Cyber Incident Victim: St. Jude Medical
Date: Jan 2013
Location: China
Summary
Hackers infiltrated St. Jude Medical and two other major medical device manufacturers, with intrusions persisting for several months before federal authorities alerted the companies. The attackers exhibited sophisticated methods suggestive of potential Chinese involvement, though their exact objectives remained unclear. While the compromised networks contained sensitive intellectual property and clinical data involving patient information—raising risks of identity theft, discrimination, or corporate espionage—no breaches of protected health data were formally disclosed. The companies established task forces to investigate the incidents, which targeted valuable proprietary research and collaboration records with healthcare providers.
Description
In early 2013, hackers breached the computer networks of St. Jude Medical, Medtronic, and Boston Scientific—three leading U.S. medical device manufacturers. The intrusions occurred during the first half of the year and persisted undetected for potentially several months. Federal authorities discovered the breaches and alerted the companies, prompting them to form internal task forces to investigate the incidents. The attackers demonstrated sophisticated capabilities, executing what a source described as a "very thorough" operation showing characteristics potentially linking it to hackers based in China. None of the companies publicly acknowledged the breaches at the time of reporting in February 2014, with St. Jude Medical declining to comment on the incident entirely when contacted by journalists. While the exact objectives remained unclear, medical device firms represent high-value targets due to their extensive intellectual property portfolios and collaborations with healthcare providers involving sensitive data.

The breaches carried significant implications for both corporate assets and patient privacy. Medical device manufacturers like St. Jude Medical routinely handle clinical trial data and collaborate with physicians, creating potential exposure points for protected health information. Federal health privacy regulations would have required disclosure if patient data was compromised, but no such notifications were issued by the companies. Industry experts highlighted the broader risks of intellectual property theft, estimating cybercrime costs to the U.S. economy at $100 billion annually. The incident occurred amid heightened U.S.-China tensions over cyberespionage, with President Obama raising concerns about state-sponsored intellectual property theft during bilateral talks months earlier. While Boston Scientific disputed the Chronicle's reporting as "inaccurate" without elaborating, and Medtronic declined to discuss specifics, all three companies maintained general cybersecurity protocols including dedicated response teams to address network penetration attempts.
