The Oncology Institute says a previously disclosed cybersecurity incident has been confirmed to impact patient information.

The Oncology Institute (TOI) is an oncology provider founded in 2007 that delivers specialized cancer care through a network of over 100 clinics across five states.

The healthcare organization told the SEC in November 2025 that it had learned of a cybersecurity incident affecting a third-party software services provider. At the time, the vendor’s investigation was ongoing, and it could not say whether patient information had been compromised.

“However, on May 20, 2026, Kroll, who is the third-party administrator for the Vendor, notified [TOI] that the Vendor had detected unauthorized access by a third party to certain information systems of [TOI], including systems affecting data of patients,” TOI said in a new SEC filing last week.

It added, “[TOI] believes that the cybersecurity incident has affected various other healthcare service providers, and the Vendor has set up a patient portal through which it intends to provide information and responses to inquiries.”