Medtronic notifies 3.8 million people of ShinyHunters data breach
Medical device maker Medtronic began notifying roughly 3.8 million people that their personal data was exposed when the ShinyHunters extortion group accessed its corporate IT systems in April 2026.
- Victim: Medtronic
- Users: 3.8M
On 2 July 2026, Medtronic, one of the world's largest medical device makers, with operational headquarters in Fridley, Minnesota, began notifying roughly 3.8 million people that their personal information was exposed in a data breach earlier in the year. The company has attributed the intrusion to the ShinyHunters extortion group, which gained unauthorised access to certain corporate IT systems in April 2026.
Medtronic first detected suspicious activity on 15 April 2026 and later confirmed that an unauthorised third party had access to certain corporate IT systems between 13 and 19 April 2026. The company disclosed the incident publicly on 24 April 2026 alongside a Form 8-K filing with the U.S. Securities and Exchange Commission, and it has now begun formal notifications to affected individuals as its forensic review has concluded.
What was exposed
According to Medtronic's notifications, the information that may have been accessed includes full names, contact information, dates of birth, Social Security numbers, and health-related information. The exposure stemmed from a compromise of corporate IT systems rather than any patient-facing medical device or clinical network.
Medtronic has emphasised that it found no impact to its products, to patient safety, or to the connections between its devices and customers, noting that the networks supporting its corporate IT systems are kept separate from those supporting its products and manufacturing operations.
Threat actor
The breach has been tied to ShinyHunters, a prolific data-theft and extortion group that has claimed a string of intrusions against large enterprises in 2026. The group has publicly claimed to have stolen more than 9 million records of personally identifiable information from Medtronic, a figure higher than the roughly 3.8 million people Medtronic is notifying, and one the company has not confirmed.
Response
Medtronic is offering affected individuals 24 months of complimentary credit monitoring, dark web monitoring, and identity theft restoration services. The company says it has taken steps to further harden its corporate environment following the incident.
Why it matters
The breach underscores how attackers targeting large healthcare and medical-technology firms increasingly go after corporate back-office systems (payroll, benefits, and customer records) rather than the harder-to-reach clinical or device networks. Even when patient safety is not directly threatened, the exposure of Social Security numbers and health-related data for millions of people carries a long tail of identity-theft and regulatory risk, particularly under U.S. health-privacy rules.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/
- securityweek.com: https://www.securityweek.com/medtronic-data-breach-impacts-3-8-million-people/
- hipaajournal.com: https://www.hipaajournal.com/medical-device-maker-medtronic-data-breach/
- news.medtronic.com: https://news.medtronic.com/Medtronic-statement-on-unauthorized-system-access