Back to news
Cybersecurity Alert
June 18, 2026 by EmailMeNow IT Consulting

ShinyHunters Claims 8.8TB One Medical Breach as Amazon-Owned Clinic Faces Dual Incidents

ShinyHunters alleges an 8.8TB One Medical breach while the clinic separately disclosed legacy Iora Health file access. An independent audit of onemedical.com scores 76% overall.

Source: The National CIO Review / Fierce Healthcare

Data BreachShinyHuntersHealthcareHIPAAExtortionCybersecurity
One Medical healthcare data breach claim by ShinyHunters extortion group

One Medical, the primary-care provider acquired by Amazon in 2023, is facing scrutiny on two fronts after the extortion group ShinyHunters claimed it stole 8.8 terabytes of company data and threatened to publish the information unless negotiations begin by June 22, 2026.

Reporting from The National CIO Review notes the allegation remains unverified — attackers have not released sample files to substantiate the claim.

What ShinyHunters Alleged

The group says it exfiltrated more than 8.8TB from One Medical, which operates 250+ clinics and virtual-care services nationwide. If legitimate, exposed records could combine medical and personal identifiers — a mix that fuels identity fraud and highly targeted phishing.

ShinyHunters has been linked to breaches across technology, retail, telecommunications, government, and professional services. Its playbook emphasizes data theft and public leak pressure rather than encryption-only ransomware.

Illustration: dark web leak site countdown threatening public data release after extortion deadline

What One Medical Has Confirmed Separately

One Medical disclosed a distinct security incident involving a third-party file storage system used to retain archived information from legacy Iora Health patients.

According to the company:

  • Only a limited number of legacy Iora Health and One Medical Seniors patient files were accessed
  • No other One Medical or Amazon systems were affected
  • Unauthorized access was confined to the third-party storage environment
  • Access was revoked immediately and affected patients are being notified

Fierce Healthcare covered the seniors-focused disclosure as a separate, confirmed event — not necessarily equivalent to the 8.8TB ShinyHunters claim.

Illustration: attacker viewing stolen customer records in a cloud CRM dashboard via compromised API tokens

Independent Cybersecurity Audit

An EmailMeNow Cybersecurity Audit of onemedical.com on June 19, 2026 scored the primary patient-facing domain at 76% (Good) — stronger than many healthcare targets in our 2026 Washington and Texas AG trackers, but still not a substitute for vendor and archive controls.

DomainOverallRisk Level
One Medical (onemedical.com)76%Good

A passing public-domain score does not rule out compromise via third-party storage, legacy Iora Health archives, or SSO/social-engineering paths — the confirmed seniors incident involved a separate file-storage environment, not necessarily the main marketing site.

Audit link: onemedical.com audit

Why Healthcare Providers Should Pay Attention

Healthcare data remains among the most regulated and valuable categories attackers target. Texas and Washington AG portals show steady healthcare-sector filings in 2026 — see our healthcare AG tracker and HIPAA / HHS OCR statistics.

The One Medical situation illustrates patterns every clinic, insurer, and business associate should plan for:

  1. Extortion claims can precede formal disclosure — and may exaggerate scope until verified.
  2. Archived legacy data on third-party storage still counts as your breach surface (Iora Health archives).
  3. Parent-company acquisitions do not erase legacy systems — Amazon ownership did not prevent a separate storage compromise.
  4. Patients expect timely, accurate notice — conflicting headlines (8.8TB claim vs. “limited” confirmed access) increase phishing risk.

Illustration: executive receiving encrypted extortion demand with ransom deadline and threat of public data leak

Recommendations for Healthcare Organizations

  • Inventory legacy patient archives on SaaS file shares, backup buckets, and M&A-inherited systems.
  • Contractually require breach notification SLAs from every storage vendor holding PHI.
  • Monitor ShinyHunters leak sites and public trackers alongside HHS OCR portal data.
  • Harden email and identity controls — ShinyHunters frequently leverages social engineering and SSO abuse.

Benchmark your clinic’s email and PHI handling posture.

Run a free audit at audit.emailmenow.com/?industry=healthcare-practices or contact EmailMeNow IT Consulting for vendor risk review and incident response planning.


Sources: The National CIO Review · Fierce Healthcare — One Medical Seniors third-party storage breach · EmailMeNow audit — onemedical.com