humana Inc.',
                        'type': 'Public Company'}],
 'attack_vector': 'Social Engineering (Impersonation via Fraudulent Zendesk '
                  'Account)',
 'customer_advisories': ['Recommend monitoring for identity theft, reviewing '
                         'medical records for fraud, and contacting OncoHealth '
                         'for assistance.'],
 'data_breach': {'data_exfiltration': 'Yes (Sent to Impersonator’s Email)',
                 'file_types_exposed': ['Email Attachment (Likely Spreadsheet '
                                        'or Document)'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII and PHI)',
                 'type_of_data_compromised': ['First and Last Name',
                                              'Date of Birth',
                                              'Humana Identification Number',
                                              'Authorization Number']},
 'date_detected': '2025-09-04',
 'date_publicly_disclosed': '2025-11-20',
 'description': 'OncoHealth, Inc., a digital health company specializing in '
                'oncology-focused solutions, disclosed a data breach on Nov. '
                '20, 2025. The breach occurred when a fraudulent Zendesk '
                'account was mistakenly included in an email distribution to '
                'Humana Inc., resulting in the inadvertent delivery of an '
                'email containing a file with protected health information '
                '(PHI) to an impersonator’s email address. The exposed data '
                'included first and last names, dates of birth, Humana '
                'identification numbers, and authorization numbers, putting '
                'individuals at risk of identity theft and medical fraud.',
 'impact': {'brand_reputation_impact': 'Potential Reputation Damage Due to '
                                       'PHI/PII Exposure',
            'data_compromised': ['Personally Identifiable Information (PII)',
                                 'Protected Health Information (PHI)'],
            'identity_theft_risk': 'High (Exposed PII/PHI)',
            'legal_liabilities': 'Potential Regulatory Scrutiny (HIPAA '
                                 'Violation Risk)',
            'systems_affected': ['Zendesk Email System']},
 'initial_access_broker': {'entry_point': 'Fraudulent Zendesk Account '
                                          '(Impersonation)',
                           'high_value_targets': ['PHI/PII of Humana '
                                                  'Patients']},
 'investigation_status': 'Completed (Disclosed to Authorities)',
 'lessons_learned': 'Importance of verifying email recipients, especially in '
                    'third-party communication systems like Zendesk. Need for '
                    'robust access controls and employee training to prevent '
                    'social engineering exploits.',
 'post_incident_analysis': {'corrective_actions': ['Updated Zendesk '
                                                   'protections and training.',
                                                   'Strengthened internal '
                                                   'controls for email '
                                                   'distributions.',
                                                   'Enhanced security '
                                                   'awareness programs.'],
                            'root_causes': ['Human error in email distribution '
                                            'list management.',
                                            'Insufficient verification of '
                                            'Zendesk account authenticity.',
                                            'Lack of automated controls to '
                                            'detect anomalous recipient '
                                            'addresses.']},
 'recommendations': ['Implement multi-factor authentication (MFA) for email '
                     'and support systems.',
                     'Conduct regular audits of email distribution lists and '
                     'third-party account access.',
                     'Enhance employee training on phishing and impersonation '
                     'attacks.',
                     'Monitor dark web for exposed PII/PHI and offer '
                     'credit/identity theft protection to affected '
                     'individuals.'],
 'references': [{'source': 'OncoHealth Data Breach Notice (2025)'},
                {'source': 'Maine Attorney General’s Office Disclosure '
                           '(2025-11-20)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA Violation '
                                                    '(Unintentional PHI '
                                                    'Disclosure)'],
                           'regulatory_notifications': ['Maine Attorney '
                                                        'General (Disclosed '
                                                        '2025-11-20)']},
 'response': {'communication_strategy': ['Mail Notifications to Affected '
                                         'Individuals (Initial: 2025-10-10, '
                                         'Follow-ups Ongoing)',
                                         'Disclosure to Maine Attorney General '
                                         '(2025-11-20)'],
              'containment_measures': ['Removal of Fraudulent Zendesk Account',
                                       'Review of Email Distribution Lists'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Security Awareness Training for Staff',
                                    'Updated Training Materials'],
              'remediation_measures': ['Strengthened Internal Controls',
                                       'Updated Zendesk System Protections']},
 'stakeholder_advisories': ['Mail Notifications to Affected Individuals'],
 'threat_actor': 'Unknown (Impersonator)',
 'title': 'OncoHealth Data Breach via Fraudulent Zendesk Account',
 'type': 'Data Breach (Unintentional Disclosure)',
 'vulnerability_exploited': 'Human Error (Misconfigured Email Distribution '
                            'List)'}