The Oncology Institute Discloses Data Breach Linked to Third-Party Vendor The Oncology Institute Inc., a California-based healthcare provider, recently confirmed a data breach involving an unnamed third-party software vendor. The incident was first reported to the U.S. Securities and Exchange Commission (SEC) on November 6, 2025, with an initial filing indicating an ongoing investigation by the vendor. At the time, no evidence of compromised patient data had been confirmed. However, on May 20, 2026, the company filed an updated disclosure classifying the breach as a material cybersecurity event. Kroll, a third-party administrator assisting the vendor, notified The Oncology Institute that unauthorized access had been detected in systems containing patient data. While the exact types of exposed information such as medical records, personal details, or financial data were not specified, the filing acknowledged that "healthcare and other personal information" of patients was affected. The breach extended beyond The Oncology Institute, impacting additional unnamed healthcare providers that relied on the same vendor. The total number of affected individuals remains undisclosed. In response, The Oncology Institute stated that its security and continuity plans allowed operations to continue without material disruption. The company plans to collaborate with the vendor to offer credit monitoring and protection services to impacted patients, though details on enrollment and the provider have not been released. The vendor has also established a patient portal for incident-related inquiries, though its web address was not included in the filing.