HHS added ten listings to its public leak site today, all of which are part of the Integrated Oncology Network (“ION”). See updates to 22 listings.
According to its substitute notice, on May 9, ION concluded an investigation of a phishing incident that occurred between December 13 and December 16, 2024. The incident resulted in “unauthorized access to patient information in a small number of email and SharePoint accounts.”
The information potentially involved includes names in combination with one or more of the following: addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and/or dates of treatment. For a small number of individuals, the incident could have involved their Social Security numbers.
“To date,” they write, “there is no evidence that your specific information has been misused.”
On June 13, 2025, ION provided notifications to oncology physician practices that have patients whose information may have been involved in the incident. On June 27, 2025, ION began mailing notice letters to patients whose information may have been involved in the incident.
The substitute notice does not indicate that any complimentary services are being offered to those affected. To help prevent something like this from happening again, they state they are providing additional cybersecurity training to their staff.
So far, ten of their locations have shown up on HHS:
- South Georgia Center for Cancer Care, LLC – 4108 affected
- Rocky Mountain Oncology Care – 10268 affected
- PET Imaging of Tulsa – 3159
- PET Imaging of Sugar Land – 1808
- PET Imaging of Houston Medical Center- 1236
- PET Imaging of Dallas Northeast – 1935
- Mojave Radiation Oncology Medical Group – 4403
- e+ Oncologics Louisiana, LLC – 8270
- Cancer Care Center of North Florida-Lake Butler – 976
- California Cancer Associates for Research and Excellence – Fresno – 7670
- Southwest Urology – 7214
- Radiation Oncology Network of Southern California, LLC – 12944
- PET Imaging of The Woodlands – 2978
- PET Imaging of Northern Colorado – 4824
- Orange County Radiation Oncology Medical Group – 1911
- Lake City Cancer Care, LLC – 15142
- Fairbanks Urology – 4289
- Denali Biomedical 2413
- California Cancer Associates for Research and Excellence – High Desert – 17250
- Bardmoor Cancer Center – 991
- Golden State Radiation Oncology – 2130
- California Cancer Associates for Research and Excellence – San Diego – 638
- Golden State Radiation Oncology – 2130
DataBreaches has sent an inquiry to Navista, asking whether all of the locations have been affected, but no reply was immediately available.
This post was updated to add more entities/locations as they appeared on HHS’s breach tool:
- As of Update 1, there are 20 locations for a total of 113,789 patients affected.
- As of Update 2, there are 22 locations for a total of 116,557 patients affected.