
Implantable orthopedic device maker TriMed discloses cyberattack 


TriMed's breach is the latest in a series of attacks against medical device manufacturers, with experts warning that disruptions to these companies can ripple directly into hospital supply chains and surgical scheduling.


What happened

TriMed, a California-based manufacturer of surgically implanted orthopedic hardware used to repair or replace damaged joints, has disclosed a cybersecurity incident in which certain files were potentially accessed or acquired without authorization. According to BankInfoSecurity, TriMed detected suspicious activity on certain IT systems and launched an investigation that determined unauthorized access occurred during an eight-day window between September 13 and September 21, 2025. The compromised files consisted of order forms and invoices that may have contained information related to medical device hardware and the individuals who received the products. In some cases, the documents included personal information such as names, dates of birth, medical record numbers, and details about the implant parts ordered, including device type, associated installation components, and the ordering surgeon's name. Social Security numbers, bank account data, and credit card information were not involved. The total number of affected individuals has not yet been publicly disclosed.


Going deeper

TriMed said it has reported the incident to law enforcement and is taking steps to enhance its data security posture, including strengthening existing security controls and threat detection practices and integrating a global security operations center. The nature of TriMed's business adds an additional dimension to the breach risk. Companies that manufacture implantable devices handle data that links specific patients to specific implanted hardware, including precise information about device type and surgical components. That information, combined with names and dates of birth, can be used for targeted fraud, insurance manipulation, or medical identity theft. IT systems disruptions at device manufacturers also carry downstream consequences for hospitals and surgical teams that depend on the timely delivery of patient-specific implants.


What was said

TriMed said in its breach disclosure that the steps it is taking include "strengthening existing security controls and threat detection practices, as well as integrating a global security operations center, all designed to help prevent this type of incident from recurring in the future." The disclosure was published in March 2026 following the completion of the company's internal investigation.


In the know

The TriMed breach follows a larger and more destructive incident at Stryker, a Michigan-based medical technology company with over 53,000 employees and $22.6 billion in global sales in 2024. According to BleepingComputer, on March 11, 2026, an Iranian-linked hacktivist group known as Handala compromised a Windows domain administrator account at Stryker, created a new Global Administrator account, and used Microsoft Intune, a cloud-based endpoint management tool, to remotely wipe approximately 80,000 devices across the company's global network. The attack forced some Stryker locations to revert to pen-and-paper workflows and disrupted order processing, manufacturing, and shipping, resulting in the rescheduling of some surgical procedures at hospitals, including CommonSpirit Health. CISA subsequently urged all U.S. organizations to harden their Intune environments against similar attacks, and the FBI seized four web domains linked to Handala's operations.


The big picture

Cyberattacks on medical device manufacturers represent a category of healthcare supply chain risk that is structurally different from breaches at hospitals or health plans. When a device maker's operations are disrupted, the consequences extend beyond data exposure to physical supply chain interruption, potentially affecting the availability of implants, surgical instruments, and other patient-specific products that hospitals cannot easily substitute on short notice. Scott Gee, deputy national cyber risk adviser at the American Hospital Association, said in comments cited by BankInfoSecurity that "third-party risk is arguably the biggest risk that hospitals and health systems face," adding that it is "critical that third-party providers work with hospitals to develop contingency plans to minimize the impact to healthcare delivery if a third-party supplier is unable to deliver much-needed supplies." According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure was the most common email breach pattern in 2025, responsible for 28 percent of all email incidents reported to HHS, with the report noting that "healthcare organizations report limited visibility into third-party cybersecurity controls, despite increasing reliance on vendors for core operations."


FAQs

What type of data is typically held by implantable medical device manufacturers, and why does it carry increased risk?

Device manufacturers handle records linking specific patients to specific implanted hardware, including device type, surgical components, surgeon identity, and patient identifiers. Exposure of this data can enable medical identity theft, insurance fraud, and targeted exploitation of individuals with known health vulnerabilities.


What is Microsoft Intune, and how was it abused in the Stryker attack?

Microsoft Intune is a cloud-based endpoint management platform used by organizations to remotely manage and configure devices across their network. In the Stryker attack, the threat actor compromised an administrator account, created a new Global Administrator account, and used Intune's built-in wipe command to erase data from approximately 80,000 devices simultaneously across the company's global operations.


How can cyberattacks on device manufacturers affect patient care at hospitals?

When a device manufacturer's ordering, manufacturing, or shipping systems are disrupted, hospitals may be unable to receive patient-specific implants or surgical components on schedule, potentially forcing procedures to be rescheduled or delayed. The disruption is particularly severe for time-sensitive surgeries where the required hardware must be ordered and prepared in advance.


What is the Handala hacktivist group, and how is it connected to Iran?

Handala is an Iran-linked, pro-Palestinian hacktivist group first documented in December 2023 and assessed by cybersecurity researchers to be connected to Iran's Ministry of Intelligence and Security. The group has conducted destructive wiper attacks primarily targeting organizations linked to Israel and its allies, and has been known to steal and publish data from compromised organizations alongside its destructive activity.


What steps should healthcare supply chain organizations take to reduce their exposure to similar attacks?

Organizations should implement network segmentation to prevent compromise of one system from spreading to others, enforce multi-factor authentication on all administrative accounts, restrict and monitor the use of endpoint management tools such as Intune, develop contingency plans for manual operations in the event of system disruption, and establish clear communication protocols with downstream hospital customers for managing supply chain interruptions.
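The "restrict and monitor the use of endpoint management tools" step above can be made concrete with detection logic. The following Python is an added example, not code from the original article and not any vendor's tooling. It runs over constructed audit records in a simplified, assumed schema (the `time`, `actor`, `operation`, `target` and `detail` field names and the `AddMemberToRole` and `WipeDevice` operation names are my placeholders, not Intune's or Entra ID's real export format) and raises two alerts that match the pattern described for the Stryker incident: a grant of the Global Administrator role, and a burst of remote wipe commands issued by a single principal within a short window. Routine, spaced-out wipes of lost laptops by a helpdesk account stay below the threshold.

```python
"""Flag privileged-role grants and bursts of remote wipe commands in
endpoint-management audit records (constructed sample data, assumed schema)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Roles and operations worth alerting on. These names are assumptions for the
# example, not the identifiers used by any real product's audit log.
PRIVILEGED_ROLES = {"Global Administrator"}
WIPE_OPERATIONS = {"WipeDevice"}


def parse_time(stamp):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed audit records: one role grant, two routine helpdesk wipes
    hours apart, and eight wipes from the newly created admin within two minutes."""
    events = [
        {"time": "2026-03-11T02:00:00Z", "actor": "domain-admin@example.test",
         "operation": "AddMemberToRole", "target": "Global Administrator",
         "detail": "new-ga@example.test"},
        {"time": "2026-03-11T02:30:00Z", "actor": "helpdesk@example.test",
         "operation": "WipeDevice", "target": "LOST-LAPTOP-17", "detail": ""},
        {"time": "2026-03-11T05:30:00Z", "actor": "helpdesk@example.test",
         "operation": "WipeDevice", "target": "LOST-LAPTOP-18", "detail": ""},
    ]
    base = parse_time("2026-03-11T02:10:00Z")
    for i in range(8):
        stamp = (base + timedelta(seconds=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        events.append({"time": stamp, "actor": "new-ga@example.test",
                       "operation": "WipeDevice", "target": f"DEVICE-{i:04d}",
                       "detail": ""})
    return events


def find_privileged_role_grants(events):
    """Every record that adds a member to a privileged directory role."""
    return [e for e in events
            if e["operation"] == "AddMemberToRole" and e["target"] in PRIVILEGED_ROLES]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per actor whose wipe commands reach `threshold` within `window`.

    Uses a two-pointer sliding window over each actor's sorted wipe timestamps.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["operation"] in WIPE_OPERATIONS:
            by_actor[e["actor"]].append(parse_time(e["time"]))

    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            # Advance j so that times[i:j] all fall within `window` of times[i].
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"actor": actor, "count": j - i,
                               "start": times[i], "end": times[j - 1]})
                break  # report the first qualifying window per actor only
    return alerts


def analyze(events):
    """Combine both detections into a single list of alert dictionaries."""
    alerts = []
    for grant in find_privileged_role_grants(events):
        alerts.append({"type": "privileged_role_grant", "actor": grant["actor"],
                       "granted_to": grant["detail"], "time": grant["time"]})
    for burst in find_wipe_bursts(events):
        alerts.append({"type": "wipe_burst", **burst})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(alert)
```

The threshold and window are tunable per environment; the point is that a legitimate wipe of a lost device is an isolated event, while a destructive campaign produces many wipes from one principal in minutes, and that a new privileged-role assignment shortly before such a burst is the combination worth paging on.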
