Full Report
The Oncology Institute has confirmed that patient information was impacted in a cybersecurity incident involving a third-party software provider. The healthcare network first disclosed the security breach in November 2025 while the vendor’s investigation was still ongoing. Although the provider has not been officially named, reports suggest Cognizant-owned TriZetto may be involved. The Oncology Institute, Inc. is…
Analysis Summary
# Incident Report: Third-Party Breach at The Oncology Institute
## Executive Summary
The Oncology Institute (TOI) confirmed that patient personal information was compromised following a cybersecurity incident at a third-party software provider, likely Cognizant-owned TriZetto. While initially disclosed as a potential threat in late 2025, confirmation of data impact was only received in May 2026. The breach has affected several other healthcare providers alongside TOI.
## Incident Details
- **Discovery Date:** November 6, 2025 (Initial disclosure); May 20, 2026 (Confirmation of data impact)
- **Incident Date:** Ongoing/Prior to Nov 2025
- **Affected Organization:** The Oncology Institute, Inc. (and multiple unnamed healthcare providers)
- **Sector:** Healthcare (Oncology)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-November 2025
- **Vector:** Third-party supply chain compromise
- **Details:** An unauthorized third party gained access to the systems of a software service vendor used by TOI.
### Lateral Movement
- **Details:** Attackers moved from the vendor’s general environment into specific information systems housing sensitive patient data.
### Data Exfiltration/Impact
- **Details:** The breach involved unauthorized access to "certain information systems," including those containing patient-specific data. While the full volume is not specified in this report, related reports suggest the wider vendor breach impacted over 3.4 million patients.
### Detection & Response
- **November 6, 2025:** TOI proactively filed a Form 8-K disclosing a potential incident at their vendor.
- **May 20, 2026:** Kroll (the vendor's third-party administrator) officially notified TOI that patient data was indeed accessed.
## Attack Methodology
*Note: Specific technical TTPs were not fully detailed in the high-level disclosure.*
- **Initial Access:** Exploitation of a third-party software provider (Supply Chain Attack).
- **Collection:** Gathering of patient personal information held within the vendor's database.
- **Impact:** Loss of data confidentiality, which in turn triggered regulatory reporting obligations for the healthcare network.
## Impact Assessment
- **Financial:** Costs associated with legal filings, Kroll-led investigations, and potential long-term credit monitoring for patients.
- **Data Breach:** Compromise of patient personal and medical information.
- **Operational:** Diversion of resources to manage vendor communications and SEC compliance.
- **Reputational:** Public disclosure of patient data exposure, partly mitigated by the fact that the breach occurred at the vendor rather than within TOI's own systems.
## Indicators of Compromise
- **Network indicators:** None disclosed in the provided article.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unauthorized access to patient databases detected by the vendor’s internal monitoring.
## Response Actions
- **Containment measures:** Vendor isolated affected systems.
- **Eradication steps:** The vendor engaged Kroll to perform a full forensic investigation.
- **Recovery actions:** The vendor established a patient portal to manage inquiries; TOI issued updated SEC filings to notify investors.
## Lessons Learned
- **Supply Chain Vulnerability:** Even if an organization’s internal security is robust, third-party software providers represent a significant "blind spot."
- **Delayed Confirmation:** There was a significant gap (approx. 6 months) between the initial suspicion of a breach and the confirmation of what data was actually taken.
- **Proactive Reporting:** TOI’s decision to file a voluntary 8-K in November 2025 allowed for better transparency ahead of the final impact confirmation.
## Recommendations
- **Vendor Risk Management:** Implement stricter security audits and "Right to Audit" clauses for third-party software providers.
- **Data Minimization:** Ensure that vendors only store the minimum amount of patient data necessary for their specific software function.
- **Incident Response Planning:** Develop specific playbooks for "Third-Party Breach Notification" to manage patient communications when the data is not handled on-premises.