Email Hack Hits 24+ Cancer Care Practices

A 2024 email phishing breach at the Integrated Oncology Network (ION), part of Cardinal Health’s Navista alliance, exposed sensitive patient data across at least 24 HIPAA‑covered oncology and imaging centers spanning 12 states, affecting approximately 123,000 individuals.  Unauthorized access occurred between December 13–16, 2024.  A May 9, 2025 notice that attackers accessed both email and SharePoint accounts, intending phishing but also inspecting files and attachments.  Breaches were officially reported on June 27, 2025, with notifications sent to affected practices on June 13, and patient letters dispatched by June 27.  Exposed information included names, contact information, dates of birth, financial accounts, diagnoses, lab results, medications, treatment details, insurance/claims, provider identities, treatment dates—and in some cases, Social Security numbers.  

California saw the largest concentration, including Orange County Radiation Oncology and multiple California Cancer Associates for Research and Excellence offices.

In Florida, Lake City Cancer Care disclosed the largest single incident (15,142 patients); Bardmoor Cancer Center was also impacted.

Texas practices (e.g., PET Imaging in Houston, Sugar Land, Dallas Northeast, The Woodlands), plus facilities in Alaska, Louisiana, Georgia, Wyoming, Oklahoma, Ohio, Colorado, and Tennessee, have all reported breaches.

This breach accounts for nearly a quarter of the 108 major email-based breaches reported in 2025 to the HHS OCR—affecting over 1.75 million people in total.

ION implemented immediate remediation, notification, and strengthened cybersecurity training.

Its focus now is on bolstering email/SharePoint security, improving employee phishing defenses, and offering protective identity services.

Takeaway: Even smaller, specialized healthcare networks can suffer major phishing attacks. With over 123,000 patient records exposed, this incident underlines how crucial robust email security, rapid breach response, and comprehensive training are in protecting sensitive health data—especially in oncology settings.

It ranks among the five largest health-related email breaches of the year.

Source