Medtronic said an unauthorized party accessed data in portions of its corporate IT environment and that it has contained the incident, activated response procedures, and engaged external cybersecurity experts. The company said it has not identified any impact on products, patient safety, customer connections, manufacturing and distribution operations, financial reporting systems, or its ability to meet patient needs, stressing that corporate IT, product, manufacturing, and hospital customer networks are segmented.
The disclosure followed extortion claims tied to ShinyHunters, which said it stole more than 9 million records containing personally identifiable information along with terabytes of internal corporate data and briefly listed Medtronic on its leak site before the entry disappeared. Medtronic said its investigation is ongoing to determine whether personal data was accessed and that it will notify affected individuals and provide support services if exposure is confirmed, while separate reporting also linked the incident to Handala, underscoring uncertainty around attribution even as the breach itself has been confirmed.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
Medtronic disclosed that its April 2026 data breach affected 3,834,294 individuals. The company said the stolen data included personal and medical information, and that it had no evidence the information was publicly posted.
A filing with Texas regulators said the Medtronic breach affected at least 297,307 individuals. Medtronic said the compromised data included personal and health-related information and that it had not found evidence of misuse.
Medtronic disclosed that personal data was exposed in the breach and said it is notifying affected individuals. The company is offering 24 months of credit monitoring and identity theft protection services to those impacted.
By May 1, Medtronic was facing at least six proposed federal class action lawsuits tied to the recently disclosed cyber incident. The suits allege the company failed to adequately protect sensitive personal and health information potentially exposed in the breach.
After the initial extortion posting and deadline, Medtronic was later removed from the group's leak site. The references do not specify whether this reflected payment, negotiation, or another outcome.
In its SEC Form 8-K, Medtronic said the cyber incident is not expected to have a material impact on its business, operations, or financial condition. The statement accompanied the company's disclosure that it had contained the intrusion and was continuing its investigation.
In its disclosure, Medtronic said it was still determining whether personal data was accessed and that it would notify and support affected individuals if such exposure is confirmed. The company also emphasized segmentation between corporate IT, product, manufacturing, and hospital customer networks.
Medtronic publicly stated that an unauthorized party accessed data within certain corporate IT systems. The company said it had contained the incident, launched an investigation with external cybersecurity experts, and found no impact on products, patient safety, customer connections, manufacturing and distribution, financial reporting, or patient care.
On its leak site, the ShinyHunters extortion group claimed it had stolen more than 9 million Medtronic records and terabytes of internal corporate data. The group threatened to leak the data unless ransom negotiations began by April 21.
Medtronic said its investigation found that a threat actor accessed specific corporate IT systems between April 13 and April 19, 2026. The company also said it detected unusual activity on April 15, 2026, providing a more precise timeline for the intrusion.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
19 references tracked. Mallory keeps watching after this page renders.
securityweek.com
Open sourcescworld.com
Open sourcecybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourcebleepingcomputer.com
Open sourcetheregister.com
Open sourcenews.medtronic.com
Open sourceoag.ca.gov
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.