ShinyHunters Claims 8.8TB Breach of Amazon-Owned One Medical, Gives June 22 Deadline

Notorious extortion group ShinyHunters claimed on June 18 to have stolen 8.8 terabytes of data from One Medical, the primary care network acquired by Amazon in 2023. The group posted the claim on its dark web leak site and issued a "final warning" demanding negotiations begin before June 22, or the data would be published.

One Medical serves more than 830,000 patients across more than 250 clinics in the United States. If ShinyHunters' claim is accurate, the breach would rank among the largest healthcare data thefts of 2026.

One Medical separately confirmed a related incident. On June 13, the company discovered that an unauthorized party had accessed a third-party file storage system used for archived records from Iora Health, a senior-focused primary care company that One Medical acquired in 2021. One Medical said it "immediately deactivated the system and revoked all access" and launched an investigation. The company stated that "a limited number of legacy Iora Health and One Medical Seniors patients" were affected, and that no other One Medical patients were impacted.

There is a gap between the two accounts. One Medical's disclosure describes a limited incident affecting archived legacy data. ShinyHunters claims 8.8TB—a volume that would imply significantly broader exposure. No sample data has been released by the attackers to verify the claimed scope, and as of June 19, the authenticity and full extent of the theft remain unconfirmed.

ShinyHunters has a well-documented history of targeting healthcare organizations and major consumer platforms. The group was responsible for the 2020 Tokopedia breach (91 million records), the 2021 AT&T data exposure, and more recently targeted Ticketmaster in a 2024 attack that exposed 560 million records. The pattern of issuing public deadlines before releasing or selling stolen data is consistent with prior ShinyHunters operations.

Amazon, which owns One Medical's parent company, has not issued a separate public statement. One Medical has not confirmed whether ShinyHunters is responsible for the third-party storage breach it disclosed, or whether the two incidents are connected.

The June 22 deadline gives the company three days to begin negotiations or face the publication of whatever data the group actually obtained. Healthcare records—which typically include diagnoses, treatment histories, insurance information, and personally identifiable information—are among the most valuable data categories on criminal markets.

The story was first reported by TechNadu and Cybernews.