ShinyHunters threatens to leak One Medical Seniors patient data

Amazon's One Medical disclosed a cybersecurity incident last week that involved unauthorized access to certain files related to One Medical Senior Health patients. A prolific cyber extortion group known as ShinyHunters has now claimed responsibility for the hack and is threatening to publish sensitive patient data unless it receives a payment.

One Medical disclosed the incident via a notice on its website on June 17, stating that an unauthorized person gained access to a third-party file storage system used to retain archived information of Iora Health, a company that One Medical acquired in 2021.

Tech giant Amazon is involved in the incident through a series of acquisitions over the past five years. Following One Medical's acquisition of Iora Health, the company was rebranded as One Medical Seniors. In 2023, Amazon acquired One Medical, folding One Medical Seniors under its umbrella.

Following the incident, One Medical said it immediately deactivated the legacy system and revoked all access. Further investigation revealed that certain patient files related to legacy Iora Health and One Medical Seniors patients were accessed. No other One Medical patients were affected, nor were other One Medical or Amazon systems.

"We apologize for this event and are notifying affected patients directly," the notice stated. "We take the security of patient information seriously and are implementing additional safeguards to prevent similar events in the future."

On June 18, ShinyHunters posted on its leak site, claiming to have stolen over 8.8 terabytes of data.

"This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline," the message stated. The message did not specify how much money ShinyHunters is demanding in exchange for the data.

ShinyHunters typically uses sophisticated voice phishing and victim-branded credential harvesting sites to gain access to corporate environments, Google Cloud's Mandiant stated in a January 2026 blog post. Once inside, the cyberthreat actors often use cloud-based software-as-a-service applications to exfiltrate sensitive data. Later, they use that data to make extortion demands.

According to the FBI, ShinyHunters and other threat groups often "use their real or exaggerated claims of access to sensitive or personal information to prompt payment from victims."

"Threat actors may falsely claim to have sensitive or compromising information, including embarrassing photographs or videos of victims, which frequently do not exist. Following these pressure tactics, [ShinyHunters] actors have sometimes posted exfiltrated data to various iterations of the [ShinyHunters] data leak site on the Tor network," the FBI stated in a May 2026 alert regarding the group.

One Medical has not explicitly named ShinyHunters as the culprit in this incident.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.