Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack
A consolidated class action lawsuit against the medtech company Stryker over a March 2026 cyberattack has been voluntarily dismissed by the plaintiffs, shortly after Stryker filed a motion to dismiss the lawsuit, alleging a lack of standing.
The Iranian hacktivist group Hamdala targeted Stryker in response to the military action in Iran by the United States and Israel. The hackers breached certain Stryker systems, stole around 50 terabytes of data, and permanently erased 12 petabytes of data on around 200,000 company devices. The attack caused considerable disruption, taking systems out of action for weeks.
Eight current and former Stryker employees took legal action against the company alleging that their personal information was compromised in the attack. The lawsuits started to be filed within hours of Stryker announcing the cyberattack, before Stryker had completed its investigation. While a significant amount of data was stolen in the attack, Stryker said its forensic investigation found no evidence to suggest that any of the plaintiffs’ data was compromised.
Stryker searched for the plaintiffs’ personally identifiable information (PII) in the compromised files and found the business email addresses of two of the plaintiffs, but no PII. None of the plaintiffs received a notification from Stryker informing them that their PII was involved, but despite that, the plaintiffs took legal action against the company seeking to represent a class of individuals whose PII was compromised. On June 22, 2026, Stryker filed a motion to dismiss the class action litigation.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In its motion to dismiss, Stryker said the employees started filing lawsuits 48 hours after the cyberattack was announced on March 11, 2026, and that they speculated that their names, Social Security numbers, unspecified financial account information, unspecified health insurance information, and unspecified driver’s license information were compromised in the incident. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, breach of confidence, and declaratory judgment.
Stryker said the plaintiffs vaguely alleged that they had been injured as a result of the incident; however, those injuries were theoretical. Six of the plaintiffs alleged that their PII had been misused, speculating that it was due to the cyberattack on Stryker, but they failed to allege sufficient detail to link the misuse of their data to the Stryker cyberattack. Stryker determined that their PII had been exposed in numerous prior data breaches, including their Social Security numbers. Two of the plaintiffs had their PII exposed in at least 20 prior data breaches.
Stryker maintains that the incident did not involve devices or systems connected to its customers, although the attack did impact its electronic ordering system and other related systems used by its clients. The cyberattack has been reported to the U.S. Securities and Exchange Commission (SEC); however, the company has not issued breach notifications to the HHS’ Office for Civil Rights or state attorneys general at the time of publication.
The eight class action lawsuits filed by employees were consolidated into a single action – In re Stryker Corporation Cyberattack Litigation – in the U.S. District Court for the Western District of Michigan, Southern Division. The plaintiffs opted to voluntarily dismiss the consolidated lawsuit on June 29, 2026. U.S. District Court Judge Hala Jarbou has signed an order dismissing the employees’ claims without prejudice. Should Stryker determine that the plaintiffs’ PII was compromised in the incident, the lawsuits can be refiled.


