Phishing attack causes data breach at North Florida Cancer Care Center

Cancer Care Center of North Florida recently disclosed a series of data security incidents that exposed the protected health information (PHI) of 1,789 patients.

What happened

Cancer Care Center of North Florida confirmed that it was impacted by two separate security incidents:

1. Email phishing incident (December 2024): Between December 13–16, 2024, unauthorized access was gained to certain email accounts and SharePoint files. Exposed data included names, addresses, dates of birth, financial account details, diagnoses, lab results, medications, treatment information, health insurance and claims records, provider names, and dates of treatment. A limited number of Social Security numbers were also compromised. The Cancer Care Center’s Lake Butler location reported that 976 patients were affected.
2. Network hacking incident (March–April 2025): Unauthorized access to certain Integrated Oncology Network (ION) systems occurred between March 31 and April 10, 2025. The breach was discovered on April 11. Affected files contained names, addresses, dates of birth, medical record numbers, diagnostic imaging and test results, medications, treatment information, health insurance data, provider names, dates of treatment, and, in some cases, driver’s license or financial account information. 

These incidents were disclosed between July 11 and August 6, 2025, after ION completed initial investigations, confirming a total of 1,789 affected patients.

In the know

The Integrated Oncology Network (ION) is a management services organization that partners with oncology practices to provide shared administrative, clinical, and technical infrastructure. ION’s systems store and transmit patient records across its member practices, handling large volumes of PHI.

Under HIPAA, PHI includes any identifiable patient data connected to medical care, like diagnoses, treatments, lab results, insurance information, and billing details. Since ION supports multiple practices through centralized platforms, a single breach in its systems can expose sensitive data from several providers at once. So, while the interconnected model increases efficiency, it also magnifies the potential impact of a cyber incident.

The big picture

In the first half of 2025 alone, healthcare data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) affected more than 29 million individuals. The Cancer Care Center of North Florida incidents are part of this wider surge, showing how cybercriminals exploit phishing and server vulnerabilities.

As phishing campaigns and server hacks remain common entry points, healthcare providers also face greater pressure to adopt better defenses like HIPAA compliant email solutions. 

Go deeper: Top healthcare data breaches of 2025 affect over 29 million (so far)

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.