Cybersecurity Incident at The Oncology Institute Exposes Patient Data via Third-Party Vendor
The Oncology Institute (TOI), a U.S.-based cancer treatment provider with over 100 clinics across California, Oregon, Nevada, Arizona, and Florida, disclosed that patient data was compromised in a 2025 cybersecurity incident involving a third-party software vendor.
The breach, first reported in an SEC filing on November 3, 2025, initially appeared to disrupt fee-for-service collections without evidence of patient data exposure. However, a subsequent update on May 20 revealed that threat actors accessed systems containing patient information, as confirmed by Kroll, the vendor’s third-party administrator.
TOI stated that its security protocols allowed operations to continue largely unaffected, and the company is collaborating with the vendor to provide credit monitoring and protection for impacted patients. The extent of the breach, including the number of affected individuals and whether healthcare data was exposed, remains undisclosed.
The Oncology Institute cybersecurity rating report: https://www.rankiteo.com/company/oncologyinstitute
Kroll Cyber and Data Resilience cybersecurity rating report: https://www.rankiteo.com/company/kroll-cyber
"id": "ONCKRO1779972089",
"linkid": "oncologyinstitute, kroll-cyber",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'U.S. (California, Oregon, Nevada, '
                                    'Arizona, Florida)',
                        'name': 'The Oncology Institute (TOI)',
                        'size': 'Over 100 clinics',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Third-Party Vendor',
 'customer_advisories': 'Credit monitoring and protection for impacted '
                        'patients',
 'data_breach': {'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High (healthcare data)',
                 'type_of_data_compromised': 'Patient information'},
 'date_publicly_disclosed': '2025-11-03',
 'description': 'The Oncology Institute (TOI), a U.S.-based cancer treatment '
                'provider, disclosed that patient data was compromised in a '
                '2025 cybersecurity incident involving a third-party software '
                'vendor. The breach initially appeared to disrupt '
                'fee-for-service collections without evidence of patient data '
                'exposure, but a subsequent update revealed that threat actors '
                'accessed systems containing patient information.',
 'impact': {'data_compromised': 'Patient data',
            'identity_theft_risk': 'Potential',
            'operational_impact': 'Disruption in fee-for-service collections',
            'systems_affected': 'Fee-for-service collections systems, patient '
                                'information systems'},
 'investigation_status': 'Ongoing',
 'references': [{'source': 'SEC filing'}],
 'regulatory_compliance': {'regulatory_notifications': 'SEC filing'},
 'response': {'communication_strategy': 'SEC filing, public disclosure',
              'remediation_measures': 'Collaboration with vendor to provide '
                                      'credit monitoring and protection for '
                                      'impacted patients',
              'third_party_assistance': 'Kroll (third-party administrator)'},
 'title': 'Cybersecurity Incident at The Oncology Institute Exposes Patient '
          'Data via Third-Party Vendor',
 'type': 'Data Breach'}