ShinyHunters Claims Responsibility for Amazon One Medical Seniors Data Breach
A massive data breach has been experienced by Amazon-owned One Medical Seniors Health, if the claims of the ShinyHunters threat group are to be believed. The group claims to have exfiltrated 8.8 terabytes of data from One Medical in a post on its dark web data leak site last week.
While many threat groups use ransomware to encrypt files and demand payment to decrypt data and prevent the publication of data stolen in their attacks, ShinyHunters solely engages in data theft and extortion. The group is known for big game hunting – the targeting of large companies with the financial means to pay large ransom payments. The group specializes in abusing compromised credentials, OAuth token theft, and voice phishing (vishing) for initial access. The group breaches networks, identifies sensitive data, and is skilled in rapid data exfiltration, often exfiltrating large volumes of data undetected.
ShinyHunters is known to attack healthcare organizations, and its recent victims include the medical device manufacturing giant Medtronic and DentaQuest, one of the largest dental benefits administrators in the United States. The latest claim, posted by ShinyHunters on June 18, 2026, came one day after One Medical disclosed a security incident related to One Medical Seniors, formerly Iora Health. ShinyHunters gave One Medical a short window of opportunity to respond and start ransom negotiations. “This is a final warning to reach out by 22 June 2026 before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline,” wrote the group on its data leak site.
One Medical did not acknowledge the ShinyHunters’ claim; however, a cyberattack and data breach were confirmed. In its June 17, 2026, website post, One Medical said an unauthorized third party gained access to a third-party storage system used to retain archived information of Iora Health. One Medical acquired Iora Health in 2021, two years before Amazon acquired One Medical.
One Medical deactivated the legacy system when the breach was detected, and its investigation has confirmed that patient files related to Iora Health/One Medical Seniors were accessed. No other One Medical or Amazon systems or patients were involved. One Medical said it will be notifying the affected patients directly.
The post did not explain the types of data involved or the number of patients whose data were compromised in the incident. The breach was detected on June 13, 2026, and the unauthorized access occurred between June 8 and June 11, 2026. The affected patients received medical services from Iora Health/One Medical Seniors at clinics in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle.
