Ads like the one below are popping up online. They are similar to other ads we have warned about, such as the Cargurus, Questrade, and Morgan & Morgan Athletic Privacy lawsuit ads that are becoming prevalent online.
Now is the time to get compliant and avoid data privacy issues arising from non-compliance. Get a free privacy audit and see if you are at risk.
If you’re a patient of One Medical, One Medical Seniors, or Iora Health and you’ve recently seen ads or received an email about a “data breach investigation,” here’s what’s actually going on — and what you should think carefully about before you click anything or hand over your information.
This article breaks down the One Medical breach itself, explains what law firms like the one behind DataPrivacyJustice.com are doing with it, and gives you the full picture so you can make an informed decision.
First, the Warning
If you’ve landed on a site like DataPrivacyJustice.com after seeing a targeted Instagram or social media ad about the One Medical breach, you should know upfront what that site is: it is an attorney advertising platform run by New York-licensed attorney Adam Harris, designed to identify and recruit plaintiffs for a potential class action lawsuit. That is not inherently a bad thing — class action litigation is a legitimate legal mechanism and data breach victims do have real rights. But the ads and pages are built to feel urgent, and urgency can lead to rushed decisions. Before you fill out any form, understand that submitting your information does not immediately give you legal representation or create an attorney-client relationship. It puts you in a lead intake pipeline. Your case may or may not be accepted. You may be added to a marketing communications list. And the ultimate recovery, if any, may be modest. Go in with eyes open.
What Happened: The One Medical Data Breach
On or around June 13, 2026, One Medical — the Amazon-owned primary care organization operated by 1Life Healthcare, Inc. — discovered that an unauthorized party had gained access to a third-party file storage system. That system was used to retain archived records from two of its business lines: One Medical Seniors and Iora Health, the Medicare-focused practice that One Medical acquired in 2021. One Medical has publicly stated that the incident affected the patient files of a “limited number” of individuals — but as of the time of writing, the company has not disclosed the total number of people affected, nor has it published a detailed breakdown of exactly what data elements were compromised.
There is also a separate, unverified claim. A threat actor group known as ShinyHunters has publicly claimed responsibility for the breach and has threatened to release data it says it took from One Medical. As of this writing, that claim has not been independently confirmed, and One Medical has not publicly validated the scope the group is asserting. The investigation remains ongoing.
What Data May Have Been Compromised
Because One Medical has not yet published a complete list of compromised data elements, the full scope of the exposure isn’t confirmed. However, given that the affected system held archived patient files for a primary care and Medicare-focused practice, the types of information that could be involved include:
- Names and contact information
- Dates of birth
- Health and medical treatment information
- Health insurance and billing information
Who Is Most at Risk
Based on what One Medical has disclosed, the patients most likely to have been affected are those who received care through One Medical Seniors or through Iora Health before or after One Medical’s 2021 acquisition of that practice. If you were a patient of either of those services — particularly if you received Medicare-focused primary care — your archived patient records may have been stored in the affected system. One Medical has also indicated that if you receive a breach notification letter from the company, you are almost certainly among those affected. If you have not received a notification but believe you were a patient of these services, it is worth monitoring your credit, reviewing your health insurance statements for any unfamiliar claims, and considering a credit freeze as a precautionary measure.
What the Law Firms Are Doing — and Why
Within days of the One Medical breach becoming public, plaintiff law firms had already published investigation pages and begun running targeted ads — on Instagram and other platforms — aimed at One Medical patients. The DataPrivacyJustice.com page went live on June 18, 2026, just five days after the breach was discovered. This is standard practice in the data breach litigation space. Plaintiff attorneys monitor breach disclosures closely — including notifications filed with state attorneys general and with the U.S. Department of Health and Human Services (since One Medical handles protected health information subject to HIPAA). As soon as a breach becomes public, they move quickly to identify potential class members.
The model is a contingency fee arrangement: the attorneys cover the costs of litigation, and if the case succeeds — either through a settlement or a judgment — they take a percentage of the recovery. Individual class members typically receive a smaller payout, but the goal of the litigation is broader accountability. Companies that face financial and reputational consequences for inadequate data security are more incentivized to invest in better protections.
The Compliance Angle: What One Medical’s Breach Tells Us
For compliance and privacy professionals, the One Medical breach carries several important lessons worth examining.
Third-party storage risk is real and underestimated. The breach didn’t originate in One Medical’s core systems — it involved a third-party file storage system used for archived records. This is a pattern that appears repeatedly in healthcare breaches. Archived records are often treated as lower-priority from a security standpoint precisely because they’re not actively in use, and the third-party vendors that manage them may not be held to the same security standards as primary systems. HIPAA’s Business Associate Agreement requirements exist precisely to address this gap — but having a BAA doesn’t guarantee adequate controls.
Acquisitions inherit liabilities. Iora Health’s patient records were still in play years after One Medical’s 2021 acquisition. When organizations acquire other companies, they absorb not just assets and customers but also legacy data infrastructure, legacy security practices, and legacy exposure. A thorough data privacy due diligence process should map all data repositories, including those used for archived records, and assess their security posture before the acquisition closes — not years later.
Disclosure ambiguity has a cost. One Medical’s statement that the breach affected a “limited number” of individuals — without a concrete figure — is legally defensible in the early stages of an investigation, but it creates uncertainty for patients who need to know whether to act. Ambiguous disclosures also tend to fuel speculative claims, as evidenced by the unverified ShinyHunters assertion that followed. Clearer, faster disclosure — even if it means updating patients in stages — generally serves both patients and organizations better in the long run.
What Should Affected Patients Actually Do?
If you believe you may have been affected by the One Medical breach, here are practical steps to take — independent of whether you choose to engage with any law firm:
- Watch for a notification letter. One Medical is required to notify affected individuals. If you receive one, read it carefully — it will contain specific information about what was exposed and what One Medical is offering (often free credit monitoring).
- Review your health insurance statements. Look for any claims or services you don’t recognize — this can be an early sign of medical identity theft.
- Consider placing a credit freeze. It’s free at all three major bureaus (Equifax, Experian, TransUnion) and prevents new accounts from being opened in your name.
- Be skeptical of follow-up contact. Scammers often exploit high-profile breaches to conduct phishing campaigns targeting breach victims. Be cautious of any unsolicited calls, emails, or texts claiming to be from One Medical or a law firm about your breach.
- If you’re considering legal action, consult more than one attorney. You’re not obligated to use the first firm that advertised to you. Research your options.