The Oncology Institute Discloses Data Breach to SEC

Published: June 5, 2026
Updated: June 5, 2026

The Oncology Institute Inc., headquartered in Cerritos, California, disclosed a data breach involving an unnamed software service provider.

The company first reported the situation to the U.S. Securities and Exchange Commission on Nov. 6, 2025, through a voluntary filing. It filed a follow-up disclosure with the SEC on May 20, 2026, this time classifying the incident as a material cybersecurity event.

The incident involved an unnamed software service provider, referred to as a "Vendor" in the company's SEC filing, that was used by The Oncology Institute. At the time of the company's earlier disclosure, the vendor had indicated that its investigation was still ongoing. The vendor said it could not yet confirm any evidence that patient personal information had been compromised as a result of the incident, according to the filing.

That changed on May 20, 2026, when Kroll, the third-party administrator working on behalf of the vendor, notified The Oncology Institute that the vendor had detected unauthorized access by a third party to certain information systems of the company. Those affected systems included ones containing data belonging to patients, according to the company's filing with the SEC.

The company stated that the cybersecurity incident has affected various other healthcare service providers beyond The Oncology Institute, though it did not name those providers. The specific types of patient information exposed were not detailed in the filing. The company referenced "the healthcare and other personal information of its patients" but did not list the exact data categories involved. The total number of individuals affected was also not disclosed.

The Oncology Institute's response

According to its SEC filing, The Oncology Institute stated that it worked swiftly in response to the incident because of its technology security and continuity plan. The company said its operations have continued in all material respects since the breach was detected.

The company said it remains committed to protecting the healthcare and other personal information of its patients. It plans to work with the vendor to offer credit monitoring and protection to all impacted patients. The company has not yet named the credit monitoring provider or described how affected individuals can enroll in those services.

The vendor has set up a patient portal through which it intends to provide information and respond to inquiries about the incident. The company did not include the portal's web address in its SEC filing.


Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information
  • Affected information types not yet disclosed
