Medtronic confirms cyberattack on corporate IT systems amid claims of massive data theft

Medtronic, a global medical device manufacturer, confirmed that an unauthorized party breached portions of its corporate IT systems last week, accessing data while leaving core operations, products, and patient safety unaffected. The company disclosed the incident publicly as a cybercriminal group claimed responsibility for stealing millions of records and internal data.

The company, which employs about 90,000 people and operates in 150 countries, identified unauthorized access within certain corporate IT systems. Medtronic stated that its investigation has not found any disruption to its medical devices, manufacturing and distribution operations, financial reporting systems, or its ability to deliver care to patients.

“We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems, or our ability to meet patient needs,” the company said in a statement. It emphasized that its corporate IT infrastructure operates separately from systems supporting products and manufacturing, and that hospital customer networks remain independently managed and secured.

Medtronic, the world’s largest medical device maker by revenue at $33.5 billion, said it has contained the incident and activated its incident response protocols with assistance from external cybersecurity experts. The company is continuing to assess the scope of the breach, including whether any personal data was accessed.

The cybercriminal group ShinyHunters publicly claimed responsibility for the intrusion, alleging it obtained more than 9 million records containing personally identifiable information, along with terabytes of internal corporate data. The group listed Medtronic on its data leak site on April 18 and threatened to release the data unless ransom negotiations began by April 21. The listing has since been removed.

Medtronic has not confirmed the volume or nature of the data allegedly stolen. The company said it will notify affected individuals and provide support services if its investigation determines that personal data exposure occurred.

The investigation into the breach remains ongoing as the company works to determine the full extent of the incident.