
Radiation Oncology Network data breach exposes PHI in California


An email phishing attack led to unauthorized access to sensitive health and personal data, affecting nearly 13,000 patients.


What happened

Radiation Oncology Network of Southern California experienced a cybersecurity breach that compromised the personal and health information of 12,944 individuals. The incident occurred between December 13 and December 16, 2024, when attackers gained access to employee email and SharePoint accounts via a phishing attack targeting Integrated Oncology Network (ION), which manages administrative services for several oncology practices.

Compromised data includes names, addresses, Social Security numbers, dates of birth, financial details, diagnoses, lab results, treatment information, medication history, provider names, and insurance claim details.


Going deeper

ION first identified the breach and disclosed it to the Radiation Oncology Network on June 13, 2025, six months after the attack. The breach was officially reported to the U.S. Department of Health and Human Services on June 27, and to the California Attorney General on July 15.

Radiation Oncology Network is offering affected patients complimentary identity monitoring services through Epiq Privacy Solutions. While no confirmation has been given about whether the compromised data was misused, the breach exposed both personally identifiable information (PII) and protected health information (PHI), which could make those affected vulnerable to identity theft or fraud.


What was said

Radiation Oncology Network stated that it responded to the incident by issuing required disclosures and offering support services to patients. The organization has not released further details on whether law enforcement is investigating or what additional security measures are being implemented.

According to the official notice letter, “unauthorized parties accessed a small number of email and SharePoint accounts between December 13, 2024 and December 16, 2024.” Although the intrusion appeared to be a phishing campaign rather than a targeted data theft, patient information stored in those accounts was exposed during the breach. “To date, there is no evidence that your specific information has been misused,” the letter stated. Radiation Oncology Network is offering identity monitoring through Epiq Privacy Solutions and has taken steps to strengthen cybersecurity training for staff.


FAQs

What is a phishing attack and how does it work?

A phishing attack is a form of social engineering where attackers trick employees into revealing login credentials by impersonating trusted sources, often through email.


Why did it take six months to notify affected patients?

Identifying the full scope of a breach, including what data was accessed and who was affected, often involves complex forensic analysis that can take months to complete.


What services does Epiq Privacy Solutions provide?

Epiq offers credit monitoring, identity restoration support, and fraud resolution services to help individuals protect themselves after a data breach.


Can patients take legal action against the organization?

Yes, affected individuals may be eligible to join class-action lawsuits or file individual claims depending on the extent of the impact and applicable state laws.


What steps can healthcare providers take to prevent phishing breaches?

Organizations can implement multi-factor authentication on email and collaboration accounts, employee phishing awareness training, and stricter email security controls to reduce their exposure to phishing-driven breaches.
