Medtronic Confirms Data Breach — ShinyHunters Claims 9 Million Medical Device Patient Records Stolen

Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.

Medtronic — the Minneapolis-based manufacturer whose cardiac rhythm management devices, insulin pumps, deep brain stimulators, and spinal cord implants are used by patients in over 150 countries — has confirmed a significant data breach following claims by the ShinyHunters threat actor group that they extracted nine million patient-linked records from a Medtronic customer relationship management and device registry platform.

The confirmation arrives weeks after ShinyHunters published a sample dataset on their extortion forum, which security researchers verified contained authentic Medtronic device identifiers, patient demographic fields, and clinic contact data. Medtronic’s public statement acknowledges “unauthorised access to a third-party platform used to manage customer and patient interactions” but has not yet confirmed the total scope of records affected.

What Data Was Exposed

Based on the disclosed sample and Medtronic’s preliminary incident communication, the breach encompasses records from Medtronic’s patient therapy management platforms — the systems clinicians use to track implanted device patients, monitor therapy progression, and coordinate follow-up care. Data categories confirmed or credibly reported include:

  • Patient identity fields: Name, date of birth, gender, contact address, and email
  • Device registration data: Device model, serial number, implant date, implanting physician and hospital
  • Therapy management records: For cardiac and diabetes programmes — scheduled follow-up dates, last device interrogation results, alert flags from remote monitoring
  • Healthcare provider data: Implanting clinic names, addresses, and in some records, patient-assigned follow-up physician details

Financial data and clinical diagnostic records stored in Medtronic’s primary medical record systems are not confirmed as part of this breach. Medtronic states that its device firmware and operational systems were not affected.

Why This Breach Is High Consequence

Unlike conventional consumer data breaches, medical device patient records carry a distinct class of harm risk:

Physical security implications: Device serial numbers combined with patient identity enable targeted attacks. An adversary with knowledge that a specific named patient has a cardiac defibrillator of a known model can correlate that information against vulnerability research on that device class. While over-the-air device attacks remain theoretically complex, the intelligence value of this data for physical targeting is real.

HIPAA and international notification obligations: In the United States, the breach triggers HIPAA Breach Notification Rule requirements — Medtronic must notify affected individuals within 60 days of discovering the breach and report to HHS OCR for breaches affecting 500 or more individuals in any given state.

GDPR obligations: For European patients — a substantial portion of Medtronic’s implanted patient base — GDPR Article 33 requires notification to the lead supervisory authority within 72 hours of becoming aware of a breach. Health data is classified as “special category” under GDPR Article 9, carrying elevated obligations and potential fines up to 4% of global annual turnover.

EU Medical Device Regulation (MDR): MDR Article 87 requires manufacturers to report serious incidents to the relevant national competent authority. Depending on the scope of patient harm risk assessed, this breach may trigger MDR reporting across EU member states.

Attribution and Pattern

ShinyHunters has now claimed breaches affecting major healthcare and medical technology firms in the 2025–2026 campaign, following the ADT, Anodot, Rockstar, and McGraw Hill incidents. The Medtronic claim is the group’s most consequential healthcare sector target to date by patient count. The attack vector is consistent with the group’s established pattern of targeting customer-facing SaaS and CRM platforms rather than core operational systems — exploiting looser access controls and less mature security postures at the periphery of large enterprises.

  • If you are a Medtronic clinical partner or implanting centre: Expect individual patient notification from Medtronic; review your own data sharing agreements with Medtronic and assess whether your clinic’s incident response plan covers third-party breaches involving your patient data.
  • For healthcare organisations generally: Audit third-party platforms used for patient device management and CRM functions — these systems often hold the same regulated patient data as primary EMR systems but receive less security scrutiny.
  • For patients with Medtronic-implanted devices: No action is required on the device itself; monitor for targeted phishing attempts that may use device or clinic details to appear legitimate, and report suspicious contact to your implanting centre.
