TriZetto Provider Solutions and The Oncology Institute: Oncology Institute Discloses Data Breach

Cybersecurity Incident at The Oncology Institute Confirmed to Expose Patient Data

The Oncology Institute (TOI), a leading oncology provider operating over 100 clinics across five states since 2007, has confirmed that a previously disclosed cybersecurity incident resulted in unauthorized access to patient information. The breach originated at a third-party software vendor and was first reported to the SEC in November 2025, though the extent of the impact remained unclear at the time.

On May 20, 2026, Kroll, the vendor’s third-party administrator, notified TOI that the vendor had detected unauthorized access to TOI’s systems, including patient data. TOI stated in an SEC filing that the incident likely affected multiple healthcare providers, with the vendor establishing a patient portal for inquiries and disclosures.

While TOI has not named the vendor, the breach’s scope and timeline suggest TriZetto Provider Solutions, a Cognizant-owned healthcare technology company, as the likely source. TriZetto, which Kroll also represents, reported a separate breach earlier this year impacting 3.4 million individuals across its customer base.

No ransomware group has claimed responsibility for the attack, and the identity of the threat actors remains unknown. TOI has not provided further details on the number of affected patients or the specific data compromised. The incident adds to a growing trend of healthcare breaches, with recent disclosures affecting hundreds of thousands of individuals at other providers.

Source: https://www.securityweek.com/oncology-institute-discloses-third-party-data-breach/

The Oncology Institute cybersecurity rating report: https://www.rankiteo.com/company/oncologyinstitute

TriZetto Provider Solutions cybersecurity rating report: https://www.rankiteo.com/company/trizettoprovider

"id": "ONCTRI1779733617",
"linkid": "oncologyinstitute, trizettoprovider",
"type": "Breach",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'United States (5 states)',
                        'name': 'The Oncology Institute (TOI)',
                        'size': 'Over 100 clinics',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Third-party vendor compromise',
 'customer_advisories': 'Patient portal for inquiries',
 'data_breach': {'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Patient information'},
 'date_detected': '2026-05-20',
 'date_publicly_disclosed': '2026-05-20',
 'description': 'The Oncology Institute (TOI) confirmed that a cybersecurity '
                'incident resulted in unauthorized access to patient '
                'information. The breach originated from a third-party '
                'software vendor, first reported to the SEC in November 2025. '
                'On May 20, 2026, Kroll notified TOI that the vendor had '
                'detected unauthorized access to TOI’s systems, including '
                'patient data. The incident likely affected multiple '
                'healthcare providers.',
 'impact': {'brand_reputation_impact': 'Likely negative',
            'data_compromised': 'Patient information',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Possible'},
 'initial_access_broker': {'entry_point': 'Third-party vendor (TriZetto '
                                          'Provider Solutions likely)'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Third-party vendor compromise'},
 'references': [{'source': 'SEC filing'}],
 'regulatory_compliance': {'regulations_violated': ['HIPAA'],
                           'regulatory_notifications': 'SEC filing'},
 'response': {'communication_strategy': 'SEC filing, patient portal for '
                                        'inquiries',
              'third_party_assistance': 'Kroll'},
 'title': 'Cybersecurity Incident at The Oncology Institute Exposing Patient '
          'Data',
 'type': 'Data Breach'}