Two Security Incidents Hit Amazon One Medical, Exposing Patient Data Risks

By MRAdmin

Separate Incidents Target One Medical Data

Amazon’s primary care subsidiary, One Medical, has been hit by two distinct security incidents in June 2026, raising alarms about the protection of patient data handled by large technology firms entering healthcare. In the first, the extortion group ShinyHunters claimed on June 18, 2026, to have stolen 8.8 terabytes of data from One Medical, issuing a “final warning” for the company to negotiate by June 22 before allegedly publishing the information. If verified, this breach could involve sensitive medical records and personally identifiable information from over 830,000 patients across more than 250 U.S. clinics. No sample data has been released yet to confirm the claim.

Separately, Amazon One Medical confirmed a cybersecurity event affecting a “limited number” of patients within its senior care clinics, known as One Medical Senior Health (formerly Iora Health). On June 13, 2026, unauthorized access was discovered in a third-party file storage system containing archived Iora Health data. One Medical stated the incident was isolated to that vendor and did not impact other One Medical or Amazon systems. The company is notifying affected patients from the senior health incident, while the ShinyHunters claim remains under investigation.

Implications for Hospital Security Teams

These dual incidents underscore several critical risks for healthcare organizations. First, the reliance on third-party vendors for data storage introduces vulnerabilities, as seen in the senior care breach. Hospital security teams should reassess vendor risk management programs, including contract clauses for data protection and incident response, to mitigate similar exposures.

Second, the ShinyHunters attack highlights the persistent threat from extortion groups targeting large healthcare data repositories. For hospitals and health systems, this reinforces the need for robust data segmentation, encryption, and monitoring of patient records, especially for legacy data from acquisitions. The complexity of securing patient data at scale, as demonstrated by Amazon’s expanded healthcare footprint through One Medical, shows that even tech giants face steep challenges in safeguarding protected health information (PHI) and ensuring compliance with HIPAA and HITECH regulations. Healthcare CISOs should prioritize incident response drills that simulate third-party breaches and extortion demands, with a focus on protecting ePHI and maintaining clinical operations.

What This Means for Healthcare Organizations

For healthcare leaders, the One Medical incidents offer a clear warning about the risks of data aggregation after a merger. When health systems acquire clinics or legacy practices, they often inherit unsecured data stores that can become targets. The breach of Iora Health’s archived files is a case in point. Clinics and hospitals should conduct thorough security audits of all acquired data repositories and ensure that third-party storage vendors meet HIPAA Security Rule standards.

Moreover, the involvement of an extortion group like ShinyHunters heightens the stakes for patient safety. If sensitive medical records are publicly leaked, patients could face identity theft, fraud, or even clinical harm if manipulated data impacts treatment decisions. Health systems should work with legal and compliance teams to prepare for such scenarios, including patient notification protocols and credit monitoring services. As technology companies like Amazon continue to enter healthcare, these incidents demonstrate that robust cybersecurity must be a non-negotiable foundation for patient trust and regulatory compliance.

Source: CyberNews
