Cyber Incident Victim: Boston Scientific
Date: Jan 2013
Location: China
Summary
Hackers infiltrated the networks of Boston Scientific and two other major medical device manufacturers, maintaining unauthorized access for several months. The sophisticated intrusion, suspected to originate from China, came to light through federal notifications, which prompted internal investigations. While the attackers' objectives remain unclear, potential risks included theft of valuable intellectual property and confidential patient data linked to clinical trials. The company acknowledged routine cyberattack attempts but disputed reported details as inaccurate without elaborating. No breaches of protected patient information were disclosed under regulatory requirements.
Description
In early 2013, hackers infiltrated the computer networks of three major U.S. medical device manufacturers—Medtronic, Boston Scientific, and St. Jude Medical—with intrusions occurring sometime during the first half of the year and potentially persisting for several months. Federal authorities discovered the breaches and notified the companies, none of which had detected the intrusions independently. All three companies established internal task forces to investigate the scope and nature of the compromise. The attacks were characterized as "very thorough" by a source familiar with the incidents, with technical indicators suggesting potential involvement of hackers based in China. Boston Scientific maintained offices in San Jose, Santa Clara, and Fremont at the time of the breach, while the other affected firms also had significant Bay Area operations. No company disclosed evidence of patient data exfiltration, which would have triggered mandatory breach notifications under federal health privacy laws.

The medical device makers uniformly declined to confirm specific details about the attacks when contacted by media. Boston Scientific's Senior Vice President Denise Kaigler acknowledged routine attempts to penetrate company networks and described having dedicated teams for threat detection, mitigation, and prevention of future incidents, while dismissing the Chronicle's reporting as "inaccurate" without elaborating. Medtronic similarly avoided commenting on specific attacks, and St. Jude Medical did not respond to inquiries. The breaches highlighted concerns about theft of valuable intellectual property from medical technology firms, which collectively held billions of dollars in proprietary research and development assets. Concurrent healthcare sector breaches, such as the compromise of 400,000 patient records at St. Joseph Health System in Texas during the same general timeframe, underscored broader vulnerabilities in medical data security. Legal experts noted that device manufacturers could face liability under health privacy laws if breaches involved patient information collected during clinical collaborations with healthcare providers. Federal investigators did not publicly attribute the attacks or confirm whether any proprietary data or protected health information was actually exfiltrated during the intrusions.
