One Medical, the primary-care provider acquired by Amazon in 2023, is facing scrutiny on two fronts after the extortion group ShinyHunters claimed it stole 8.8 terabytes of company data and threatened to publish the information unless negotiations begin by June 22, 2026.
Reporting from The National CIO Review notes the allegation remains unverified — attackers have not released sample files to substantiate the claim.
What ShinyHunters Alleged
The group says it exfiltrated more than 8.8TB from One Medical, which operates 250+ clinics and virtual-care services nationwide. If legitimate, exposed records could combine medical and personal identifiers — a mix that fuels identity fraud and highly targeted phishing.
ShinyHunters has been linked to breaches across technology, retail, telecommunications, government, and professional services. Its playbook emphasizes data theft and public leak pressure rather than encryption-only ransomware.

What One Medical Has Confirmed Separately
One Medical disclosed a distinct security incident involving a third-party file storage system used to retain archived information from legacy Iora Health patients.
According to the company:
- Only a limited number of legacy Iora Health and One Medical Seniors patient files were accessed
- No other One Medical or Amazon systems were affected
- Unauthorized access was confined to the third-party storage environment
- Access was revoked immediately and affected patients are being notified
Fierce Healthcare covered the seniors-focused disclosure as a separate, confirmed event — not necessarily equivalent to the 8.8TB ShinyHunters claim.

Independent Cybersecurity Audit
An EmailMeNow Cybersecurity Audit of onemedical.com on June 19, 2026 scored the primary patient-facing domain at 76% (Good) — stronger than many healthcare targets in our 2026 Washington and Texas AG trackers, but still not a substitute for vendor and archive controls.
| Domain | Overall | Risk Level |
|---|---|---|
| One Medical (onemedical.com) | 76% | Good |
A passing public-domain score does not rule out compromise via third-party storage, legacy Iora Health archives, or SSO/social-engineering paths — the confirmed seniors incident involved a separate file-storage environment, not necessarily the main marketing site.
Audit link: onemedical.com audit
Why Healthcare Providers Should Pay Attention
Healthcare data remains among the most regulated and valuable categories attackers target. Texas and Washington AG portals show steady healthcare-sector filings in 2026 — see our healthcare AG tracker and HIPAA / HHS OCR statistics.
The One Medical situation illustrates patterns every clinic, insurer, and business associate should plan for:
- Extortion claims can precede formal disclosure — and may exaggerate scope until verified.
- Archived legacy data on third-party storage still counts as your breach surface (Iora Health archives).
- Parent-company acquisitions do not erase legacy systems — Amazon ownership did not prevent a separate storage compromise.
- Patients expect timely, accurate notice — conflicting headlines (8.8TB claim vs. “limited” confirmed access) increase phishing risk.

Recommendations for Healthcare Organizations
- Inventory legacy patient archives on SaaS file shares, backup buckets, and M&A-inherited systems.
- Contractually require breach notification SLAs from every storage vendor holding PHI.
- Monitor ShinyHunters leak sites and public trackers alongside HHS OCR portal data.
- Harden email and identity controls — ShinyHunters frequently leverages social engineering and SSO abuse.
Related trackers
- Healthcare AG breach tracker
- Texas healthcare breaches (2026)
- Washington healthcare breaches (2026)
- HIPAA / HHS OCR statistics
- Ransomware threat landscape
- Monitoring guide
- All state AG trackers
- Have I Been Pwned
Benchmark your clinic’s email and PHI handling posture.
Run a free audit at audit.emailmenow.com/?industry=healthcare-practices or contact EmailMeNow IT Consulting for vendor risk review and incident response planning.
Sources: The National CIO Review · Fierce Healthcare — One Medical Seniors third-party storage breach · EmailMeNow audit — onemedical.com