Medtronic Announces Cyberattack and Data Breach
Medtronic, the world’s largest medical device manufacturer, has announced a cybersecurity incident involving the theft of company data. What is currently unclear is whether the Medtronic data breach involved protected health information. As such, it is unclear whether the incident is a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA), although it is reportable under the U.S. Securities and Exchange Commission’s (SEC) public company cybersecurity disclosure rules.
On April 24, 2026, Medtronic announced the incident and confirmed in a Form 8-K filing with the SEC that there had been a cyber intrusion involving the theft of corporate data. Medtronic has engaged a leading cybersecurity firm to assist with the investigation and is working to identify any personal information that may have been exposed or stolen in the incident. Should that prove to be the case, notifications will be issued, and resources will be made available to assist the affected individuals.
Medtronic said the incident affected only parts of its network and confirmed that the networks that support its corporate IT systems, products, manufacturing, and distribution operations are separate, as are the systems that support hospital customer networks, which are secured and managed by its customers’ IT teams. According to the SEC filing, Medtronic does not believe the incident will have any material impact on its operations or financial position. Medtronic is continuing to meet customer needs, and its products, patient safety, customers’ connections, manufacturing and distribution operations, and financial reporting systems are all fully operational.
While investigating the incident and reviewing the data, Medtronic is simultaneously assessing its current security measures and working on ways to optimize security to prevent similar incidents in the future. Medtronic has not released any information about the nature of the incident, such as how access was gained, only that the intrusion was detected on April 14, 2026, and that corporate data was exfiltrated.
This has the potential to be a colossal healthcare data breach, given that Medtronic’s products are used by around 79 million individuals worldwide. It is unclear if ransomware was used in the attack, although there has been a claim from a threat group. ShinyHunters, a group well known for extortion and ransom attacks, added Medtronic to its data leak site and threatened to leak the stolen data if the ransom was not paid by April 21, 2026. The listing has since been removed, which, if the group’s claim is legitimate, suggests that a ransom was paid. ShinyHunters claimed that the data exfiltrated in the incident included around 9 million records, including personally identifiable information, and that terabytes of data were exfiltrated in the attack.
Medical device manufacturers store large volumes of patient data and are an attractive target for cybercriminals. So far this year, at least 3 other medical device companies have announced cyberattacks and data breaches – UFP Technologies, TriMed, and Stryker.
