Columbia University Data Breach Exposes Unaffiliated Individuals’ Sensitive Data In February, a puzzling text from a family member led to the discovery of a months-long data breach mystery involving Columbia University one that affected individuals with no apparent ties to the institution. The text included a letter from Columbia, dated six months after the initial public notice, informing the recipient that their Social Security number (SSN) and other sensitive data had been exposed in a June 2023 breach. Columbia’s initial breach notifications, issued last year, were directed solely at "members of the Columbia community," warning of unauthorized access to admissions, enrollment, financial aid, and employee records. Major media reports echoed this, framing the incident as limited to students, applicants, and staff, while noting that the hacktivist behind the attack claimed motivation tied to Columbia’s admissions policies. However, the breach extended far beyond the university’s direct affiliates. The recipient a non-student, non-employee with no prior connection to Columbia received no explanation in the letter about how their data was obtained or exposed. The only remedy offered was enrollment in free credit monitoring via Kroll, the third-party firm hired to manage victim support. After repeated attempts to seek clarity through Kroll’s hotline where escalations yielded no follow-up a Columbia IT representative eventually revealed the cause: decades of third-party data collection, combined with failed data-removal efforts, had left the university holding sensitive information on individuals with no formal affiliation. The source of the exposed data, including SSNs, may trace back to standardized testing (such as the SAT) or other external partnerships, though Columbia has not provided a full account of its data retention practices. The breach underscores the risks of unchecked data aggregation by institutions, even for those with no direct relationship to the entity holding their information. As of now, the full scope of affected unaffiliated individuals remains unclear.

Cybersecurity Incident at The Oncology Institute Exposes Patient Data via Third-Party Vendor The Oncology Institute (TOI), a U.S.-based cancer treatment provider with over 100 clinics across California, Oregon, Nevada, Arizona, and Florida, disclosed that patient data was compromised in a 2025 cybersecurity incident involving a third-party software vendor. The breach, first reported in an SEC filing on November 3, 2025, initially appeared to disrupt fee-for-service collections without evidence of patient data exposure. However, a subsequent update on May 20 revealed that threat actors accessed systems containing patient information, as confirmed by Kroll, the vendor’s third-party administrator. TOI stated that its security protocols allowed operations to continue largely unaffected, and the company is collaborating with the vendor to provide credit monitoring and protection for impacted patients. The extent of the breach including the number of affected individuals and whether healthcare data was exposed remains undisclosed.