Integrated Oncology Network Data Breach Investigation
The data privacy lawyers at The Lyon Firm are investigating a data breach at California Cancer Associates for Research and Excellence, as reported by Integrated Oncology Network. Contact our attorneys to discuss taking legal action if you or a loved one has been impacted by the breach. We represent plaintiffs in California and nationwide and our firm has settled numerous class action data breach lawsuits on behalf of our clients.
Breach reports are starting to appear on the HHS’ Office for Civil Rights breach portal from the affected oncology physician practices. The following cancer clinics may have been impacted:
| Rocky Mountain Oncology Care | 10,268 |
| e+ Oncologics Louisiana, LLC | 8,270 |
| California Cancer Associates for Research and Excellence – Fresno | 7,670 |
| Mojave Radiation Oncology Medical Group | 4,403 |
| South Georgia Center for Cancer Care | 4,108 |
| PET Imaging of Tulsa | 3,159 |
| Acadiana Radiation Therapy, LLC | 2,219 |
| PET Imaging of Dallas Northeast | 1,935 |
| PET Imaging of Sugar Land | 1,808 |
| PET Imaging of Houston Medical Center | 1,236 |
| Cancer Care Center of North Florida-Lake Butler | 976 |
What Happened at Integrated Oncology Network?
According to a “Notice of Email Phishing Incident” on the Integrated Oncology Network website, on June 13, 2025, California Cancer Associates for Research and Excellence – Fresno (cCARE Fresno) discovered that a December 2024 email phishing attack resulted in unauthorized access to employee email and SharePoint accounts. The compromised SharePoint files contained sensitive patient data. The breach allegedly occurred from December 13 to December 16, 2024.
According to an official disclosure send out to the California AG, the hackers gained access to accounts with the intention to launch further phishing schemes. An investigation concluded that the exposed information included both personally identifiable information (PII) and protected health information (PHI), including the following: Social Security numbers, names, addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and dates of treatment.
The incident was reported to the California Attorney General’s office on June 27, 2025, and data breach notification letters should be sent out to all known impacted individuals. It is important to understand the privacy risks of a data theft incident and to take certain measures to mitigate the risks moving forward.
With locations in Chula Vista, Fresno, La Jolla, Encinitas, High Desert, Murrieta, San Marcos, San Diego and Riverside, cCARE serves California residents as the largest private oncology practice in the state, providing treatments for breast cancer, lung cancer, prostate cancer, colon cancer and all other forms of cancers. In response to the data breach, cCARE Fresno secured the affected email and SharePoint accounts and has since implemented additional cybersecurity training to help prevent future phishing attacks.