Explore our Topics:

Old records, new owner, fresh breach: the One Medical extortion case

The One Medical data breach traces to a legacy archive from an acquired practice, spotlighting the risk health systems inherit.
By admin
Jul 7, 2026, 8:26 AM

ShinyHunters, a prolific data-extortion group, says it stole 8.8 terabytes of records from Amazon’s One Medical and will leak them unless the company pays. One Medical confirmed on June 17 that an unauthorized party had accessed its systems. The next day, ShinyHunters posted its claim to its dark web leak site and gave the company until June 22 to begin negotiations, a deadline that has come and gone with no public word about what happens next.

The data behind the hacker group’s threat has nothing to do with the clinics One Medical runs today, and it didn’t breach the company’s main electronic medical record system. Instead, ShinyHunters broke into a third-party archive of old files from One Medical Seniors, a primary care practice for older adults that One Medical acquired in 2021.

The exposed files held demographic and clinical records for patients in nine cities and regions, from Atlanta to Seattle. One Medical has not said how many people were affected, ShinyHunters has released no sample data, and the 8.8-terabyte figure remains the group’s unverified claim. This is old data, long set aside, and it draws less scrutiny than the records clinicians use daily, but often it holds the same names, histories, and diagnoses.

Why old, inherited records have become a prime target

One Medical paid $2.1 billion for Iora Health in 2021, and Amazon bought One Medical for $3.9 billion two years later, closing in early 2023. By then the Iora archive was two owners removed from the people who first collected it. Healthcare often grows this way, absorbing other companies’ records along with their patients and leaving data scattered across systems no single team built. Repositories like this fall outside the monitoring, patching, and access reviews that protect active clinical systems, even while holding sensitive records for years. Healthcare absorbs more of this than any industry, accounting for the largest share of breaches that begin with a third party.

What makes these forgotten stores worth stealing is a shift in how extortion groups operate. Rather than encrypting a hospital’s systems for ransom, ShinyHunters and similar groups copy the data and threaten to publish it. Federal breach reports show the same pattern across healthcare, with theft overtaking encryption, often through outside vendors and cloud storage. The standard ransomware defense, restoring from a clean backup, does nothing once attackers already hold a copy. An archive no one would miss is exactly what they want: the leverage is exposure, not disruption.

What HIPAA breach notification and lawsuits mean here

Whoever holds the records also holds the legal exposure. Under HIPAA, a company must report any breach affecting 500 or more people to regulators and notify those patients within 60 days of discovery, giving One Medical until mid-August to report officially. For now, the public activity around this breach is happening in law offices, where attorneys are advertising investigations into 1Life Healthcare, the corporate entity behind Amazon One Medical, and soliciting former patients for a possible class action.


Show Your Support

Subscribe

Newsletter Logo

Subscribe to our topic-centric newsletters to get the latest insights delivered to your inbox weekly.

Enter your information below

By submitting this form, you are agreeing to DHI’s Privacy Policy and Terms of Use.