Material Cybersecurity Incidents (Form 8-K)

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

___________________________________

Form 8-K

__________________________________________________________

CURRENT REPORT

Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported) May 20, 2026

___________________________________

THE ONCOLOGY INSTITUTE, INC.

(Exact name of registrant as specified in its charter)

___________________________________

Delaware		001-39248		84-3562323
(State or other jurisdiction of incorporation)		(Commission File Number)		(I.R.S. Employer Identification No.)

18000 Studebaker Road, Suite 800, Cerritos, CA		90703
(Address of principal executive offices)		(Zip Code)

Registrant's telephone number, including area code: (562) 735-3226

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communication pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐ Pre-commencement communication pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐ Pre-commencement communication pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class		Trading Symbol(s)		Name of each exchange on which registered
Common stock, par value $0.0001		TOI		The Nasdaq Stock Market LLC
Redeemable warrants, each whole warrant exercisable for one share of Common stock, each at an exercise price of $11.50 per share		TOIIW		The Nasdaq Stock Market LLC

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR §230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR §240.12b-2).

Emerging growth company ¨

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐.

Item 1.05 Material Cybersecurity Incidents.

The Oncology Institute, Inc. (the "Company") is providing this disclosure, as a follow-up to its voluntary disclosure in Item 7.01 of a Current Report on Form 8-K filed on November 6, 2025, regarding a cybersecurity incident affecting a software service provider ("Vendor") utilized by the Company. At the time of the prior voluntary disclosure, the Vendor had indicated that investigation was still ongoing and it could not yet confirm any evidence that any patient personal information was compromised as a result of this incident. However, on May 20, 2026, Kroll, who is the third-party administrator for the Vendor, notified the Company that the Vendor had detected unauthorized access by a third party to certain information systems of the Company, including systems affecting data of patients. The Company believes that the cybersecurity incident has affected various other healthcare service providers, and the Vendor has set up a patient portal through which it intends to provide information and responses to inquiries.

Because of the Company's technology security and continuity plan, the Company worked swiftly in response, and its operations have continued in all material respects since the detection of the incident. The Company remains committed to protecting the healthcare and other personal information of its patients and will work with the Vendor to offer credit monitoring and protection to all impacted patients.

The Company is reserving all rights with respect to potential claims against relevant third parties or service providers. Although the Company's investigation and assessment remain ongoing, as of the date of this filing, the Company believes that the incident has not had a material impact on the Company's operations, financial systems, or its quality of care to its patients, and the Company is currently evaluating any other material impact, if any, including on its financial condition or results of operations.

Cautionary Statement Regarding Forward-Looking Statements

This Current Report on Form 8-K contains statements about future events and expectations which are "forward-looking statements" within the meaning of Sections 27A of the Securities Act of 1933, as amended, and 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements can be identified by forward-looking words such as "may," "might," "could," "would," "should," "will," "anticipate," "believe," "plan," "estimate," "project," "expect," "intend," "seek," "are encouraged," and other similar expressions. Any statement contained in this Current Report on Form 8-K that is not a statement of historical fact may be deemed to be a forward-looking statement. All forward-looking statements involve risks, uncertainties and other factors that may cause actual results to differ materially from those expressed or implied in the forward-looking statements. For example, all statements regarding the impact of the incident described above on the Company and its operations, financial systems, or its financial condition, the scope of the investigation, expectations regarding the adequacy of insurance, the Company's plans, objectives, projections and expectations regarding the Company's operations or financial condition, and assumptions related thereto are all forward-looking statements. Factors that might cause the Company's actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to, the Company's ongoing assessment of the impacts of the cybersecurity incident, including the Company's potential discovery of additional information related to the incident in connection with its investigation or otherwise; the Company's expectations regarding its ability to contain and remediate the cybersecurity incident; the impact of the cybersecurity incident on the Company's relationships with patients, employees, and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from any exfiltrated data or any potential regulatory inquiries and/or litigation to which the Company may become subject in connection with the incident; any further or still undetected cyber security incident; and remediation and other additional costs that may be incurred by the Company in connection with the investigation and remediation of the incident. The forward-looking statements speak only as of the date of this Current Report on Form 8-K. The Company undertakes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events, or otherwise, except as required by applicable law.

Item 9.01. Financial Statements and Exhibits.

(d) Exhibits

Exhibit No.		Description
104		Cover Page Interactive Data File (embedded within the Inline XBRL document).

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Dated: May 22, 2026	THE ONCOLOGY INSTITUTE, INC.
	By:	/s/ Minh Merchant
	Name:	Minh Merchant
	Title:	Chief Legal Officer