Amazon's primary care subsidiary disclosed a breach of archived patient records from a legacy acquisition the same day ShinyHunters claimed responsibility for stealing nearly nine terabytes of data from the company.

 

What happened

One Medical Senior Health, an Amazon-owned primary care provider formerly known as Iora Health, has disclosed that an unauthorized person accessed a third-party file storage system holding archived patient records on June 13, 2026. According to Becker's Hospital Review, the company immediately deactivated the affected system, revoked all access, and launched an investigation. The investigation confirmed that certain patient files related to a limited number of legacy Iora Health and One Medical Senior patients were accessed. One Medical stated no other patients were affected and that the incident was isolated to the third-party storage environment, with no other One Medical or Amazon systems impacted. The company is notifying affected patients directly and has not disclosed how many individuals are involved. ShinyHunters separately claimed responsibility on its leak site, alleging the theft of 8.8 terabytes of data from One Medical. One Medical has not confirmed or denied ShinyHunters' claim, and the relationship between the group's claim and the company's disclosed breach has not been independently verified.

 

Going deeper

One Medical acquired Iora Health in 2021 for approximately $2.1 billion and rebranded the senior-focused primary care operation as One Medical Senior Health. Iora Health had built a distinctive care model around serving Medicare Advantage patients in dedicated clinics, accumulating years of patient records before the acquisition. According to One Medical's own breach announcement, the compromised storage system held archived information specifically from the Iora Health era, meaning the records at risk predate the integration into One Medical's current systems. The gap between a third-party archive and the acquiring company's active infrastructure shows a common post-acquisition risk: historical data that is retained for regulatory and clinical purposes but managed through legacy storage arrangements that may not be subject to the same security oversight as the acquiring company's live systems.

 

What was said

One Medical stated in its official announcement: "We take the security of patient information seriously and are implementing additional safeguards to prevent similar events in the future." The company confirmed it is working with law enforcement and cybersecurity experts, and that notifications are being sent directly to affected patients. One Medical said the incident was contained to the third-party file storage system and did not affect broader One Medical or Amazon infrastructure.

 

In the know

The One Medical disclosure is the latest in ShinyHunters' sustained campaign against healthcare and technology organizations throughout 2026. According to BleepingComputer, the group has claimed breaches at ADT, Charter, DentaQuest, 7-Eleven, Ameriprise Financial, Vimeo, and the Canvas education platform in the same period, using vishing attacks against employee Okta, Microsoft Entra, and Google single sign-on accounts as its primary entry method. The group also recently claimed a breach of the Council of Europe, alleging theft of more than 409,000 staff payslips and personnel files, according to BleepingComputer. Whether the One Medical breach followed the same vishing methodology has not been confirmed.

 

The big picture

The One Medical breach shows the risks specific to healthcare acquisitions, where archived patient data from an acquired organization sits in legacy storage systems that were configured before the acquisition and may not align with the acquiring company's current security standards. Amazon acquired One Medical in 2023 for $3.9 billion after the Iora Health acquisition had already occurred, meaning the archived Iora records passed through two ownership transitions before the breach. Each transition represents a point where data governance responsibilities shift, but physical storage environments may not be upgraded. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure accounted for 28% of all email-related healthcare breaches in 2025. The One Medical case extends that pattern to the acquisition context, where the third-party storage relationship was inherited rather than independently established.

 

FAQs

What is One Medical Senior Health, and who are the affected patients?

One Medical Senior Health operates primary care clinics focused on Medicare Advantage patients, continuing the model established by Iora Health before the 2021 acquisition. The affected patients are a limited number of individuals whose records were held in archived Iora Health storage, meaning they received care under the Iora Health brand before or around the time of the acquisition.

 

Why does ShinyHunters' 8.8 terabyte claim differ from One Medical's description of a limited breach?

Threat actors routinely exaggerate the scope of data theft to maximize pressure on victims. One Medical's investigation confirmed access was limited to a specific third-party archive, while ShinyHunters claimed a much larger volume. Until One Medical provides additional detail or an independent forensic analysis is completed, the actual scope of what was accessed or exfiltrated cannot be confirmed from either statement alone.

 

Why do archived systems from acquisitions present an elevated security risk?

Acquired companies' legacy systems are often retained in their original form to preserve historical records for regulatory, clinical, or legal purposes. These systems may run outdated software, use storage configurations designed before current security standards, and fall outside the acquiring company's standard security monitoring and patching cycles, creating gaps that attackers can identify through standard scanning activity.

 

What does Amazon's ownership of One Medical mean for the breach's regulatory implications?

One Medical is a HIPAA-covered entity, and Amazon's ownership does not change that classification. The breach of archived patient records triggers the same HIPAA breach notification requirements as any other covered entity incident, including notification to affected individuals, HHS, and potentially state attorneys general, depending on the number of residents affected in each state.

 

What should healthcare organizations do when assessing security risks after an acquisition?

Acquirers should conduct a full data inventory of all storage systems inherited in the transaction, assess each against current security standards, and determine whether legacy storage environments need to be migrated, decommissioned, or brought into the acquiring organization's security monitoring framework. Retaining legacy archives in their original third-party configurations without review creates exactly the exposure One Medical has now disclosed.