Medtronic is notifying approximately 3.8 million individuals that their personal and health information was exposed in a breach attributed to the ShinyHunters cybercrime group. The company confirmed unauthorized access to certain corporate IT systems on April 24, though it initially stated it had found no connections to customer data.
That picture changed when California’s Attorney General published a copy of Medtronic’s notification letter on June 29. The letter acknowledged that patient data had in fact been compromised, noting that Medtronic collects information on patients who use its devices in order to deliver product updates and meet regulatory obligations.
Data Exposed
According to the notification letter, the following categories of information were accessed by the attackers:
- Social Security numbers
- Health-related data
- Full names
- Contact information
- Dates of birth
Medtronic stated it has found no evidence that the compromised data has been publicly posted or otherwise exposed on the internet. As a remediation measure, affected individuals are being offered 24 months of free credit monitoring, dark web monitoring, and identity theft restoration services.
Broader Pattern in Med Tech
The Medtronic incident is part of a continuing wave of cyberattacks targeting the medical device and med tech sector. Earlier this year, Stryker disclosed that its systems were wiped in a destructive cyberattack carried out by Iran-backed hackers, according to federal prosecutors. That incident had direct operational consequences, disrupting emergency medical services and hospitals in Maryland and prompting some facilities to temporarily cut connections to Stryker systems out of concern over further exposure.
Taken together, these incidents underscore the increasing risk posed to healthcare infrastructure by both financially motivated cybercriminal groups and state-linked threat actors. Organizations handling sensitive patient data face heightened pressure to segment corporate IT systems from device-related data and to accelerate breach detection and disclosure timelines.
