Medtronic has begun sending breach notification letters to 3,834,294 individuals following a corporate network intrusion attributed to the ShinyHunters extortion group. The incident, which took place in April 2026, resulted in the theft of personal and medical information including names, contact details, dates of birth, Social Security numbers, and health-related data.
What Happened
ShinyHunters added Medtronic to its Tor-based leak site on April 17, claiming the theft of more than 9 million personal records and terabytes of corporate data. The company confirmed the attack in late April, stating that its products, manufacturing operations, and distribution systems were not impacted. In the notification letter it submitted to the California Attorney General’s Office, Medtronic states that it has no evidence that compromised data was posted publicly or exposed on the open internet.
The group has since removed Medtronic from its leak site, a pattern often associated with a ransom payment, though Medtronic has not publicly confirmed or denied making any payment.
Data Exposed
- Full names and contact information
- Dates of birth
- Social Security numbers
- Health-related details and medical information
Medtronic’s Response
Affected individuals are being offered 24 months of free credit monitoring, dark web monitoring, and identity theft restoration services. Medtronic stated it has implemented additional security safeguards, engaged third-party cybersecurity experts, coordinated with law enforcement, and is notifying relevant regulatory authorities.
ShinyHunters is a well-established threat actor known for large-scale data theft and extortion campaigns targeting organizations across multiple sectors. This incident underscores the ongoing risk that corporate IT infrastructure at healthcare and medical technology companies poses, even when operational and manufacturing systems remain unaffected. Security teams at organizations holding large volumes of sensitive patient data should review segmentation between corporate IT and regulated data environments as a priority control.
