Three breaches in one week, and your medical records are the target

Three companies disclosed breaches in one week, and medical data was the target. Why thieves want it, and the free steps that limit the damage.

In one week this June, three names you would recognize landed in data breaches. One Medical, the primary care chain Amazon owns. Kodak. And Novo Nordisk, the company behind Ozempic and Wegovy. Three industries. One week. And in every case, the data at risk was personal and medical.

This is not a run of bad luck. Health records have become one of the most sought-after things to steal, and a credit card shows you why. A stolen card is a quick fix. Cancel it and the problem ends. You cannot cancel your medical history, your Social Security number, or your date of birth. They do not expire and they do not reissue. That permanence is what makes them so valuable.

Confirmed vs. claimed

The three are not the same kind of event, and One Medical is the clearest example of why.

The company confirmed that someone got into a third-party storage system holding archived records from Iora Health, a senior-care group it absorbed years ago. It says a limited number of patients were affected. That is the confirmed part.

Then there is the claim. An extortion crew says it took 8.8 terabytes and has threatened to publish unless One Medical pays by June 22. No sample data backs that up. One figure comes from the company telling you what it found. The other comes from the people who stole the data and want to get paid. Those are very different things, and they tend to share a headline.

Novo Nordisk is the heavier confirmed case. Intruders reached its internal systems and took clinical trial data. The hackers who claimed it say they were inside for about two months. Kodak rounds out the week with a confirmed breach of its own. Back in May, New York City's public hospital system disclosed that attackers took medical data and fingerprints on more than 1.8 million people, through a vendor it has not named.

For most of us, none of this is preventable. The breach happens inside a company you handed your information to, often through a vendor you have never heard of, on a system you will never log into. You cannot freeze Amazon's vendors for them. You can freeze your own credit. Unfortunately, the steps you can take are reactive, not proactive.

A few steps you can take

Freeze your credit. A freeze locks new lenders out of your file, which is what stops someone opening accounts in your name. It is free at all three bureaus (Equifax, Experian, and TransUnion), and you lift it just as easily when you need credit. Monitoring only tells you after someone has used your information. A freeze stops them first.

Read the breach notice, do not skim it. When a company notifies you, it has to say what was taken. Names and birthdates are one problem; Social Security numbers and medical records are a worse one. The notice also spells out what you are owed, often free monitoring. And "limited," in a company statement, means the company believes few people were hit. It does not mean you are in the clear.

Check your explanation of benefits. That is the summary your insurer sends after it pays a claim, the one listing the care that got billed (on Medicare it arrives as a Medicare Summary Notice). Read it. Care you never received, billed under your name, is the clearest sign someone is using your medical identity. Most people toss these. Do not.

Treat any surprise bill or account message as suspect. A health breach feeds the next scam real details about you, so a text about a bill you half-recognize seems more legitimate than generic spam. Slow it down. Hang up. Find your provider's number yourself, and call them. If you owe them money, they'll wait. (Same instinct as spotting a phishing email: verify through a channel you chose, not the one they handed you.)

Use IdentityTheft.gov if something is already wrong. It is the FTC's free walk-through for identity theft, and it generates the reports and letters you will need. Faster than improvising.

If you run a business, there is a different angle. The One Medical access came through a third-party storage system. The New York hospital breach came through an unnamed vendor. Neither started at the front door. The companies you hand customer data to are part of your own attack surface, whether you vetted them or not.

None of these steps will stop a breach. The company holds the data, loses the data, and mails the letter. The cleanup falls to you. Luckily, it is mostly free and mostly quick. Freeze the credit. Read the notices. Watch your own statements. You cannot control the breach, but you can control what happens after it.

Have you frozen your credit yet, or is it one of those things still on the list? And if you have ever opened a breach notice and couldn't tell how worried to be, tell me about it.

Source: One Medical breach disclosure and the ShinyHunters extortion claim, reported by Cybernews, plus One Medical's own notice. Novo Nordisk and Kodak: the June 2026 breach reporting cluster (Novo Nordisk's disclosure). NYC Health + Hospitals: TechCrunch, May 2026. Reader steps: the FTC's credit-freeze guidance and IdentityTheft.gov.
