






















The Oncology Institute has confirmed that patient information was impacted in a cybersecurity incident involving a third-party software provider. The healthcare network first disclosed the security breach in November 2025 while the vendor’s investigation was still ongoing. Although the provider has not been officially named, reports suggest Cognizant-owned TriZetto may be involved.
The Oncology Institute, Inc. is a U.S.-based healthcare company that provides community-based cancer care services. It operates a network of oncology clinics focused on treating patients with cancer in outpatient settings, aiming to make care more accessible outside of large hospital systems.
“The Oncology Institute, Inc. (the “Company”) is providing this disclosure, as a follow-up to its voluntary disclosure in Item 7.01 of a Current Report on Form 8-K filed on November 6, 2025, regarding a cybersecurity incident affecting a software service provider (“Vendor”) utilized by the Company. At the time of the prior voluntary disclosure, the Vendor had indicated that investigation was still ongoing and it could not yet confirm any evidence that any patient personal information was compromised as a result of this incident,” reads the Form 8-K report filed with the SEC. “However, on May 20, 2026, Kroll, who is the third-party administrator for the Vendor, notified the Company that the Vendor had detected unauthorized access by a third party to certain information systems of the Company, including systems affecting data of patients. The Company believes that the cybersecurity incident has affected various other healthcare service providers, and the Vendor has set up a patient portal through which it intends to provide information and responses to inquiries.”
On May 20, 2026, Kroll, acting as the vendor's third-party administrator, informed The Oncology Institute that the vendor had detected unauthorized access to certain of the company's information systems, potentially affecting patient data. The incident may also involve other healthcare providers.
The attackers remain unknown, and no ransomware group has claimed responsibility for the incidents involving TriZetto or The Oncology Institute.
In March 2026, a data breach at Cognizant’s TriZetto Provider Solutions exposed sensitive information belonging to more than 3.4 million patients.
On October 2, 2025, TriZetto detected suspicious activity in a web portal used by healthcare providers. An investigation revealed that, starting in November 2024, an unauthorized actor accessed records linked to insurance eligibility verification transactions. The firm engaged cybersecurity experts, notified law enforcement, and began informing affected providers in December 2025.
Around November 28, 2025, TriZetto determined the breach may have exposed personal and health data, including names, addresses, birth dates, Social Security numbers, insurance details, and provider information. Financial data was not affected, and no identity theft or fraud linked to the incident has been reported so far.
After discovering the incident, the company implemented additional safeguards to better protect its systems and services.
(SecurityAffairs – hacking, data breach)