25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Medtronic Notifies 3.8M Individuals About April 2026 Cyberattack

Medtronic has started issuing notifications to individuals affected by an April 2026 cyberattack. The ShinyHunters threat group claimed responsibility for the cyberattack and alleges that more than 9 million records containing personally identifiable information (PII) were stolen.

Medtronic explained in the notification letters that it learned about the intrusion on April 15, 2026, when suspicious activity was identified within certain corporate IT systems. Assisted by leading third-party cybersecurity experts, Medtronic confirmed unauthorized access to certain IT systems from April 13 to April 19, 2026. The medical devices manufactured by Medtronic collect patient data. The review of that data confirmed that names, contact information, dates of birth, Social Security numbers, and health-related information may have been impacted. At the time of issuing the notification letters, Medtronic said it was unaware of any release of the stolen data on the public Internet.

Medtronic confirmed that it takes privacy and security seriously and had implemented many safeguards to protect its systems and patient data prior to the attack, and has since implemented additional safeguards to enhance security and is continuing to work with cybersecurity experts to identify further opportunities to strengthen its security posture.

The affected individuals have been offered 24 months of complementary credit monitoring and identity theft protection services, which include dark web monitoring for the release of their data, identity theft restoration services, healthcare insurance plan ID monitoring, Medicare beneficiary ID monitoring, and an insurance policy providing identity theft reimbursement of up to $1 million ($0 deductible).

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Medtronic did not name the group behind the attack. The data breach has been reported to state attorneys general including California, Massachusetts, Texas, Oregon, and Vermont. The Oregon Attorney General was informed that 3,834,294 individuals were affected. The incident has yet to be added to the HHS’ Office for Civil Rights breach portal. The websites of other state attorneys general show that 297,307 Texas residents were affected, as were 63,534 Massachusetts residents, and 8,668 Vermont residents. Several class action lawsuits have already been filed over the data breach.

April 28, 2026: Medical Device Maker Medtronic Announces Data Breach

The medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026, and said the attack was quickly contained and its incident response protocols were activated.

Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world’s largest medical device company by revenue, which was $33.5 billion in fiscal year 2025. The company operates in more than 150 countries, employs around 95,000 people worldwide, and serves around 79 million patients annually.

The hackers only accessed a limited portion of its network. Medtronic confirmed that the networks that support its corporate IT systems, products, manufacturing, and distribution operations are separate. Further, hospital customer networks are separate from Medtronic IT networks and are secured and managed by customers’ IT teams. A leading cybersecurity firm has been engaged to investigate the incident and support its investigation and remediation efforts. At present, there has been no identified impact on its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, and the company is continuing to meet patient needs.

What is not currently known is whether personal or protected health information was accessed or stolen in the incident. If such information has been accessed or stolen, the affected individuals will be identified, and notifications will be issued, and support services will be made available. While mitigating the incident, Medtronic said it is simultaneously working on identifying additional ways that it can optimize system security to prevent similar incidents in the future.

Medtronic is a publicly traded company and is therefore required to notify the U.S. Securities and Exchange Commission (SEC) about material events that may affect shareholders. Its Form 8-K filing with the SEC, Medtronic states that the incident is not expected to have a material impact on its business or financial results. Prior to the announcement and SEC filing on April 18, 2026, the ShinyHunters data theft and extortion group claimed responsibility for the attack. The group claimed to have exfiltrated terabytes of Medtronic data, including personally identifiable information.

ShinyHunters claimed to have stolen more than 9 million records containing PII, although that claim has not been verified by Medtronic. ShinyHunters said it would publish the stolen data if the ransom was not paid by April 21, 2026. The amount of money demanded has not been made public. Medtronic has been removed from the ShinyHunters data leak site, which suggests that the ransom has been paid, although Medtronic has not confirmed whether that is the case.

“This incident highlights a recurring pattern where attackers prioritize corporate IT environments as an entry point, knowing they often contain high-value data but are less rigorously segmented than production or patient-facing systems. Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing, and supply chain exploitation. In healthcare, “no operational impact” does not mean “no risk”; sensitive data exposure can have long-term downstream consequences.” said, Ensar Seker, CISO at SOCRadar. “From a defender’s perspective, this reinforces the need to treat corporate IT systems with the same level of scrutiny as clinical or operational environments. Strong identity controls, strict network segmentation, and continuous monitoring of data exfiltration paths are critical. Additionally, organizations should assume that groups like ShinyHunters will attempt to monetize even partial or low-sensitivity datasets, so rapid validation, transparent communication, and proactive threat intelligence engagement are essential to reduce reputational and regulatory fallout.”

Medtronic is not the only medical device manufacturer to experience a data breach this year. In January 2026, Massachusetts-based UFP Technologies, a manufacturer of devices and components for wound care, implants, and orthopedic and surgical products, notified the SEC about a cyberattack and data breach. In March 2026, the California implantable orthopedic device manufacturer TriMed announced a cyberattack and data breach, and the medtech company Stryker experienced wiper attack.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist