The extortion crew ShinyHunters claims it stole 8.8 terabytes of patient data from Amazon-owned One Medical and has set a June 22, 2026 ransom deadline. One Medical has confirmed that an unauthorized party reached a legacy file storage system holding demographic and clinical records for elderly patients, making this one of the higher-profile healthcare-technology incidents of the year and placing the fallout squarely on Amazon, which paid $3.9 billion for One Medical in 2023.
What Happened
ShinyHunters posted a public countdown to June 22, 2026, warning One Medical to open ransom negotiations or watch its patient files spill onto the open web, along with what the group called "several annoying (digital) problems that'll come your way." The target was not One Medical's flagship app or its network of walk-in clinics, but an older, quieter corner of the business.
One Medical confirmed that an intruder gained access to a third-party file storage platform used to retain archived records from One Medical Seniors, the division formerly known as Iora Health. One Medical acquired Iora Health in 2021 and rebranded it; Amazon then folded the entire company into its healthcare arm two years later. The data ShinyHunters is threatening to publish is, in effect, a paper trail inherited twice over.
What Was Taken
ShinyHunters claims a haul of 8.8 terabytes. One Medical said its investigation found that only a limited number of legacy Iora Health and One Medical Seniors patient files were touched, and that no other One Medical clinics, services, or electronic medical record systems, and no other Amazon systems, were affected.
Even so, the sensitivity of the exposed material is high. The company identified demographic and clinical records tied to One Medical Seniors patients, a population made up of some of its most vulnerable members. Clinical and demographic data on elderly patients is a prime target for downstream fraud, medical identity theft, and highly convincing social-engineering campaigns aimed at both victims and their caregivers.
Why It Matters
This incident is a textbook case of acquisition risk. The compromised archive did not live inside One Medical's core clinical stack; it was a legacy system carried over from an acquired company, sitting on a third-party platform, retained long after the business that created it was rebranded and absorbed. Systems like this rarely receive the same monitoring, patching, and access controls as production infrastructure, yet they hold exactly the kind of long-lived, high-value personal data that attackers monetize.
For defenders, the lesson is that mergers and acquisitions expand the attack surface in ways that outlast the deal. A $3.9 billion acquisition inherited not just clinics and staff but a forgotten legacy file archive that has now become a national headline.
The Attack Technique
One Medical's disclosure attributes the breach to unauthorized access to a third-party file storage platform rather than a compromise of its own clinical or EMR systems. The specific initial-access vector has not been publicly detailed. ShinyHunters, however, has a well-documented playbook centered on stolen or exposed credentials, misconfigured cloud storage, and access to third-party and SaaS platforms, often followed by data exfiltration and pure extortion rather than encryption. The pattern here, a legacy archive on an external platform accessed by an unauthorized party and followed by a ransom countdown, fits that model closely.
What Organizations Should Do
- Inventory every data store inherited through acquisitions, including legacy and third-party platforms, and confirm each one has an accountable owner.
- Enforce data-retention and deletion policies so archived records that no longer need to exist are purged rather than left indefinitely.
- Apply strong authentication, including phishing-resistant MFA, to all third-party file storage and SaaS platforms, and rotate or eliminate long-lived credentials.
- Extend logging and anomaly detection to legacy and archival systems, not just production infrastructure, so unusual access to cold storage is caught early.
- Fold cybersecurity due diligence into M&A, mapping and re-securing acquired data assets before and immediately after integration.
- Rehearse an extortion-response plan that assumes data theft without encryption, including legal, regulatory notification, and communications workflows for pure-leak scenarios.
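The first four checks above can be run as a recurring audit over a data-store inventory. The following is an added example, not code from One Medical or the original article; the inventory fields, store names, and the 90-day credential-age threshold are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy, not from the article

@dataclass
class DataStore:                          # hypothetical inventory record
    name: str
    origin: str                           # business unit or acquired company
    third_party: bool                     # hosted on an external platform
    owner: Optional[str]                  # accountable team, None if unassigned
    retention_expires: Optional[date]     # None = no retention decision recorded
    phishing_resistant_mfa: bool
    oldest_credential_issued: date
    access_logs_monitored: bool

def audit(store: DataStore, today: date) -> list[str]:
    """Return the checklist items this store fails."""
    findings = []
    if not store.owner:
        findings.append("no accountable owner")
    if store.retention_expires is None:
        findings.append("no retention decision recorded")
    elif store.retention_expires < today:
        overdue = (today - store.retention_expires).days
        findings.append(f"retention expired {overdue} days ago, purge candidate")
    if store.third_party and not store.phishing_resistant_mfa:
        findings.append("third-party platform without phishing-resistant MFA")
    age = (today - store.oldest_credential_issued).days
    if age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"long-lived credential ({age} days old)")
    if not store.access_logs_monitored:
        findings.append("access logs not monitored")
    return findings

def triage(inventory: list[DataStore], today: date) -> list[tuple[str, list[str]]]:
    """Stores with at least one finding, worst first."""
    report = [(s.name, audit(s, today)) for s in inventory]
    return sorted((r for r in report if r[1]), key=lambda r: len(r[1]), reverse=True)

TODAY = date(2026, 6, 1)  # constructed sample data below
INVENTORY = [
    DataStore("prod-emr", "core", False, "clinical-platform", date(2030, 1, 1), True, date(2026, 5, 1), True),
    DataStore("acquired-archive", "acquired-co", True, None, date(2024, 6, 30), False, date(2021, 9, 1), False),
    DataStore("hr-share", "core", True, "people-ops", None, True, date(2026, 4, 15), True),
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY, TODAY):
        print(name, "->", "; ".join(findings))
```
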
Sources: One Medical Data Breach Exposes Senior Patient Records - Karsane