Hackers say they breached Medtronic's servers—the company confirms access from an 'unauthorized party'

Multinational medical device company Medtronic revealed on Friday that it was the victim of a cyber-intrusion of its corporate IT systems. The company stopped short of calling the incident a data breach, but did say it was “working to identify any personal information that may have been accessed and will provide notifications and support services as needed.”

The cyberattack is currently being investigated.

In a statement, the Irish-American device manufacturer was light on the details, and did not say when or how the “unauthorized party” gained access to its systems. Similarly, it’s unclear what data was accessed.

Medtronic does have a lot of patient data at its disposal. If a posting on the dark web by the supposed perpetrators of the digital intrusion is to be believed, the breach of Medtronic exposed records from 9 million people.

On April 17, a cybercrime syndicate known as ShinyHunters claimed on a dark web forum that they had successfully accessed data stored on Medtronic’s servers. The group said they were able to access terabytes of data, some of which contained personal information.

All the same, it’s not clear if the breach would be subject to reporting under the Health Insurance Portability and Accountability Act (HIPAA), as it’s still unknown if data on patients was truly stolen by the hackers.

Subscribe to Health Exec News

Ransomware deployment an unknown

The dark web claim made by ShinyHunters predates the official announcement from Medtronic by seven days. During that time, individuals posted about the breach on social media and cybersecurity journalists and researchers were reviewing the information posted by the alleged hackers.

In its coverage, Bleeping Computer provided a screenshot of the posting from the cybercrime cell. Its demands were clear: Pay or leak, with a deadline for ransom set for April 21—three days before Medtronic released its statement.

To date, the company has not confirmed the posting by ShinyHunters was legitimate. HealthExec reached out to Medtronic for comment.

If true, the posting implies that ransomware may have been deployed—either that, or hackers silently gained access to systems and stole data.

Medtronic downplayed the impact of the breach on its business operations. The company said that it has “not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems or our ability to meet patient needs.”

There has not been any data trove linked to Medtronic found on the dark web. It’s unclear if the alleged stolen data was posted for sale to the general dark web public.

This is a developing story.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Subscribe to Health Exec News

Subscribe to Health Exec News