Medtronic says patient and health data may have been exposed in April network breach

Medtronic, the medical device maker known for pacemakers and insulin pumps, has told some patients that their personal and health information may have been accessed during a cyberattack earlier this y...

Medtronic, the medical device maker known for pacemakers and insulin pumps, has told some patients that their personal and health information may have been accessed during a cyberattack earlier this year.

In breach notices sent to affected individuals, the company said it detected suspicious activity on April 15 and later concluded that an unauthorized actor had access to certain corporate systems from April 13 through April 19. The systems involved contained data including names, contact information, dates of birth, Social Security numbers, and health-related details.

Medtronic said it gathers some of this information to support product updates and meet regulatory obligations. The company added that it has found no indication the data was made public or posted online, though it did not say whether copies were taken by the intruder.

Patient devices were not affected, Medtronic says

The company also sought to reassure patients that the incident did not interfere with the safety or functioning of its devices. In the notice, Medtronic said its investigation found no evidence that any device was impacted in a way that would prevent it from delivering intended therapy.

When the breach was first disclosed in April, Medtronic said the event had not affected patient safety, manufacturing, distribution, financial reporting, or its ability to serve customers. The company also noted that its internal corporate environment is separated from the networks that support its products, and that hospital customer networks are managed independently.

Shortly after the intrusion, the ShinyHunters extortion group added Medtronic to its leak site and claimed to have stolen more than nine million records. The group threatened to release the material unless payment was made, although the listing was later removed and no data was publicly posted. Medtronic has not publicly identified the attackers or linked the incident to any specific group.

The breach notice leaves several questions unanswered, including how many people were affected, how access was gained, and why notification took more than two months. Medtronic said it has added security measures, notified law enforcement and regulators, and is offering affected individuals two years of credit monitoring, dark web monitoring, and identity restoration services.