Medtronic breach exposes personal, medical data of 3.8M

Medtronic notified 3,834,294 people that names, contact details, dates of birth, Social Security numbers and health information were stolen in an April breach.

Medtronic is notifying 3,834,294 people that their personal and medical information was stolen after the extortion group ShinyHunters accessed the company’s corporate IT systems in April 2026, according to notification letters filed with state authorities.

The notices state the stolen information included names, contact details, dates of birth, Social Security numbers and health-related information. In a notification submitted to the California attorney general, Medtronic wrote, “We have no evidence that any of that information was posted publicly or exposed on the internet.” The company reported the total number of affected people as 3,834,294 to the Indiana attorney general.

ShinyHunters added Medtronic to a Tor-based leak site on April 17, claiming to have taken more than 9 million records of personal information and multiple terabytes of corporate data. The group later removed Medtronic from the site.

Medtronic confirmed the incident in late April and said its clinical products, manufacturing and distribution operations were not affected. The company is mailing written notices to affected individuals and is providing 24 months of free credit monitoring, dark web monitoring and identity theft restoration services.

Medtronic reported it has engaged third-party cybersecurity experts to investigate the intrusion, implemented additional safeguards to its systems, is cooperating with law enforcement and is notifying relevant regulatory authorities.

ShinyHunters is known for posting or selling stolen data through encrypted channels and Tor-based sites after exfiltrating information from corporate networks. The investigation into the intrusion and the full scope of the data taken are ongoing.

Articles by this author

No posts found.