Full Report
Amazon bought One Medical for $3.9 billion in 2023 in its bid to bring transformational healthcare experiences to patients through a network of onsite and virtual primary care services. It serves employees of more than 8,500 U.S. clients. Now, prolific digital extortion gang ShinyHunters is threatening to dump 8.8 terabytes of data it allegedly stole…
Analysis Summary
# Incident Report: Extortion Threat Against Amazon One Medical by ShinyHunters
## Executive Summary
In June 2026, the prolific cybercriminal group ShinyHunters claimed to have exfiltrated 8.8 terabytes of data from Amazon’s healthcare subsidiary, One Medical. The group has threatened to leak the data and cause further operational disruptions if unspecified demands are not met. The incident potentially impacts thousands of corporate clients and millions of patients reliant on One Medical’s primary and virtual care services.
## Incident Details
- **Discovery Date:** June 18, 2026 (Date of public threat post)
- **Incident Date:** Ongoing / June 2026
- **Affected Organization:** Amazon One Medical
- **Sector:** Healthcare
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Undisclosed (Likely credential theft or cloud misconfiguration, common in ShinyHunters' history)
- **Details:** The exact point of entry has not been publicly specified by the group or Amazon.
### Lateral Movement
- Not disclosed in the initial report; however, the volume of data (8.8 TB) suggests broad access across One Medical’s data storage environments or cloud infrastructure.
### Data Exfiltration/Impact
- ShinyHunters claims to have stolen 8.8 terabytes of sensitive data.
- The group threatened to release the data publicly by June 22, 2026.
### Detection & Response
- **Discovery:** Public post by ShinyHunters on their leak site on Thursday, June 18, 2026.
- **Response Actions:** Amazon has not publicly detailed internal mitigation steps as of the reporting date. The group explicitly warned of "annoying digital problems" if its demands are ignored.
## Attack Methodology
- **Initial Access:** Not disclosed (ShinyHunters frequently uses stolen API keys or leaked credentials).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential theft of credentials facilitating access to cloud repositories.
- **Discovery:** Scanning of network data stores and patient record databases.
- **Lateral Movement:** Not disclosed.
- **Collection:** Gathering 8.8 TB of healthcare and organizational data.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure.
- **Impact:** Extortion and threat of data leak.
## Impact Assessment
- **Financial:** Potential for massive regulatory fines (HIPAA) and a significant loss of value on the $3.9B acquisition investment.
- **Data Breach:** High risk; 8.8 TB of medical records, PII, and corporate data.
- **Operational:** Threat of "digital problems" suggests potential DDoS attacks or further service disruption.
- **Reputational:** High; threatens patient trust in Amazon’s healthcare expansion and the security of 8,500+ corporate clients.
## Indicators of Compromise
- **Network indicators:** hxxp[://]shinyhunters[.]onion (Leak site - defanged)
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Large-scale outbound data transfers to unauthorized external IPs.
## Response Actions
- **Containment:** Likely isolation of affected database servers and revocation of compromised API keys/tokens.
- **Eradication:** Investigation into the footprint left by the actors to ensure no dormant backdoors remain.
- **Recovery:** Restoration of data from secure backups if any deletion occurred; implementation of forced password resets.
## Lessons Learned
- **Cloud Security is Critical:** For an entity the size of Amazon, securing subsidiary cloud environments is as vital as the parent company's core infrastructure.
- **M&A Risks:** Acquisitions (One Medical) often bring legacy security vulnerabilities that must be rigorously audited post-merger.
- **Extortion Evolution:** Groups like ShinyHunters are forgoing encryption (traditional ransomware) in favor of pure data theft and public shaming.
## Recommendations
- **Zero Trust Architecture:** Implement strict identity-based access controls to prevent bulk data exfiltration.
- **DLP Implementation:** Deploy Data Loss Prevention (DLP) tools to flag and block the transfer of multi-terabyte data volumes to unknown destinations.
- **IAM Audit:** Conduct a comprehensive audit of all IAM roles and API keys associated with One Medical’s AWS environment.
- **Third-Party Risk Management:** Notify the 8,500+ corporate clients to ensure their own integration points with One Medical are secured.