Over 7,000 patient email accounts exposed in Southwest Urology cyberattack
Kirsten Peremore
July 16, 2025
On May 9, 2025, Integrated Oncology Network (ION), a company that provides administrative services to Southwest Urology, discovered that unauthorized actors had accessed specific email accounts and SharePoint files over a three-day period between December 13 and December 16, 2024.
What happened
As a result, sensitive data belonging to at least 7,214 individuals was compromised. The breach affected both personally identifiable information (PII) and protected health information (PHI), including names, addresses, dates of birth, Social Security numbers, financial account information, diagnosis details, lab results, medications, treatment records, provider names, health insurance information, and claims data. On June 27, 2025, Southwest Urology officially reported the incident to the U.S. Department of Health and Human Services (HHS).
What was said
According to a report by ClaimDepot, “The information compromised in this breach could be used for identity theft, financial fraud or to gain unauthorized access to medical services.”
In the know: What is the difference between PII and PHI?
PII refers to any data that can be used to identify an individual on its own or when combined with other information. Examples include names, Social Security numbers, addresses, dates of birth, and financial account details.
PHI, on the other hand, is a specific subset of PII that relates to a person’s health status, medical history, or health care services and is created, received, or maintained by a covered entity (like a doctor, hospital, or insurance provider). PHI includes items such as diagnoses, lab results, treatment records, medication history, and insurance data.
The key difference is that PHI is tied directly to health care and is protected under HIPAA laws, while PII is a broader category of personal data that can apply across many industries. When PHI is exposed in a breach, it often includes PII, but not all PII is considered PHI unless it is connected to health care services.
Why it matters
When both PII and PHI are exposed together, as in this breach, the combination can support identity theft, insurance fraud, and even unauthorized access to medical care. Beyond the personal harm to over 7,000 patients, the incident illustrates third-party risk: a compromise of a vendor's email accounts and SharePoint files exposed patients of the providers that vendor serves, and the intrusion in December 2024 went undetected until May 2025, roughly five months later.
FAQs
What is a data breach?
A data breach occurs when sensitive, protected, or confidential information is accessed, disclosed, or stolen by an unauthorized individual or system.
What is credit monitoring?
Credit monitoring is a service that alerts you to changes in your credit report, like new accounts or suspicious activity. It’s often provided for free after a data breach.
Are data breaches common in healthcare?
Yes. Healthcare is one of the most targeted sectors because medical data is extremely valuable on the black market.
