Medtronic is notifying more than 3.8 million people that attackers may have accessed their personal and health information, according to a breach notice released by the California Attorney General on June 29.
The notice is a sharper patient-facing version of what the medical device maker said in April. On April 24, Medtronic said an unauthorized party had reached data inside some of its corporate IT systems. At that point, the company said it had not found any links to customers.
The letter posted by California officials says affected people are patients with Medtronic medical devices, and that Medtronic collects data about them to send product-related updates and satisfy legal requirements. The exposed data included names, contact information, dates of birth, Social Security numbers and health-related information, according to the company’s letter.
Medtronic said in the notification that it has not found evidence that the affected information has been published or otherwise exposed on the internet. That is a narrower claim than saying the data is safe. The company is saying it has not seen the data posted publicly.
The Record reported that the attack has been linked to the ShinyHunters cybercrime group. Medtronic’s notice, as released by the California Attorney General, does not describe how the attackers got in, how long they had access, or which specific systems were reached.
What Medtronic is offering
Medtronic said it is offering affected people 24 months of free credit monitoring, dark web monitoring and identity theft restoration services.
Those services address the identity-fraud risk created by the data types listed in the notice, especially Social Security numbers paired with names, dates of birth and contact details. The health-related information adds another layer of sensitivity, since medical data cannot be replaced in the way a payment card can.
The notification does not say that Medtronic medical devices were affected, and it does not report any patient-safety impact. Based on the public notice, this is a data breach involving corporate IT systems and patient information, not a disclosed compromise of device operation.
Med tech remains a target
The Medtronic disclosure follows other attacks on medical technology companies. In March, medical device firm Stryker disclosed that malware had wiped some of its systems in a cyberattack that federal prosecutors attributed to hackers backed by Iran.
According to federal prosecutors cited in that case, the Stryker attack directly affected emergency medical services and hospitals in Maryland. Some hospitals temporarily cut connections to Stryker because they feared the wiper incident could spread or affect their own systems.
That history is why breaches at medical device companies draw extra scrutiny. The immediate facts in Medtronic’s notice concern exposed personal data. The broader risk for hospitals and patients is that the same sector also runs connected systems that care teams depend on, and attackers have shown they are willing to hit companies sitting inside that clinical supply chain.
A copy of Medtronic’s notification letter is available through the California Attorney General’s office.
This story draws on original reporting from The Record.