Cyber Incident Victim: One Medical
Date:
Sep 2022
Location:
United States of America
Summary
A healthcare provider experienced a data breach where unauthorized access exposed patients' names, addresses, Social Security numbers, and medical information, potentially including protected health information under HIPAA. The incident affected at least 964 individuals in Texas and an undetermined number nationwide, with compromised data containing identifiers that could lead to identity theft or medical fraud.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 9, 2022, One Medical, Inc., a Sherman, Texas-based healthcare provider operating an urgent care facility, confirmed a data breach involving unauthorized access to sensitive consumer information. The compromised data included names, addresses, Social Security numbers, and medical information, though the specific nature of the medical data was not detailed in the company’s filing with the Texas Attorney General. One Medical dispatched breach notification letters to affected individuals on the same date, confirming 964 impacted Texas residents while leaving the total national victim count undisclosed. The breach exposed multiple identifiers that could qualify as protected health information (PHI) under HIPAA regulations, including demographic and medical record details combined with personal identifiers. No technical specifics regarding the attack vector, intrusion timeline, or system vulnerabilities were disclosed in the available reporting. The company’s public response was limited to breach notifications without additional mitigation measures or operational adjustments being described in the source material.
The incident created risks of identity theft, medical fraud, and financial harm due to the exposure of Social Security numbers and potential PHI containing at least 12 HIPAA-defined identifiers such as names, addresses, dates more specific than years, and medical record numbers. While One Medical did not confirm whether clinical data like test results or treatment histories were compromised, the breadth of exposed identifiers enabled potential misuse for fraudulent medical services or insurance claims. The breach occurred within a broader 2022 healthcare threat landscape where over 55 million Americans had sensitive data compromised, with healthcare breaches specifically affecting more than 2 million individuals that year prior to September. One Medical’s notification letters advised affected parties to take unspecified protective measures but did not disclose whether credit monitoring or identity theft protection services were offered. No law enforcement involvement, regulatory penalties, or legal actions were referenced in the available documentation of the incident.