
Integrated Oncology Network (ION) filed a breach report with government authorities on June 27, 2025. By July 10, a federal lawsuit had been filed against the company in the U.S. District Court for the Southern District of California, alleging breach of privacy. The breach affected 113,789 individuals at over 20 locations.
ION is a Tennessee-based company that partners with physicians, hospitals, and other healthcare providers to offer administrative support, oncology services, and technologies to patients of these providers. ION has 50 centers across the country, providing care that includes diagnostic testing, radiation oncology, medical oncology, urology, and ancillary services. In December 2024, ION was acquired by Cardinal Health.
Integrated Oncology Network is a HIPAA Business Associate
ION is a HIPAA business associate because it provides support services to healthcare providers and handles patients’ protected health information (PHI).
On the same day that ION filed its breach report with the U.S. Department of Health and Human Services (HHS), twenty-two providers (of oncology, cancer treatment, urology, radiation, etc.) filed similar reports that appear to be related. The hacking/IT incident is suspected to have stemmed from a phishing email.
According to ION’s website notice, the incident occurred in December 2024. ION does not specify when it became aware of the breach, but notes that its investigation concluded on May 9.
“On May 9, 2025, we concluded our investigation of an email phishing incident that resulted in unauthorized access to patient information in a small number of email and SharePoint accounts. The investigation determined that unauthorized parties accessed a small number of email and SharePoint accounts between December 13, 2024 and December 16, 2024. Although the likely purpose of the unauthorized access was to perpetuate an email phishing scheme, certain emails and SharePoint files were accessed by the unauthorized parties.”
Private information disclosed to intruders may have included patient names and addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and dates of treatment. Some Social Security numbers were also disclosed.
On June 13, 2025, ION notified its oncology physician practice customers that their patients’ information may have been compromised by the incident. On June 27, 2025, ION began mailing notice letters to the affected patients.
HIPAA requires notifications within 60 days of the date ION discovered or should have discovered the incident. Notifications may have been outside the required timeframe. Some states, including California, have stricter reporting and notification requirements (CA requires notice to the Department of Public Health within 15 days of discovery).
Breach Notification Requirements
HIPAA requires business associates to report potential breaches to their covered entity customer within 60 days of discovering the breach, or sooner if their business associate agreement requires.
HIPAA requires covered entities to report all breaches to HHS.
- Large breaches (affecting 500 or more individuals) must be reported without unreasonable delay, and in no case later than 60 days after the breach is discovered.
ION may be making the notifications on behalf of its covered entity customers.
OCR Will Investigate Integrated Oncology Network for HIPAA Violations
The HHS Office for Civil Rights (OCR) investigates all HIPAA breaches affecting 500 or more individuals. Therefore, ION will need to answer to regulators about its cybersecurity practices and whether it follows HIPAA. Key questions include whether ION performs a HIPAA risk analysis and conducts workforce training.
Class Action Lawyers are Circling
Although HIPAA does not give individuals a right to sue over violations of its rules, lawsuits often follow a large breach of health data.
Individuals whose data has been compromised can sue for negligence, breach of contract, and violations of state statutes that protect their privacy. At least one lawsuit has already been filed, and as of today, July 16, 2025, at least eight law firms are advertising that they are investigating the breach and asking affected individuals to contact them about potentially joining a lawsuit.
HIPAA Compliance Reduces Risks
The HIPAA Security Rule is a blueprint for defending against cybercrime and keeping patient data secure. Start with a HIPAA risk analysis to find the gaps, then make a plan to improve where needed.
Use the Security Rule Checklist in The HIPAA E-Tool® to ensure you have the safeguards required by HIPAA. Conduct HIPAA workforce training to bolster your defense against phishing and other hacking tactics.
HIPAA compliance helps strengthen cybersecurity and defend against investigations and lawsuits in case a breach occurs.

