Key Takeaways
- One Medical says a third-party storage system breach exposed archived data from former One Medical Seniors and Iora Health clinics
- ShinyHunters claims it stole 8.8 TB of data, although the group has not yet provided evidence
- The incident underscores rising supply-chain risk tied to legacy healthcare systems and outsourced storage
One Medical, Amazon's primary care subsidiary, disclosed that archived patient information from legacy One Medical Seniors and Iora Health clinics was compromised after a ransomware intrusion into a third-party file storage system. The company traced the incident back to unauthorized access detected on June 13, and an investigation confirmed the scope of exposure shortly afterward. While the threat group ShinyHunters has asserted that it exfiltrated 8.8 terabytes of data, One Medical has not validated this claim and the group has yet to release proof.
The affected records were not part of the organization's current clinical systems. Instead, they sat in an older archive tied to earlier acquisitions and service lines. That distinction matters because healthcare providers still carry large volumes of historical data in platforms that predate modern security practices. Several industry studies over the past three years have consistently pointed to this as a structural issue. The HHS Office for Civil Rights has reported that hacking and IT incidents accounted for more than 79% of large breaches reported under HIPAA in 2023, with a significant portion involving business associates and outdated systems.
Gartner's 2024 research noted that more than 60% of healthcare delivery organizations are expected to depend on third-party cloud or storage providers for clinical archiving by 2027. The projection aligns with the massive growth of imaging data, telehealth records, and legacy EHR content. Yet this reliance introduces a new layer of supply-chain exposure that many hospitals and clinics are still adjusting to. The One Medical breach offers a clear example of how those third-party dependencies can surface unexpectedly.
The HIMSS 2023 Healthcare Cybersecurity Survey found that 67% of healthcare organizations surveyed experienced at least one significant security incident in the preceding 12 months, and legacy technologies were cited as one of the most common weak points. Organizations frequently prioritize investments in active clinical environments, allowing archived systems to drift out of view and become vulnerabilities.
According to the Ponemon Institute's 2023 healthcare-focused research, 64% of organizations believe legacy IT increases both the likelihood and impact of ransomware incidents. This highlights how aging infrastructure tends to accumulate risk over time. When paired with newer third-party storage layers, the overall attack surface can become more complicated than expected.
CommonSpirit Health and Scripps Health both dealt with major ransomware-linked outages in recent years, and each incident involved some combination of aging platforms and external vendor dependencies. These events differ in scale and technical specifics, but the pattern is familiar enough that many providers now view legacy decommissioning and vendor oversight as strategic priorities rather than routine IT maintenance.
Incidents like the one disclosed by One Medical raise questions about how deeply older archives are mapped and whether third-party partners monitor them with the same rigor applied to live clinical systems. Healthcare is governed by complex and often state-specific retention laws, leading providers to retain data far longer than strictly necessary. Over time, this creates a larger pool of material vulnerable to exposure, even when daily operations are well protected.
The HIPAA Security Rule and Breach Notification Rule, administered by HHS OCR, remain the primary frameworks for evaluating risk and reporting requirements. Many organizations also reference the NIST Cybersecurity Framework to shape their remediation strategies, especially when working through the intricacies of legacy and vendor environments. Both offer a structured path for assessing gaps that might otherwise go unnoticed.
One Medical continues its forensic analysis, coordinating with the affected third-party provider, and will notify impacted individuals as required under federal rules. The company has not released details on the types of data involved or the number of patients affected, which is typical this early in an investigation. What emerges from that process may influence how other Amazon Health entities evaluate their own archived datasets.
ShinyHunters, which has been responsible for a range of high-profile breaches across industries, often makes large data theft claims as a tactic. Whether the group actually accessed the volume it alleges in this case remains unverified. Still, the claim alone can complicate communication efforts while an investigation is underway.
Legacy environments and third-party storage layers are emerging as some of the more difficult risk areas to manage. They sit behind the scenes, operate quietly, and rarely draw attention until something goes wrong. The One Medical breach illustrates how these often overlooked layers can unexpectedly become the center of an organization's security posture.
⬇️