The Oncology Institute Discloses Patient Data Breach via Third-Party Billing Vendor
The Oncology Institute, a publicly traded cancer care provider, notified the SEC that patient data was compromised in a 2025 breach involving a third-party billing software vendor.

The Oncology Institute, a California-based cancer treatment firm serving nearly 2 million patients across more than 100 clinics in five states, has disclosed that patient information was compromised in a 2025 cybersecurity incident involving a third-party billing software vendor. In a filing with the U.S. Securities and Exchange Commission, the company revealed that it learned from Kroll—the firm working with the breached vendor—that unauthorized access was detected in certain Oncology Institute IT systems, including those containing patient data.
The incident was first reported to the SEC in November 2025, but at that time the vendor could not confirm whether patient data had been accessed. The latest filing updates that disclosure, confirming that data was indeed compromised. The Oncology Institute said its operations have continued in all material respects since the incident was detected, and it will work with the affected vendor to offer credit monitoring to impacted patients.
The number of affected individuals has not been disclosed. The company reported consolidated revenue of $502.7 million in 2025, and so far the breach has not appeared to materially affect its financial performance, based on its fourth-quarter 2025 and first-quarter 2026 earnings results and analyst calls.
The Oncology Institute provides advanced cancer treatment care in California, Oregon, Nevada, Arizona, and Florida. The company was founded in 2007 and has grown to become a significant player in oncology services, but like many healthcare organizations, it relies on third-party vendors for critical administrative functions such as billing.
This breach is part of a troubling pattern of incidents targeting medical billing and revenue cycle management vendors. In February 2026, TriZetto Provider Solutions, a unit of Cognizant, reported a hack affecting 3.4 million individuals. ApolloMD also reported a breach in February affecting nearly 627,000 people. Last September, Veradigm (formerly Allscripts) disclosed a breach affecting nearly 2.7 million individuals.
Healthcare data breaches involving third-party vendors are particularly concerning because they can expose sensitive patient information—including medical histories, treatment plans, and personal identifiers—to unauthorized actors. The Oncology Institute has not yet identified the specific billing software vendor involved, nor has it provided details on the nature of the data accessed.
The company said it will continue to monitor the situation and cooperate with law enforcement and regulatory authorities. Patients are advised to remain vigilant for signs of identity theft or fraud, and the company has committed to providing credit monitoring services to those affected.
This incident underscores the growing risk that healthcare organizations face from supply-chain attacks targeting the software vendors they depend on for daily operations. As billing and revenue cycle management platforms become more interconnected, a single vendor compromise can ripple across multiple healthcare providers, amplifying the impact on patient privacy and organizational trust.