Cyber Incident Victim: Medtronic
Date: Apr 2026
Location: Ireland
Summary
Medtronic reported unauthorized access to its corporate IT systems, which it contained after engaging cybersecurity experts. The breach has been linked to a ransomware group exploiting Salesforce Experience Cloud and potentially exfiltrating internal data and personal records. Medtronic gave assurances that patient‑facing technologies and hospital networks remained unaffected. The incident follows a similar attack on another medical device maker, Stryker, and reflects a broader campaign targeting companies using the Salesforce platform, during which threat actors claimed to have stolen large volumes of data and used extortion tactics.
Description
In early March 2026, the pro‑Iran group Hawala Hack launched a global cyberattack on Stryker, wiping data from employee electronic devices and forcing the postponement of some surgeries due to delivery delays. Approximately one month later, in mid‑April 2026, Medtronic detected unauthorized access to its corporate IT systems and reported the incident on Monday of the week of April 21‑28, 2026. The company stated that the breach did not affect any of its products, patient safety, manufacturing and distribution operations, financial reporting systems or its ability to meet patient needs. Medtronic emphasized that the networks supporting its corporate IT systems, products, manufacturing and distribution are separate from hospital customer networks, which remain under the control of customers’ IT teams.

Medtronic disclosed that an unknown amount of data was exfiltrated from its corporate systems during the past month, and that it is working to identify any personal information that may have been accessed. The company noted that the breach may be linked to other cybersecurity exploits targeting companies using the Salesforce Experience Cloud platform and that the ShinyHunters ransomware group, known for social engineering tactics such as vishing of IT helpdesk personnel, is suspected. According to Infosecurity Magazine, the incident appears to be part of a larger campaign allegedly perpetrated by ShinyHunters in March, during which the group claimed to have breached 400 websites and stolen data from hundreds of companies through misconfigurations of publicly accessible Salesforce Experience Cloud sites. Threat actors associated with the campaign have claimed to have exfiltrated large volumes of internal corporate data and more than nine million records containing personal information across their targets, although Medtronic has not publicly specified what data was affected in its own case.

Upon identifying the unauthorized access, Medtronic immediately took steps to contain the incident, activated its incident response protocols and engaged leading cybersecurity experts to support the investigation and remediation. The company said it is working to identify any personal information that may have been accessed and will provide notifications and support services as needed. Medtronic also stated that it does not expect the attack to have a material impact on its business or financial results and continues to look for any compromised personal information. The firm reiterated that protecting patients and the trust placed in Medtronic remains its highest priority and that the privacy and security of all data entrusted to it is a vital part of that commitment.
