ShinyHunters Threatens to Leak 8.8TB of Amazon One Medical Patient Data
The ShinyHunters extortion gang claims to have stolen 8.8 terabytes of data from Amazon's One Medical unit and is threatening to publish it unless the company meets ransom demands by June 22.
The prolific cyber extortion group ShinyHunters has claimed responsibility for stealing 8.8 terabytes of data from Amazon's One Medical primary care business, threatening to leak the information on the dark web unless the company responds by June 22. In a post on its leak site Thursday, the gang warned One Medical that it would publish the compromised data "along with several annoying digital problems that'll come your way" if demands are not met. The post concluded with a stark ultimatum: "Final warning - pay or leak."
One Medical, which Amazon acquired for $3.9 billion in 2023, provides onsite and virtual primary care services to employees of more than 8,500 corporate clients across the United States. The company acknowledged the breach in a statement on its website, though it did not name ShinyHunters. One Medical said that on June 13 it learned that "an unauthorized person" had gained access to a third-party file-storage system used to retain archived information for One Medical Seniors, a division formerly known as Iora Health that serves older adults.
The company emphasized that the incident affects "only certain legacy" Iora Health and One Medical Seniors patients and does not impact other One Medical clinics, services, or the company's electronic medical record system. One Medical said it immediately secured the affected system, revoked all user access, and rotated credentials for all employees with access to the platform. An investigation determined that the hacker accessed patient files stored on the file-storage platform between June 8 and June 11.
One Medical identified a subset of files containing demographic and clinical records from patients at designated One Medical Seniors clinics in nine U.S. cities: Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The company said it will notify affected patients and has added safeguards to prevent similar incidents in the future. One Medical did not immediately respond to requests for comment on ShinyHunters' specific claims.
Security experts warn that the breach highlights a common vulnerability in healthcare organizations: legacy systems that fall outside the daily security perimeter. Rachel Seeger, founder of North Country Communications and a former adviser at the U.S. Department of Health and Human Services' Office for Civil Rights, noted that older platforms often lack the monitoring, patching, and governance applied to active clinical systems, yet they contain highly sensitive information. She urged regulated organizations to treat legacy repositories with the same level of protection as primary electronic health record environments.
ShinyHunters has been actively targeting organizations across multiple sectors. Earlier this month, the gang published what it claims is 234 gigabytes of data affecting 2.6 million people stolen from DentaQuest, one of the largest U.S. dental and vision benefits administrators. The group also recently published 26 million records allegedly stolen from Madison Square Garden Entertainment after the company reportedly declined to pay a ransom. The One Medical incident underscores the growing threat posed by extortion gangs that increasingly target the "soft underbelly" of healthcare—aging infrastructure, inherited systems from acquisitions, and data stores that organizations set and forget.