What Happened in the Hematology Oncology Consultants Data Breach?
Hematology Oncology Consultants, a private medical practice in Michigan that treats cancer and blood disorder patients, has confirmed a data breach tied to a ransomware attack. The Hematology Oncology Consultants data breach affected files containing sensitive patient information. According to the notice, unauthorized access to the practice’s network occurred on or about Sept. 20, 2025.
A ransomware group known as Rhysida claimed responsibility for the attack. On Oct. 17, 2025, the group posted a message on the dark web through the Tor network, claiming it had obtained data from the organization. This public claim signaled that stolen files might already be circulating outside the practice’s control.
However, it was not until Feb. 12, 2026, that Hematology Oncology Consultants determined files containing personally identifiable information had actually been compromised. As a result, the company secured its systems and brought in cybersecurity specialists to investigate. The review process took several more weeks, and the company completed it on April 7, 2026.
Because forensic reviews of this kind can involve sorting through large volumes of files, the multi-month gap between the initial attack and final confirmation is not unusual. Still, the timeline shows how long it can take for a healthcare provider to fully understand what an attacker actually accessed.
Who was affected?
The Hematology Oncology Consultants data breach primarily affects patients of the practice. Given that the organization specializes in cancer and blood disorder treatment, those affected likely include individuals currently undergoing or who have previously undergone treatment for serious illnesses.
The exact number of affected individuals has not been publicly disclosed. The practice reported the incident to the Massachusetts Office of Consumer Affairs and Business Regulation and to the New Hampshire Attorney General, which suggests residents in those states were among those affected, in addition to patients in Michigan.
Because medical records were involved, it’s possible that highly sensitive diagnostic and treatment information was exposed alongside identity data. This combination increases the seriousness of the incident compared to breaches involving only basic contact details.
What Information Was Potentially Exposed?
According to the notification, the breach exposed several categories of sensitive personal and medical information. This data could be used by criminals for identity theft or medical fraud schemes.
- Full names
- Medical records
- Health insurance information
- Social Security numbers
The exposure of Social Security numbers is particularly concerning because this number is a key identifier used across many financial and government systems. As a result, affected individuals face a heightened risk of new-account fraud, tax fraud, and other forms of identity theft that can persist for years.
In addition, the exposure of medical records and health insurance details raises the risk of medical identity theft. This occurs when someone uses stolen insurance information to obtain medical services, prescriptions, or equipment under another person’s name. Consequently, victims may find fraudulent claims mixed in with their own legitimate medical history, which can complicate future care and billing.
What is the company doing?
Once Hematology Oncology Consultants discovered the incident, it took immediate steps to secure its digital environment. The practice then launched an investigation with the help of outside cybersecurity specialists to determine the scope of the compromise.
After completing its review on April 7, 2026, the company began notifying affected individuals through letters dated April 24, 2026. In addition, it reported the breach to state regulators in Massachusetts and New Hampshire, as required by law.
To support affected patients, the practice set up a dedicated call center staffed by representatives available Monday through Friday, from 8 a.m. to 8 p.m. Eastern time. This resource allows individuals with questions about the breach to get direct answers about their specific situation.
What Should Affected Individuals Do?
Place a Fraud Alert or Credit Freeze
Because Social Security numbers were exposed, affected individuals should contact one of the three major credit bureaus to place a fraud alert or credit freeze. Equifax, Experian, and TransUnion each offer this service, and placing an alert with one bureau typically requires that bureau to notify the other two.
A credit freeze restricts access to your credit file, which makes it harder for identity thieves to open new accounts in your name. This step is one of the most effective ways to prevent long-term financial damage after a breach involving Social Security numbers.
Monitor Your Credit Reports and Financial Accounts
Individuals affected by this breach should request free credit reports at AnnualCreditReport.com and review them closely. Look for unfamiliar accounts, inquiries, or changes that could indicate fraudulent activity.
In addition, review bank and credit card statements regularly for unauthorized transactions. If anything looks unfamiliar, contact the financial institution right away so it can investigate and, if necessary, freeze the affected account.
Watch for Medical Identity Theft
Since medical records and health insurance information were exposed, affected patients should closely monitor Explanation of Benefits statements from their health insurers. These statements can reveal whether someone has used stolen insurance details to receive medical services, prescriptions, or equipment.
If you notice services or charges you don’t recognize, contact your insurer immediately. This helps prevent fraudulent claims from becoming part of your permanent medical history, which can otherwise be difficult to correct later.
Stay Alert for Phishing and Scams
Scammers sometimes use real data breaches to craft convincing phishing messages. Be cautious of any calls, emails, or texts that mention Hematology Oncology Consultants or reference this breach by name, since these could be attempts to steal even more personal information.
Avoid clicking links or providing personal details in response to unsolicited messages. Instead, verify any communication by contacting the company directly through its official phone number or website.
Report Suspicious Activity Promptly
If you notice signs of fraud, report them right away to your financial institution, local law enforcement, and the Federal Trade Commission. Prompt reporting can limit the damage and create a record that helps with disputing fraudulent charges.
Furthermore, individuals concerned about their legal options after this breach may want to speak with a data breach attorney. A free consultation can help clarify whether you qualify for compensation related to the exposure of your information.
More Information
Official Data Breach Notification Letter (PDF)
