The Oncology Institute Data Breach Investigation

Cancer patients already carry one of the heaviest burdens a person can face. When the organization entrusted with their most sensitive medical information fails to protect it, the consequences can be devastating at the worst possible time. That is the situation now facing some patients of The Oncology Institute, a cancer care provider operating more than 100 clinics across California, Oregon, Nevada, Arizona, and Florida. Contact our data breach lawyers to learn more and to consider legal action. 

What Happened at The Oncology Institute?

The Oncology Institute disclosed the incident in a filing with the U.S. Securities and Exchange Commission in November 2025. At that point, the company acknowledged a cybersecurity incident at one of its third-party information technology software vendors and noted the vendor’s investigation was still ongoing. The institute could not confirm at that time whether patient data had been accessed.

That changed in May 2026. According to a follow-up SEC filing, Kroll, the third-party administrator handling disclosures on behalf of the vendor, notified third parties on May 20, 2026 that unauthorized access had in fact occurred to certain Oncology Institute systems, including systems containing patient data. Reports indicate the vendor involved may be TriZetto, a healthcare technology company whose separate data breach reportedly affected multiple healthcare clients and approximately 3.4 million individuals nationwide.

The breach was not limited to The Oncology Institute. The incident appears to have impacted other healthcare service providers through the same vendor, and a patient portal has been established to provide information to affected individuals.

What Data May Have Been Exposed?

While the organization has not released a full accounting of what patient data was compromised, third-party vendor breaches in the healthcare space typically involve data stored in billing, claims, and administrative systems. Based on the nature of TriZetto’s platform, the types of information potentially at risk may include:

  • Full names and dates of birth
  • Social Security numbers
  • Health insurance and claims information
  • Diagnoses, treatment records, and medication histories
  • Provider names and appointment history
  • Financial account and billing details

For cancer patients specifically, this category of information is extraordinarily sensitive. Diagnoses, treatment protocols, and medication records reflect some of the most private details of a person’s life. Their exposure can lead to insurance complications, identity theft, and serious emotional harm.

California Patients Have Stronger Legal Protections

California law provides some of the strongest data privacy protections in the country. Under the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA), healthcare organizations and their business associates are required to implement reasonable security measures to protect patient information. When they fail to do so, affected individuals may have grounds to pursue legal action.

California also imposes strict data breach notification timelines. Under state law, healthcare providers are required to notify the California Department of Public Health within 15 business days of discovering a breach. The timeline between TOI’s November 2025 SEC disclosure and the confirmed May 2026 patient notification raises questions about whether applicable notification requirements were met.

HIPAA, the federal law governing the privacy and security of protected health information, also applies here. When covered entities and their business associates fail to maintain adequate safeguards, they may face regulatory enforcement and civil liability.

Why You Should Contact The Lyon Firm

The Lyon Firm has a documented track record in healthcare data breach litigation. Joe Lyon has personally helped secure millions in settlements and protections for patients affected by medical data breaches. The firm represents individuals in class action and individual litigation against healthcare providers, vendors, and insurers who fail to protect patient data.

Healthcare organizations have a heightened duty of care when it comes to protecting patient information. When a vendor breach compromises that information and patients are left exposed, accountability matters. The Lyon Firm investigates these cases with the depth and experience that complex healthcare litigation demands.

If your information was compromised in the Oncology Institute data breach, contact our attorneys at The Lyon Firm for a free, confidential consultation. There are no upfront costs, and you will receive honest guidance on your legal options. Call us at (513) 381-2333 or submit a confidential consultation request online.
