Abbott Laboratories is investigating two separate cybersecurity incidents after confirming unauthorized access to internal legacy Exact Sciences systems within its Cancer Diagnostics business, while also probing a second, unconfirmed claim involving its LabCentral customer portal.

The Cancer Diagnostics incident came to light after the extortion group ShinyHunters added Abbott to its data leak site, initially setting a July 18 deadline for negotiation before extending it to July 21. Abbott confirmed the breach in a public statement, saying there was unauthorized access to “a limited number of internal systems” in the Cancer Diagnostics unit, and that the incident has not affected business operations, manufacturing, lab operations, or patient care. The company said the affected legacy Exact Sciences systems are separate from Abbott’s core infrastructure, and that it has activated incident response procedures, engaged outside cybersecurity experts, and notified law enforcement. Abbott does not expect a material financial impact.

ShinyHunters told BleepingComputer it gained initial access through a vishing (voice phishing) attack on several Abbott employees in mid-June, ultimately compromising a Microsoft Entra single sign-on account. The group said this allowed it to pivot into connected SaaS platforms including ServiceNow, SharePoint, Databricks, and Coupa. It claims to have exfiltrated internal documents, contracts, customer information, more than 30 million rows of PII (including over one million Social Security numbers), over 22 million client notes containing doctor-patient conversations, and more than 20 million medical orders. BleepingComputer has not independently verified these claims.

Second claim: LabCentral portal

A separate threat actor calling itself ShadowByt3$ separately contacted BleepingComputer, claiming to have breached Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal using compromised customer credentials. The actor says it gained access on July 4, 2026, and slowly exfiltrated data via API endpoints, allegedly obtaining CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, and assay files, though not customer data.

Abbott acknowledged awareness of a “potential” incident but disputed the sensitivity of the data involved, stating that LabCentral is an externally hosted, publicly facing portal containing only publicly available technical reference documents, not proprietary or customer information.

Neither group has yet publicly released the data it claims to have stolen. ShinyHunters has escalated attacks against medtech and healthcare-adjacent firms this year, previously linked to breaches at Medtronic, OneMedical, AdaptHealth, iRhythm, and an attempted intrusion at Stryker. The group’s tactics typically involve social engineering against Microsoft Entra, Okta, and Google SSO accounts to reach downstream SaaS applications such as Salesforce, Microsoft 365, SAP, and Slack.