ShinyHunters Steals 8.8 TB from Amazon One Medical Seniors: What Every Healthcare Provider Must Do Right Now

⚠ Healthcare Cybersecurity Alert

ShinyHunters Steals 8.8 TB from Amazon One Medical Seniors — What Every Healthcare Provider Must Do Right Now

The same threat actor behind the Carnival and Charter breaches just hit a major home health network — and the vulnerability is one your organization probably shares

Published by CMIT Solutions · Healthcare Cybersecurity · 5 min read

What Happened: ShinyHunters Breaches Amazon One Medical Seniors

Between June 8 and June 11, 2026, an unauthorized party gained access to third-party file storage systems owned by One Medical Seniors — formerly known as Iora Health, and now a subsidiary of Amazon following a $3.9 billion acquisition in 2023. The breach was discovered on June 13 and publicly disclosed on June 24.

The data extortion group ShinyHunters claimed responsibility, adding One Medical Seniors to its dark web leak site and threatening to release 8.8 terabytes of stolen patient health data unless a ransom was paid by June 22. That deadline has now passed. The stolen files are believed to include demographic and clinical records — protected health information (PHI) — belonging to patients at former Iora Health clinics in Atlanta, Denver, Houston, Phoenix, Tucson, Seattle, and locations across Massachusetts and North Carolina.

What makes this breach especially significant for the broader healthcare cybersecurity landscape is not the size of the company targeted — it is the type of vulnerability that was exploited. The compromised systems were not active production environments. They were legacy archives from an acquisition that changed hands three times in five years, never fully brought under a unified security program. That pattern is everywhere in healthcare — including in home health agencies, specialty practices, and regional medical groups that have grown through mergers, software migrations, or vendor transitions.

⚠ Breaking: June 2026

ShinyHunters breached One Medical Seniors on June 8–11, 2026, claiming 8.8 TB of patient PHI including clinical and demographic records. The ransom deadline of June 22 has passed. The same group previously attacked Medtronic, Carnival Corporation, and Charter Communications — demonstrating a deliberate focus on organizations holding large volumes of sensitive data.

The Inherited Risk Problem That Healthcare Ignores at Its Peril

This breach follows a pattern that security experts have been warning about for years. When One Medical acquired Iora Health in 2021, it also inherited Iora’s patient data, vendor relationships, and every HIPAA obligation attached to them. When Amazon acquired One Medical in 2023, those inherited liabilities transferred again. The legacy file storage system that ShinyHunters accessed was sitting in an external third-party environment that had passed through three ownership changes — and at each handoff, the security review was apparently incomplete.

HIPAA’s Security Rule is unambiguous: the obligation to protect electronic PHI does not pause or transfer away when organizations change hands. If your home health agency has switched EHR platforms, migrated to a new billing vendor, absorbed a practice, or outsourced any data archiving in the last decade, you may be holding legacy data liabilities you have not fully inventoried — and ShinyHunters is actively looking for exactly that.

  • How ShinyHunters operates: The group identifies organizations holding large volumes of sensitive data, compromises third-party file storage or vendor systems — not always the primary EHR — and exfiltrates quietly before triggering a ransom demand on a tight deadline.
  • Why legacy systems are the entry point: Archived systems often lack the MFA, encryption, and network segmentation that production systems have. They are low-visibility, rarely audited, and frequently forgotten after a platform migration or acquisition.
  • What escalation looks like: ShinyHunters has a documented history of escalating beyond data threats — including DDoS attacks on victim websites and coordinated email flooding — when organizations resist. Once the ransom deadline passes, the group’s leverage shifts to reputational and operational destruction.
  • The HIPAA breach notification clock: Under HIPAA, covered entities have 60 days from discovery to notify affected individuals. For One Medical, that clock started June 13. For any organization that experiences a breach today, the same 60-day window begins immediately — and OCR is watching.

What This Means for Home Health Agencies and Small Medical Practices

You do not need to be Amazon’s size to face this risk. Home health agencies, hospice providers, specialty clinics, and small medical practices frequently operate with fragmented data environments: an older EHR that was never fully decommissioned, a billing vendor who holds archived claim data, a file-sharing system left over from a previous software vendor. Each of those represents exactly the kind of surface area ShinyHunters — and groups like them — actively probe.

  • HIPAA fines for unsecured PHI can reach $1.9 million per violation category — and “I didn’t know that system still held patient data” is not a defense
  • Third-party vendors who archive your data are your Business Associates under HIPAA — their breach is legally your breach
  • Patient trust is the core asset of any home health or primary care practice — a public data leak can devastate referral networks overnight
  • Extortion groups increasingly target mid-size healthcare organizations knowing they lack the legal and PR resources of a large hospital system to manage fallout
  • The OCR breach portal wall of shame lists organizations of every size — no home health agency or small practice is below the radar of federal regulators

Three Steps Healthcare Providers Must Take Now

• Step 1: Conduct an Emergency Audit of All Data Stores — Including Legacy and Third-Party Systems

THE GAP Most home health agencies and small practices cannot answer the question “where does every piece of patient data we’ve ever collected currently reside?” — especially for patients seen three or more years ago, or data held by a vendor who is no longer your primary system.

THE FIX Work with your IT provider to map every location where PHI exists: current EHR, billing system, cloud file storage, email archives, third-party labs and imaging vendors, and any system from a prior platform migration. For each data store, verify: Who controls it? Is MFA enforced? Is it encrypted at rest? Has it been security-reviewed in the last 12 months? For data stores you no longer actively need, begin a documented destruction process under your retention policy.

• Step 2: Review Every Business Associate Agreement for Data Handling and Breach Notification Terms

THE GAP Business Associate Agreements (BAAs) are often signed once and forgotten. Many healthcare providers cannot confirm that every vendor currently holding their patient data has an active, signed BAA — or that the BAA covers the specific system where the data actually sits.

THE FIX Audit every BAA in your files against your current vendor list. For any vendor without a current BAA, stop transmitting PHI until one is executed. Ensure each BAA includes a breach notification clause requiring the vendor to notify you within 60 days of discovering a breach — so your own HIPAA clock starts on time. If a vendor resists updating their BAA, treat that as a serious red flag.

• Step 3: Isolate, Encrypt, or Destroy Data Archives You Are No Longer Actively Using

THE GAP The One Medical breach exploited a passive, unmonitored archive — a system not actively used but still accessible on the network. Data that is not actively used is still a liability if it is accessible. “We don’t use that system anymore” is not the same as “that system cannot be breached.”

THE FIX For archives you must retain under state or federal retention requirements, ensure they are encrypted at rest, network-isolated (not publicly accessible), and covered by your security monitoring. For archives past their retention window, follow a documented secure destruction process and record the destruction. The best defense against a breach of data you no longer need is to no longer have it.

Healthcare Providers: Your Legacy Data Is a Live Liability

ShinyHunters found One Medical Seniors’ forgotten archive. Do you know where yours is? A free IT security assessment can find it before they do.

Get Your Free Security Assessment

Healthcare Cybersecurity You Can Count On — CMIT Solutions

CMIT Solutions works with home health agencies, medical practices, and healthcare-adjacent businesses to identify exactly the kind of hidden legacy risk that brought down One Medical Seniors. From HIPAA risk assessments and Business Associate Agreement audits to managed security monitoring and vendor security reviews, we help small and mid-size healthcare organizations close the gaps that extortion groups like ShinyHunters actively hunt for.

The One Medical breach is a warning, not an anomaly. Extortion groups are systematically targeting healthcare because the data is valuable, the regulatory stakes are high, and the legacy infrastructure problem is widespread. Do not wait to find your forgotten archive on a dark web leak site.

Protect Your Healthcare Practice Today

Healthcare cybersecurity is not just an IT problem — it is a HIPAA obligation, a patient trust issue, and a business survival question.

CMIT Solutions is ready to help you find and close the gaps before an extortion group does.

Schedule Your Free Consultation

Prefer to talk? Call (702) 725-2877 or email LVSupport@cmitsolutions.com

Back to Blog

Share:

Related Posts

Las Vegas skyline — guide to choosing the best managed IT services in Las Vegas

Your 2025 Guide: Best Managed IT Services in Las Vegas | SMB Buyer’s Checklist

Your 2025 Guide: Choosing the Best Managed IT Services in Las Vegas…

Read More
From casino breaches to law firm hacks, here’s what 2025 looks like for Las Vegas cybersecurity — and how local SMBs can defend themselves.

Las Vegas Cybersecurity Threats in 2025

Las Vegas Cybersecurity Threats in 2025: What SMBs Must Know & How…

Read More

How Data Backup Protects You from Ransomware (Las Vegas SMB Guide)

How Data Backup Protects You from Ransomware: A Practical Guide for Las…

Read More