Medtronic notifies impacted patients of data breach tied to April hack
While the total number of impacted individuals has not yet appeared on OCR's breach portal, Medtronic issued a notice to patients, and state attorney general breach reports have been trickling in.
Medtronic is notifying an undisclosed number of patients about a data breach that may have affected their personal information. The medtech company suffered a cybersecurity incident in April, when an unauthorized party accessed data stored in certain corporate IT systems.
Although the breach has not yet been displayed on the Office for Civil Rights' data breach portal, several state authorities have posted it on their own portals. In Texas, more than 297,000 individuals were impacted, along with 63,500 individuals in Massachusetts and 8,700 in Vermont.
The breach notices provided to the state attorneys general say that the unauthorized party maintained access to Medtronic's systems from April 13 to April 19, 2026.
"As a patient with a Medtronic medical device, our company collects data related to you in order to provide important product-related updates and to meet our legal obligations," Medtronic explained to impacted individuals.
The types of information impacted varied, but could have included names, Social Security numbers, contact information, birthdates and health-related information.
"At this time, we have no evidence that impacted information has been publicly posted or exposed on the Internet," Medtronic stated. "We have not identified any impact to product security or patient safety, including the ability of any Medtronic device to operate safely and deliver intended therapy. Additionally, we have not identified any impacts to our manufacturing and distribution operations or our ability to meet patient and customer needs."
The company offered impacted individuals 24 months of complimentary credit monitoring, identity theft restoration and dark web monitoring services.
Shortly after the incident occurred, prolific threat group ShinyHunters posted the Medtronic hack on its leak site, claiming to have stolen 9 million records. Later in April, the dark web listing was removed. Medtronic has not validated these claims.
ShinyHunters recently claimed responsibility for a cyberattack against Amazon's One Medical Senior Health, threatening to publish sensitive data unless it received payment.
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.