Medical Device Maker Medtronic Announces Data Breach

Posted by Steve Alder

The medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026, and said the attack was quickly contained and its incident response protocols were activated.

Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world’s largest medical device company by revenue, which was $33.5 billion in fiscal year 2025. The company operates in more than 150 countries, employs around 95,000 people worldwide, and serves around 79 million patients annually.

The hackers only accessed a limited portion of its network. Medtronic confirmed that the networks that support its corporate IT systems, products, manufacturing, and distribution operations are separate. Further, hospital customer networks are separate from Medtronic IT networks and are secured and managed by customers’ IT teams. A leading cybersecurity firm has been engaged to investigate the incident and support its investigation and remediation efforts. At present, there has been no identified impact on its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, and the company is continuing to meet patient needs.

What is not currently known is whether personal or protected health information was accessed or stolen in the incident. If such information has been accessed or stolen, the affected individuals will be identified, and notifications will be issued, and support services will be made available. While mitigating the incident, Medtronic said it is simultaneously working on identifying additional ways that it can optimize system security to prevent similar incidents in the future.

Medtronic is a publicly traded company and is therefore required to notify the U.S. Securities and Exchange Commission (SEC) about material events that may affect shareholders. Its Form 8-K filing with the SEC, Medtronic states that the incident is not expected to have a material impact on its business or financial results. Prior to the announcement and SEC filing on April 18, 2026, the ShinyHunters data theft and extortion group claimed responsibility for the attack. The group claimed to have exfiltrated terabytes of Medtronic data, including personally identifiable information.

ShinyHunters claimed to have stolen more than 9 million records containing PII, although that claim has not been verified by Medtronic. ShinyHunters said it would publish the stolen data if the ransom was not paid by April 21, 2026. The amount of money demanded has not been made public. Medtronic has been removed from the ShinyHunters data leak site, which suggests that the ransom has been paid, although Medtronic has not confirmed whether that is the case.

“This incident highlights a recurring pattern where attackers prioritize corporate IT environments as an entry point, knowing they often contain high-value data but are less rigorously segmented than production or patient-facing systems. Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing, and supply chain exploitation. In healthcare, “no operational impact” does not mean “no risk”; sensitive data exposure can have long-term downstream consequences.” said, Ensar Seker, CISO at SOCRadar. “From a defender’s perspective, this reinforces the need to treat corporate IT systems with the same level of scrutiny as clinical or operational environments. Strong identity controls, strict network segmentation, and continuous monitoring of data exfiltration paths are critical. Additionally, organizations should assume that groups like ShinyHunters will attempt to monetize even partial or low-sensitivity datasets, so rapid validation, transparent communication, and proactive threat intelligence engagement are essential to reduce reputational and regulatory fallout.”

Medtronic is not the only medical device manufacturer to experience a data breach this year. In January 2026, Massachusetts-based UFP Technologies, a manufacturer of devices and components for wound care, implants, and orthopedic and surgical products, notified the SEC about a cyberattack and data breach. In March 2026, the California implantable orthopedic device manufacturer TriMed announced a cyberattack and data breach, and the medtech company Stryker experienced wiper attack.

The post Medical Device Maker Medtronic Announces Data Breach appeared first on The HIPAA Journal.

SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident

Posted by Steve Alder

SAG-AFTRA Health Plan has settled a class action lawsuit over a September 2024 email data breach. Hackers gained access to the health plan’s email systems between September 17 and September 18, 2026, after employees responded to phishing emails. The attack exposed sensitive personal and protected health information, which was potentially copied by the hackers.

Data compromised in the incident included names and Social Security numbers and, for some individuals, health information, claims information, and plan participant identification numbers. The breach was reported to the HHS’ Office for Civil Rights initially as affecting 35,592 individuals, although that total was later increased to 98,474 individuals. The lawsuit states that approximately 94,546 notification letters were mailed.

The first class action lawsuit over the data breach was filed by plaintiffs Matthew Rouillard and Kristy Munden in December 2024, and a further three class action lawsuits were subsequently filed by other plaintiffs. The lawsuits had overlapping claims, so were consolidated into a single action – In re SAG Health Data Breach Litigation – in the U.S. District Court for the Central District of California.

The consolidated lawsuit asserted several claims, including negligence and violations of California laws. To avoid the expense, distraction, and uncertainty of a trial and related appeals, SAG-AFTRA Health Plan and the plaintiffs agreed to a settlement. SAG-AFTRA Health Plan has agreed to establish a $950,000 settlement fund to cover attorneys’ fees and expenses, claims administration costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which will be paid from the remaining funds after claims and costs have been deducted. Individuals who were not California residents at the time of the data breach will receive one pro rata share of the remainder of the settlement fund, and California residents will receive two shares.

All class members will receive an 18-month membership to a credit monitoring and identity theft protection service, even if they do not submit a claim for reimbursement of losses or a cash payment. Claims must be submitted by July 23, 2026. The deadline for objection and exclusion is June 23, 2026, and the final fairness hearing has been scheduled for September 24, 2026.

December 13, 2026: SAG-AFTRA Members Sue Health Plan Over Email Breach

A class action lawsuit has been filed by members of the Screen Actors Guild – American Federation of Television and Radio Artists (SAG-AFTRA) health plan over a recent email phishing attack that exposed their protected health information. An unauthorized third party accessed an employee’s email account between September 17 and September 18, 2024, after the employee responded to a phishing email and potentially viewed or copied names, Social Security numbers, health insurance information, and claims information. The breach was reported to the HHS’ Office for Civil Rights as affecting 35,592 individuals, and individual notifications were mailed on December 2, 2024. The total was later increased to 98,474 individuals.

Three days after notification letters were mailed, a lawsuit was filed by Clarkson Law Firm P.C. in the U.S. District Court in Los Angeles that names SAG-AFTRA members Matthew Rouillard and Kristy Munden as plaintiffs. The lawsuit alleges SAG-AFTRA failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to members’ sensitive data, which was exfiltrated in the attack, failed to adequately monitor its network and computer systems, and failed to issue timely notifications about the breach. Notification letters were sent more than 2 months after the email account breach was discovered.

The lawsuit alleges the plaintiffs and class members have suffered injuries such as out-of-pocket expenses associated with preventing, detecting, and remediating identity theft, social engineering, and fraud; lost opportunity costs while attempting to mitigate the consequences of the data breach; lost time; an invasion of privacy; diminution in value of their private information; and an increased risk of identity theft and fraud.

The lawsuit claims that in light of the data breach and lack of cybersecurity protections, members overpaid for their health plans. The lawsuit asserts claims of unjust enrichment, invasion of privacy, negligence, breach of express warranty, and violations of the California Civil Code (Deceit by concealment), California Unfair Competition Law (Business & Professions Code), and the California Confidentiality of Medical Information Act.

The lawsuit seeks class action status, a jury trial, monetary damages, restitution, and an order from the court requiring adequate security protocols to be implemented, proper notice to be provided to the affected individuals, and prohibiting the health plan from engaging in further wrongful acts.

The post SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident appeared first on The HIPAA Journal.

Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center

Posted by Steve Alder

Florida Physician Specialists has started notifying patients affected by a November 2025 hacking incident. Mile Bluff Medical Center in Wisconsin has announced that it is working under downtime procedures as it recovers from an April 2026 ransomware attack.

Florida Physician Specialists

Florida Physician Specialists, a Jacksonville, FL-based multi-specialty private physician practice serving patients in Northeast Florida, started notifying patients on April 24, 2026, about a November 2025 hacking incident that exposed some of their personal and protected health information.

An investigation was launched into a security incident in late November, which confirmed that an unauthorized third party accessed its network between November 27, 2025, and November 29, 2025. The review of the exposed data was completed on April 6, 2026, when it was confirmed that a limited amount of patient data may have been exfiltrated from its network. Data potentially compromised in the incident included names in combination with one or more of the following: Social Security numbers, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, medical information, and/or health insurance policy information.

While data may have been stolen, Florida Physician Specialists is unaware of any actual or attempted misuse of the data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services. The data breach was reported to the Maine Attorney General as affecting 47 Maine Residents, but it is currently unclear how many individuals have been affected in total. There is currently no listing on the HHS Office for Civil Rights website.

Mile Bluff Medical Center

Mile Bluff Medical Center in Mauston, Wisconsin, is dealing with a cyberattack that resulted in the encryption of files on its network.  Security protocols were immediately implemented when the attack was discovered, and an investigation has been launched with assistance provided by third-party partners.

The medical center has confirmed that the cyberattack caused limited and temporary interruptions to certain computer systems, and its phone system has also been impacted. Clinical teams have been working under downtime procedures while the attack is mitigated, and systems can be safely restored. The priority has been to ensure that care continues to be provided to patients. The medical center is working to fully resolve the issues as soon as possible. At this stage of the recovery process, it is too early to tell to what extent, if any, patient data has been affected. No threat group appears to have claimed responsibility for the attack at the time of writing.

The post Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center appeared first on The HIPAA Journal.

South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit

Posted by Steve Alder

South Texas Oncology and Hematology, a San Antonio, TX-based provider of leading-edge cancer treatment and other medical services, has settled a class action lawsuit stemming from a February 2024 cyberattack and data breach that involved unauthorized access to the personal information of 176,303 individuals, including the protected health information of 175,195 individuals.

Suspicious network activity was identified on February 15, 2024, and the forensic investigation confirmed that an unauthorized individual accessed its network and potentially obtained employee and patient information. Data exposed in the incident included names, contact information, dates of birth, health information, and Social Security numbers. The affected individuals were notified about the incident in June 2024.

The first class action lawsuit over the data breach was filed by plaintiff Doris Flores on June 24, 2024, in the U.S. District Court for Bexar County, Texas, 438th Judicial District. Several other lawsuits were subsequently filed, and since they made similar claims and had overlapping classes, the plaintiffs’ counsel agreed to work cooperatively and litigate in a single action – Flores v. South Texas Oncology and Hematology, PLLC.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network, and that the data breach should have been prevented. South Texas Oncology and Hematology maintains that there was no wrongdoing, there is no liability, and denies all claims and contentions in the lawsuit. The defendant and the plaintiffs agreed to a settlement to avoid the costs and risk associated with a trial, with no admission of fault or liability.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for July 21, 2026. Under the terms of the settlement, South Texas Oncology and Hematology has agreed to pay $1,075,000 to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of up to $5,000 in documented, unreimbursed losses due to the data breach, or they may claim an alternative pro rata cash payment. The cash payments are estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. In addition to one of those benefits, class members may also claim two years of free medical data monitoring services. Claims must be submitted by July 6, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 22, 2026.

The post South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors

Posted by Steve Alder

At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President Bush on September 23, 2001, following the 9/11 attacks on the World Trade Center. The purpose of the Executive Order was to disrupt the financial support network for terrorists and terrorist organizations, authorizing the U.S. government to designate and block the assets of foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

By designating ransomware attacks on hospitals and other critical infrastructure entities as an act of terrorism, attacks would be classed as national security threats, and the government would have a much broader range of tools at its disposal than are currently available, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic actions against countries – such as Russia – for harboring ransomware actors. Further, Kaiser argued that in the event of a ransomware attack resulting in the death of a patient, the government should be able to pursue murder or manslaughter charges, which may act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”

The post Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors appeared first on The HIPAA Journal.