A coordinated phishing campaign has breached sensitive patient data at several cancer care providers affiliated with a Tennessee-based network of oncology practices. Cybersecurity experts have long warned that healthcare organizations are particularly vulnerable to such attacks due to their often weak defenses and the high value of the data they store. The latest attack has impacted multiple cancer centers across the U.S., affecting over 130,000 people.
The breach, which occurred over a three-day period between Dec. 13 and 16, 2024, allowed attackers to access employee email and SharePoint accounts, according to notices filed with state regulators and the U.S. Department of Health and Human Services. The compromised accounts contained protected health information, including names, addresses, birth dates, diagnoses, lab results, treatment details, medications, insurance information, and in some cases, Social Security numbers and financial data.
ION, which operates under Cardinal Health’s larger Navista oncology alliance, initially did not respond to requests for comment. However, the company has since updated its cybersecurity protocols and provided additional training to staff. The breach notifications were sent to impacted practices on June 13, 2025, with patient letters beginning to be mailed out on June 27. ION has offered affected individuals free credit monitoring, dark web monitoring, and identity theft protection services to help mitigate potential damage.
Investigators believe the phishing campaign was likely designed to harvest data for use in wider fraud schemes. While SharePoint access was also compromised, the primary focus appeared to be email-based data collection. The breach is now listed on the HHS Office for Civil Rights breach portal, which tracks healthcare data exposures involving more than 500 individuals. So far, at least 11 practices have reported being affected, with significant facilities in Texas, Louisiana, and North Florida impacted.
Despite the scale of the breach, ION claims there is no current evidence of misuse of the stolen data. However, the incident underscores the growing threat of cyberattacks in the healthcare sector. Experts warn that phishing attacks remain a leading cause of healthcare data breaches, often exploiting gaps in email security and employee awareness. The ION breach highlights how a single phishing campaign can expose tens of thousands of patient records across multiple systems and locations.
Those affected by the breach are advised to take proactive steps to protect their personal information. This includes avoiding clicking on unexpected emails, using strong antivirus software, and considering identity theft protection services. Additionally, users are encouraged to use password managers to generate and store secure passwords, and to enable two-factor authentication (2FA) for an extra layer of security. Regularly reviewing bank statements and credit reports is also recommended to detect any signs of fraudulent activity early.
The ION breach has sparked renewed calls for improved cybersecurity measures in the healthcare industry, with many experts emphasizing the need for stronger defenses against phishing attacks. As the healthcare sector continues to digitize, the risk of data breaches will likely remain a critical concern. For now, ION has taken steps to address the breach, but the incident serves as a stark reminder of the importance of robust cybersecurity practices in protecting sensitive patient information.