Billing vendor hack exposes patient data at Oncology Institute
Tshedimoso Makhene
May 28, 2026
The Oncology Institute has disclosed that patient information may have been exposed following a cybersecurity incident involving a third-party billing vendor.
What happened
According to BankInfo Security, The Oncology Institute, a publicly traded cancer care provider serving nearly two million patients across the United States, disclosed that patient information may have been compromised following a cybersecurity incident involving a third-party vendor. The incident was tied to a software provider used by the company for billing-related services.
Going deeper
The company first disclosed the vendor-related cyber incident in November 2025, but additional findings released in May 2026 confirmed that unauthorized access extended to systems containing patient data. According to the article, the Oncology Institute was informed by Kroll, the vendor’s third-party administrator, that a third party had gained unauthorized access to certain company information systems.
At the time of disclosure, the organization had not publicly revealed how many patients were affected or the exact types of information exposed. However, the company stated that investigations remain ongoing.
In the know
Third-party vendors continue to be a major cybersecurity weak point in healthcare. According to a Paubox report, “28% of breaches reported last year were from vendor and business associate email exposure,” indicating the growing risks associated with external service providers handling protected health information.
The report also cited EY, which noted that “Healthcare organizations report limited visibility into third-party cybersecurity controls, despite increasing reliance on vendors for core operations.” Taken together, these findings show that weaknesses in a vendor’s environment can still expose private patient information and disrupt operations, even when providers strengthen their own internal security posture.
What was said
In its SEC filing, the Oncology Institute stated that it was informed on May 20, 2026, that a third-party vendor had experienced “unauthorized access to certain systems affecting data of patients and healthcare providers.” The company said the incident was identified through information provided by the vendor and its representatives during an ongoing investigation.
The filing noted that the company’s own systems were not believed to be directly compromised. “The Company’s internal systems have not been impacted by the incident,” the filing stated, adding that the breach was limited to systems maintained by the external vendor.
The Oncology Institute also said it was still evaluating the broader implications of the incident. According to the filing, the company “has not determined whether the incident is reasonably likely to materially impact the Company’s overall financial condition or results of operations.” The company noted that it is “working with the Vendor and external cybersecurity professionals to assess, mitigate and remediate the incident,” while continuing efforts to determine the scope of the affected information. The filing further stated that the organization is monitoring the situation closely and taking steps to support affected parties as additional details emerge.
In addition, the Oncology Institute said investigations remain ongoing and that the “full scope, nature and potential ultimate impact” of the incident had not yet been determined at the time of disclosure.
Why it matters
Third-party vendors have become a persistent cybersecurity risk in healthcare. Even when a provider’s internal systems are secure, vulnerabilities within external service providers can still expose sensitive patient data and disrupt operations across the care ecosystem.
Healthcare data breaches are particularly consequential because the information involved is highly sensitive and difficult to protect once exposed. Medical records include identifiers, insurance details, and clinical histories that, unlike passwords or financial account numbers, cannot be changed, making them especially valuable to cybercriminals for identity theft and fraud.
FAQS
What is a supply chain attack in cybersecurity?
A supply chain attack occurs when cybercriminals target a third-party vendor or service provider to gain indirect access to an organization’s systems or data.
What steps are typically taken after a vendor breach?
Organizations typically investigate the incident, work with cybersecurity specialists, assess the scope of affected data, and implement remediation measures with the vendor.
What can healthcare organizations do to reduce vendor risk?
They can strengthen third-party risk management, require stricter security standards from vendors, conduct regular audits, and improve monitoring of external systems.