
Medtronic says a ShinyHunters attack exposed the personal and medical data of over 3.8 million people. Products and operations were unaffected.
Medtronic is notifying 3,834,294 individuals after a cyberattack by the ShinyHunters extortion group exposed personal and medical information.
In April 2026, Medtronic confirmed a cyberattack on its corporate IT systems after the hacker group ShinyHunters claimed to have stolen over 9 million records. The company did not share details on the security breach.
Medtronic is an international medical equipment giant with 90,000 employees and operations in 150 countries. It is the largest medical device maker in the world by revenue ($33.5 billion) and also develops healthcare technologies and therapies.
The company said an unauthorized party accessed data in some corporate IT systems. It found no impact on products, patient safety, operations, financial systems, or care delivery. The company noted its IT, product, and manufacturing networks are separate, and hospital networks remain independently managed and secure.
“Medtronic has determined that an unauthorized party accessed data in certain Medtronic corporate IT systems. We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems or our ability to meet patient needs,” reads the press release published by the company. “The networks that support our corporate IT systems, our products and our manufacturing and distribution operations are separate. Hospital customer networks remain separate from Medtronic IT networks and are secured and managed by customers’ IT teams.”
Medtronic states that it has contained the breach and activated its incident response with the help of external cybersecurity experts. It is assessing whether personal data was exposed and will notify affected individuals, offering them support.
On April 18, ShinyHunters added the firm to its Tor data leak site, claiming the theft of over 9 million records, including personal data and internal files. Initially, the group threatened to leak the data if the ransom was not paid by April 21, but the listing has since disappeared. The company is investigating and says it will notify and support affected individuals if data exposure is confirmed.
This week, the technology firm started sending notification letters to the impacted individuals. Medtronic said the breached data may include patients’ names, contact details, dates of birth, Social Security numbers, and health information. The company added that it has found no evidence the stolen information has been publicly released or exposed online.
“On April 15, 2026, Medtronic became aware of unusual activity on certain corporate IT systems. Medtronic launched an investigation with the assistance of leading third-party cybersecurity experts to determine the impact and scope of the incident. The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems,” reads the data breach notification. “With the assistance of data review specialists, we have been working diligently to determine the types of information that may have been subject to unauthorized activity and to whom they relate. What Information Was Involved? As a patient with a Medtronic medical device, our company collects data related to you in order to provide important product-related updates and to meet our legal obligations. The investigation to date has determined that the following types of information may have been impacted: name, contact information, date of birth, Social Security number, and health-related information. We have no evidence that any of that information was posted publicly or exposed on the Internet.”
Medtronic is offering 24 months of free credit monitoring, dark web monitoring, and identity theft recovery services to those impacted.
“Medtronic is committed to and takes very seriously our responsibility to safeguard all data entrusted to us. As part of our ongoing commitment to the security of personal information in its care, Medtronic has implemented additional safeguards and continues to work with third-party cybersecurity experts to identify opportunities to further strengthen the security of its systems,” concludes the notification. “Medtronic has also worked with law enforcement and is notifying relevant regulatory authorities. In addition, we are offering you access to 24 months of complimentary credit monitoring, dark web monitoring (monitoring certain online sources for publication of personal information), and identity theft restoration services through Epiq. Details on the service and instructions for enrollment can be found in the enclosed Epiq – Privacy Solutions ID.”



