Data breach | Contained

Medtronic notifies 3.8 million people of ShinyHunters data breach

Medical device maker Medtronic began notifying roughly 3.8 million people that their personal data was exposed when the ShinyHunters extortion group accessed its corporate IT systems in April 2026.

Victim: Medtronic
Users: 3.8M

On 2 July 2026, Medtronic, one of the world's largest medical device makers, with operational headquarters in Fridley, Minnesota, began notifying roughly 3.8 million people that their personal information was exposed in a data breach earlier in the year. The company has attributed the intrusion to the ShinyHunters extortion group, which gained unauthorised access to certain corporate IT systems in April 2026.

Medtronic first detected suspicious activity on 15 April 2026 and later confirmed that an unauthorised third party had access to certain corporate IT systems between 13 and 19 April 2026. The company disclosed the incident publicly on 24 April 2026 alongside a Form 8-K filing with the U.S. Securities and Exchange Commission, and it has now begun formal notifications to affected individuals as its forensic review has concluded.

What was exposed

According to Medtronic's notifications, the information that may have been accessed includes full names, contact information, dates of birth, Social Security numbers, and health-related information. The exposure stemmed from a compromise of corporate IT systems rather than any patient-facing medical device or clinical network.

Medtronic has emphasised that it found no impact to its products, to patient safety, or to the connections between its devices and customers, noting that the networks supporting its corporate IT systems are kept separate from those supporting its products and manufacturing operations.

Threat actor

The breach has been tied to ShinyHunters, a prolific data-theft and extortion group that has claimed a string of intrusions against large enterprises in 2026. The group has publicly claimed to have stolen more than 9 million records of personally identifiable information from Medtronic, a figure higher than the roughly 3.8 million people Medtronic is notifying, and one the company has not confirmed.

Response

Medtronic is offering affected individuals 24 months of complimentary credit monitoring, dark web monitoring, and identity theft restoration services. The company says it has taken steps to further harden its corporate environment following the incident.

Why it matters

The breach underscores how attackers targeting large healthcare and medical-technology firms increasingly go after corporate back-office systems (payroll, benefits, and customer records) rather than the harder-to-reach clinical or device networks. Even when patient safety is not directly threatened, the exposure of Social Security numbers and health-related data for millions of people carries a long tail of identity-theft and regulatory risk, particularly under U.S. health-privacy rules.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/
  2. securityweek.com: https://www.securityweek.com/medtronic-data-breach-impacts-3-8-million-people/
  3. hipaajournal.com: https://www.hipaajournal.com/medical-device-maker-medtronic-data-breach/
  4. news.medtronic.com: https://news.medtronic.com/Medtronic-statement-on-unauthorized-system-access
