Families Rights Matter2 Unveils Comprehensive 10-Point HIPAA – openPR.com
Meet HIPAA, GDPR, SOC 2, and NIS 2 requirements with Acronis Cyber Protect disaster recovery – Security Boulevard
Iran Linked Hacking Group Wipes Data of Leading U.S. Medical Device Manufacturer – The HIPAA Journal
Stryker, a U.S. medical device and medical equipment manufacturer based in Portage, Michigan, is dealing with a cyberattack linked to the current U.S. military action in Iran. The cyberattack started shortly after midnight and has caused an outage of systems across the organization. An Iran-linked hacking group has claimed responsibility for the attack.
Stryker has operations in 61 countries and has a global workforce of more than 56,000 employees. Stryker said in a filing with the U.S. Securities and Exchange Commission (SEC) that the attack has and is expected to continue to cause “disruptions and limitations of access to certain of the Company’s information systems and business applications.” Stryker is currently unable to provide a timeline for when systems and data will be recovered and when normal operations will resume.
This does not appear to have been a ransomware attack, but rather a data theft and wiping attack. The attack affected Stryker’s Microsoft programs, including the wiping of Windows-based devices such as mobile phones and laptops. Stryker said it has found no indications that ransomware or malware was used, and said it believes it has contained the attack. An investigation has been launched to determine the impact of the attack on its computer systems.
According to the Wall Street Journal, Stryker’s login pages were defaced with the hacking group’s logo. Stryker said it has business continuity measures in place and will continue to support its customers and partners while it recovers from the attack. Stryker has also committed to transparency and said it will keep stakeholders informed as the investigation and recovery processes progress.
An Iran-linked hacking group called Handala immediately claimed responsibility for the attack in an announcement on X. The group claimed that its attack caused disruption at 79 Stryker offices around the world, that more than 200,000 systems, servers, and mobile devices were wiped, and that 50 terabytes of data were exfiltrated. “We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” the group said in a post on X.
While the initial access vector is not known, security researcher Kevin Beaumont suggests that Handala actors gained access to Stryker’s Active Directory services and used the Microsoft endpoint management tool Intune to remotely wipe Microsoft devices, including devices used by employees managed under its bring-your-own-device policy.
While Handala appears at face value to be a hacktivist group, the group has been linked to Iran’s Ministry of Intelligence and Security. Palo Alto Networks suggests that Handala is part of the Ministry of Intelligence and Security and masquerades as a hacktivist group, allowing Iran to deny responsibility for its cyber operations.
While Iran has executed a military response to the US-Israel military action, retaliation to the attacks was always likely to involve more than just missiles. Iran has sophisticated cyber capabilities, and any response was likely to take place in cyberspace. Iranian officials stated this week that Tehran would expand its targeting to include economic centers and banks tied to the United States or Israel, and that U.S. companies with ties to the U.S. military or Israel would also be attacked. Stryker has a presence in Israel, including OrthoSpace, an orthopedic device maker that the company acquired in 2019. Handala claimed that Stryker was “a Zionist-rooted corporation.”
“Attacks like this unfortunately aren’t surprising. Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire. In many cases, attackers simply find the path of least resistance—an exposed system, an unsecured management console, or credentials that allow them to move deeper into the environment—and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems,” Skip Sorrels, Field CTO and CISO, Claroty, said in a statement provided to The HIPAA Journal. “As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those ‘open doors’ before attackers find them.”
Steve Povolny, Vice President of AI Strategy & Security Research at Exabeam, told The HIPAA Journal that the attack illustrates how cyber operations are increasingly becoming the asymmetric response of choice during periods of regional conflict or political tension, and that cyber activity from proxy groups provides Tehran with a deniable way to impose costs on Western economies and technology ecosystems.
“Groups like Handala blur the line between hacktivism and state operations, giving governments plausible deniability while still achieving strategic signaling. The cautionary lesson for defenders is that these campaigns are rarely isolated events,” said Povolny. “They are often part of a broader pressure strategy designed to create disruption across multiple industries that support national stability, from healthcare and logistics to energy and manufacturing. Organizations that do not traditionally view themselves as geopolitical targets may increasingly find themselves on the front lines of state-linked cyber conflict.”
Delenta Achieves HIPAA Compliance, Unlocking Enterprise Partnerships Across Healthcare, Finance and Government – The Manila Times
Paubox Research on Email Security Identifies Top Security Risks in 2026 – The HIPAA Journal
New research from Paubox has highlighted the top email security risks for healthcare organizations in 2026. The greatest risk lies not with novel and increasingly sophisticated threats, but the foundational weaknesses in email security that have existed and been exploited by threat actors for years.
The latest data show that cyber threat actors are relying less on vulnerabilities and are focused on compromised credentials for initial access to networks. Email is the leading entry point for cybercriminals and the root cause of many data breaches, especially in healthcare. Cybercriminals are using email to obtain credentials that provide them with the foothold they need for an extensive compromise, including data theft, extortion, and file encryption with ransomware. The extent to which email is used, and the weaknesses in email security that facilitate attacks, have been explored by the leading HIPAA-compliance email firm Paubox in its 2026 Healthcare Email Security Report.
Based on data reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), at least 170 email-related data breaches occurred in 2025 that involved the exposure or acquisition of electronic protected health information (ePHI). There was a slight decline in email incidents year-over-year, although Paubox’s analysis has shown that email-based data breaches are still highly prevalent and, in most cases, were the result of foundational security gaps – poorly configured security tools, a lack of appropriate safeguards, and human factors – that have remained largely unchanged for years and are widespread among HIPAA-covered entities and their business associates.
A concerning number of HIPAA-regulated entities were found to have failed to implement email security measures that have been recommended for many years. Paubox’s analysis of organizations that experienced an email security incident in 2025 found that three-quarters lacked effective DMARC enforcement, a basic security measure that instructs receiving mail servers to ignore, quarantine, or reject emails that fail authentication checks. Worryingly, more than half of breached organizations relied on missing or permissive Sender Policy Framework (SPF) records to determine whether an email was sent from a server authorized to use a domain, leaving them at a high risk of phishing and spear phishing emails being delivered to end users.
Out of the HIPAA-covered entities and business associates that experienced an email breach, none enforced the Mail Transfer Agent Strict Transport Security (MTA-STS) security standard, which forces mail servers to encrypt messages to prevent interception in transit. MTA-STS ensures that emails are only delivered via a trusted and secure connection. Without encryption, healthcare organizations are at risk of man-in-the-middle (MITM) attacks.
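The three gaps described above (DMARC without enforcement, missing or permissive SPF, and MTA-STS not enforced) can be checked directly from a domain's published records. The following is an added example, not code from Paubox or The HIPAA Journal: it classifies record text passed in as strings, the domains and records in `SAMPLES` are constructed, and the thresholds in `WEAK` are this example's assumption rather than Paubox's scoring.

```python
def dmarc_status(txt):
    """Classify a _dmarc TXT record as missing, monitor-only, partial or enforced."""
    if not txt or not txt.replace(" ", "").lower().startswith("v=dmarc1"):
        return "missing"
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (part.partition("=") for part in txt.split(";")) if k.strip()}
    if tags.get("p") not in ("quarantine", "reject"):
        return "monitor-only"  # p=none or no usable p tag: failures are only reported
    pct = tags.get("pct", "100")
    return "enforced" if not pct.isdigit() or int(pct) >= 100 else "partial"

def spf_status(txt):
    """Classify an SPF record by its 'all' qualifier; no 'all' and no redirect is neutral."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    terms = txt.lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            return {"-": "strict", "~": "softfail"}.get(term[0], "permissive")
    return "delegated" if any(t.startswith("redirect=") for t in terms) else "permissive"

def mta_sts_status(policy):
    """Classify the body of /.well-known/mta-sts.txt; only mode 'enforce' counts."""
    fields = {}
    for line in (policy or "").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip().lower())
    if fields.get("version") != "stsv1":
        return "missing"
    return "enforced" if fields.get("mode") == "enforce" else "not-enforced"

CHECKS = {"dmarc": dmarc_status, "spf": spf_status, "mta_sts": mta_sts_status}
WEAK = {"dmarc": ("missing", "monitor-only", "partial"), "spf": ("missing", "permissive"),
        "mta_sts": ("missing", "not-enforced")}  # assumed thresholds for this example

def gaps(records):
    """Return {control: status} for every control that falls short of enforcement."""
    status = {name: check(records.get(name)) for name, check in CHECKS.items()}
    return {name: value for name, value in status.items() if value in WEAK[name]}

SAMPLES = {  # constructed records, not taken from any real domain
    "clinic.example": {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example",
                       "spf": "v=spf1 include:_spf.clinic.example ?all"},
    "hospital.example": {"dmarc": "v=DMARC1; p=reject", "spf": "v=spf1 ip4:192.0.2.10 -all",
                         "mta_sts": "version: STSv1\nmode: enforce\nmx: mx.hospital.example\nmax_age: 604800"},
}

if __name__ == "__main__":
    print({domain: gaps(records) for domain, records in SAMPLES.items()})
```

A `softfail` SPF result is not flagged here because it is commonly paired with an enforcing DMARC policy; tighten `WEAK` if your own baseline requires `-all`.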
Microsoft 365 is extensively used in healthcare for email, and while the platform includes multiple security tools, they do not necessarily equate to better security and fewer data breaches. The analysis revealed that 53% of email-related healthcare data breaches occurred in Microsoft 365 environments. What is clear is that healthcare organizations are exposing themselves to email-based attacks due to incomplete and poorly implemented configurations, and the security measures they have deployed have failed to keep pace with modern email threats.
As has long been the case, most email-related incidents are the result of phishing, spoofing, improper handling of emails, and credential compromise, and incidents from these causes are, in large part, preventable. Unless healthcare organizations address their foundational weaknesses in email security, email will remain a leading cause of cyberattacks and data breaches.
Paubox’s analysis of email security configurations found that 41% of breached organizations fell into a high-risk category. While that percentage should have fallen year-over-year, it actually increased from 31% of breached organizations in 2024. There were even cases in 2025 where the same organization experienced multiple email-related data breaches, showing they failed to understand and address the foundational email security weaknesses that were exploited.
It is foundational weaknesses in email security that create the biggest email security risk for healthcare organizations. While there is always a threat of novel and increasingly sophisticated attacks, in reality, there is no driving force compelling threat actors to seek new and more sophisticated attack methods, as the same tried and tested techniques exploiting common security weaknesses are still proving successful.
Looking forward to the rest of 2026 and beyond, healthcare organizations need to consider the foundational security weaknesses that are routinely being exploited, as this is where the bulk of the risk exists. “Future breaches are more likely to occur in environments where the same misconfigurations and security gaps have existed for years, rather than as the result of new attack techniques,” explained Paubox.
Addressing these risks is naturally important for preventing costly operational disruptions and data breaches, but it is also essential for HIPAA compliance. OCR has imposed several penalties for email-related data breaches – not for an individual being duped by a phishing email, but for basic security failures that made such an attack possible.
A comprehensive and accurate risk analysis to assess reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI is vital for HIPAA compliance, and even more important for avoiding penalties under OCR’s current HIPAA enforcement drive. OCR has also stated that it will be expanding this initiative to cover risk management, to ensure that identified risks are reduced to a low and acceptable level.
According to KnowBe4 research, phishing attacks increased by 17% year-over-year. Given the high risk of email-based attacks, the risk analysis must naturally cover email security and risks related to spoofing and phishing; however, Paubox warns that the risk analysis must also cover emerging risks. They include how emerging tools interact with existing infrastructure, AI tools processing PHI outside of sanctioned systems, whether DMARC and SPF are protecting against AI-generated outbound communications, whether encryption is being routinely applied or is reliant on user decisions, and whether logging and monitoring controls are capturing AI-assisted communications to the same extent as traditional email workflows.
One of the ways that risk can be managed is by reducing human decision points as far as possible, as human error and poor end user security decisions are inevitable. Previous Paubox research found that 86% of healthcare IT leaders admitted awareness that users were bypassing security controls to reduce workflow friction. When encryption was left to the discretion of employees, emails that should have been encrypted were not, either through employee error or the avoidance of workflow disruption. The simple solution for HIPAA compliance is to take the decision away from employees and enforce encryption for all emails in transit. That ensures HIPAA-compliant message delivery regardless of the sender, recipient, or message content. With Paubox, that can be achieved without portals, passwords, or additional steps that impact workflows.
The high number of security incidents in Microsoft 365 environments and the regularity with which threats are bypassing security controls show a clear need for augmented security. Paubox’s email security suite adds additional layers of security on top of Microsoft 365, Google Workspace, and Exchange security measures, without the need for plug-ins, additional staff training, or new workflows.
Through enhanced threat protection and the elimination of the workflow friction that leads employees to bypass security controls, healthcare organizations can make significant email security improvements, prevent email data breaches, and clearly demonstrate HIPAA email compliance in the event of a compliance audit or OCR investigation.