VYPR
breachPublished Jun 30, 2026· 1 source

ShinyHunters Claims Medtronic Data Breach Affecting Millions of Patients

Medical device manufacturer Medtronic has begun notifying patients of a data breach claimed by the ShinyHunters ransomware group, which alleges the theft of over 9 million records.

Medical device giant Medtronic is initiating notifications to patients whose personal and health information was compromised in a data theft incident that occurred in April. The ransomware group ShinyHunters has claimed responsibility, asserting that it exfiltrated more than 9 million records from the company's systems.

Publicly available records indicate that Medtronic, headquartered in Minnesota, informed Massachusetts regulators that the breach affected approximately 64,000 patients in that state alone. As of late June, official breach reports related to this incident had not yet been posted on federal regulatory platforms, such as the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool, which tracks breaches impacting 500 or more individuals.

ShinyHunters first publicized its claim on April 17, alleging on a Tor network site that it had successfully breached a Medtronic database. The group stated it had stolen over 9 million records containing personally identifiable information, alongside terabytes of internal corporate data. They issued a ransom demand, threatening to release the stolen data if Medtronic did not comply by April 21.

Medtronic acknowledged the breach in a public statement on April 24 and also informed the U.S. Securities and Exchange Commission about the compromise of its corporate IT systems. By the end of April, the listing for Medtronic on ShinyHunters' dark web site was reportedly removed, suggesting a potential resolution or negotiation.

In an updated statement, Medtronic confirmed the breach of "some" of its corporate IT systems, emphasizing that its investigation is ongoing. The company stated it has begun communicating with individuals whose information is believed to have been impacted. Medtronic has also asserted that there is no evidence to suggest that the compromised data has been publicly posted or exposed online.

Crucially, Medtronic has reported no identified impact on its product security or patient safety, assuring that its devices continue to operate safely and deliver intended therapies. Similarly, the company has not detected any disruptions to its manufacturing, distribution operations, or its capacity to meet patient and customer needs.

To assist affected individuals, Medtronic is offering 24 months of complimentary credit monitoring, dark web monitoring, and identity theft restoration services. The company has also advised physicians to contact their local Medtronic representative for any specific concerns.

Despite Medtronic's assurances regarding operational and safety impacts, the company is already facing multiple proposed federal class-action lawsuits filed by patients, including those with cardiac devices. These lawsuits allege negligence and other claims against Medtronic in the wake of the recent hack.

Synthesized by Vypr AI