ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public. In response to the breach, One Medical said it has revoked all user access, is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.

The post ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data appeared first on The HIPAA Journal.

New HHS-OIG Exclusions

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has announced new additions to its List of Excluded Individuals and Entities (LEIE). The LEIE, often referred to as the HHS-OIG exclusion list, is a centralized registry for individuals and entities that have been prohibited from participating in federally funded healthcare programs, including Medicare and state healthcare programs.

There are mandatory exclusions for individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for other health care-related fraud, theft, or other financial misconduct, and felony convictions related to the unlawful manufacture, distribution, prescription, and dispensing of controlled substances. HHS-OIG also has the authority to exclude individuals and entities on other grounds, termed permissive exclusions. Reasons for permissive exclusions include misdemeanor convictions, engaging in unlawful kickbacks, suspension or revocation of a healthcare license, and defaulting on health education loans or scholarship obligations.

If an excluded individual or entity continues to work in the healthcare industry and participates in a federally funded healthcare program, they can face criminal prosecution, fines, permanent loss of licensure, or debarment. An employer can face substantial civil monetary penalties, treble damages for all items and services claimed in connection with that individual or entity, and potentially loss of all federal funding or costly and highly intrusive ongoing monitoring by HHS-OIG.

Each healthcare entity is responsible for ensuring that no new hires or existing employees are excluded. The LEIE must be checked prior to any hire, and routine checks should be conducted to ensure that no current employee has been added to the LEIE.

The following entities and individuals have recently been added to the LEIE:

Myers Southern – Myers Southern, LLC, of Bartow, Florida, was excluded for a period of 7 years from participation in federally funded health care programs for failing to respond to an HHS-OIG subpoena that was necessary to determine whether Medicare payments were due, and the amounts associated with those payments.

Dr. Nathan Hanflink and Pain Management Institute – Dr. Nathan Hanflink and Pain Management Institute in Florida have been excluded from participation in federally funded healthcare programs for 5 years following an HHS-OIG investigation that determined they submitted claims to Medicare Part B for chronic care management services that were never rendered.

Sunshine Care Partners and Rusty McMurray – Sunshine Care Partners, and owner Rusty McMurray have been excluded from participation in healthcare programs for 10 years after knowingly submitting claims for complex chronic care management services for individuals who were never provided with those services. According to HHS-OIG, those complex care management services only involved having employees take the temperature of all individuals entering the facility, sanitizing and cleaning front desk areas, and organizing paperwork.

The post New HHS-OIG Exclusions appeared first on The HIPAA Journal.

Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit

A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI).

MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security numbers, driver’s license numbers, government-issued ID numbers, health information, and health insurance information. When the ransom was not paid, the LockBit group proceeded to leak the stolen data. The affected individuals were notified about the data breach in late May 2023.

A data breach of this scale was certain to trigger multiple class action lawsuits, the first of which was filed on June 5, 2023. In total, the defendants were named in 25 putative class action lawsuits. The lawsuits were materially and substantively identical, with overlapping claims, and on July 13, 2023, the lawsuits were consolidated into a single action – Crowe et al. v. Managed Care of North America Inc. d/b/a MCNA Dental, MCNA Insurance Company dba MCNA Dental, and Healthplex, Inc. – in the United States District Court for the Southern District of Florida.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of state consumer protection statutes, and declaratory and injunctive relief. No settlement was reached during court-appointed mediation, and the defendants sought to have the case dismissed. The lawsuit survived, and extensive discovery and litigation followed, along with a second failed attempt at mediation. After extensive subsequent settlement discussions, the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, with no admission of liability or wrongdoing by the defendants. The defendants have agreed to establish a multi-million-dollar settlement fund to pay benefits to the class members, attorneys’ fees (up to $6,400,000), attorneys’ expenses (up to $1,313,000), and settlement administration costs (up to $2,000,000). The total value of the settlement has not been made public.

Class members may submit a claim for reimbursement of documented losses due to the data breach up to a maximum of $2,500 per class member; however, these claims have been capped at a total of $250,000. Class members are eligible to claim two years of medical data monitoring services, which include a $1 million identity theft reimbursement policy. These services have a retail cost of $179.40 per year for each class member who enrolls. In addition to paying the costs and benefits, MCNA has agreed to take several steps to improve security and has updated its business practices to reduce the risk of similar breaches in the future.

While all parties have agreed to the terms of the settlement, it has yet to receive preliminary approval from the court. The dates for objection, exclusion, and submitting claims will be set when and if the court approves the settlement. Class members will start to be notified directly about the settlement within 30 days of the court’s preliminary approval order. The notifications will include information on how to submit a claim and a code to activate the medical data monitoring service.

The post Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit appeared first on The HIPAA Journal.

Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures

The national retail company Spencer Gifts LLC has agreed to a $450,000 settlement to resolve alleged violations of the HIPAA Rules that OCR identified while investigating a data breach affecting 10,023 members of its employer-sponsored group health plan (Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans).

In November 2021, staff were prevented from connecting to the company’s virtual private network. The IT issue was investigated, and the access issues were determined to be due to a ransomware attack. A threat actor had accessed the company’s network between November 24, 2021, and November 26, 2021, and used ransomware to encrypt files, including files on servers that stored plan members’ electronic protected health information (ePHI). Data exposed and potentially stolen in the incident included names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR was notified about the data breach on January 24, 2022.

OCR investigates all reported breaches affecting 500 or more individuals to determine whether they were the result of HIPAA noncompliance. Under its current enforcement initiative, OCR is laser-focused on the risk analysis provision of the HIPAA Security Rule. OCR requires evidence to demonstrate that a regulated entity has conducted a thorough and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

OCR determined that Spencer Gifts had failed to conduct a HIPAA-compliant risk analysis, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Spencer Gifts was also found to have failed to implement policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules, in violation of 45 C.F.R. § 164.316(a) and 45 C.F.R. § 164.530(i)(1).

OCR determined that the HIPAA violations warranted a financial penalty. Spencer Gifts was informed of OCR’s determination and intention to impose a financial penalty, and the health plan was given the opportunity to settle the alleged violations informally. Spencer Gifts agreed to pay a $450,000 financial penalty and adopt a corrective action plan to address the alleged areas of noncompliance.

The corrective action plan requires Spencer Gifts to conduct a comprehensive and accurate risk analysis, review and update its HIPAA policies and procedures, distribute those policies and procedures to the workforce, and provide HIPAA training to its workforce.

This is the 20th OCR investigation of a ransomware attack resulting in a financial penalty for noncompliance with the HIPAA Rules, the 14th enforcement action under OCR’s risk analysis enforcement initiative, and the 7th HIPAA penalty to be announced this year. So far this year, OCR has collected $1,728,000 in penalties to resolve alleged violations of the HIPAA Rules from three healthcare providers, two health plans, and two business associates.

The post Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures appeared first on The HIPAA Journal.