Medtronic faces class action over alleged data security failure

On April 24, 2026, Medtronic disclosed unauthorized access involving certain corporate information technology systems.

What happened

According to Medtronic, an unauthorized party accessed data in their systems, prompting the company to contain the incident, activate its incident response protocols, and bring in cybersecurity experts to support investigation and remediation. Medtronic found no impact on its products, patient safety, customer connections, manufacturing and distribution operations, financial reporting systems, or ability to meet patient needs.

Medtronic is still working to identify whether anyone accessed any personal information and plans to provide notifications and support services as needed. The Justia docket identifies the matter as Marquardt v. Medtronic, Inc., and lists a complaint filed against the defendant.

Going deeper

Marquardt v. Medtronic, Inc. turns Medtronic’s unauthorized system access disclosure into a court-tested privacy and cybersecurity dispute. The company maintained it had found no impact on products, patient safety, customer connections, manufacturing and distribution, financial reporting systems, or its ability to meet patient needs, while noting work remained underway to determine whether personal information may have been accessed.

Six days later, Sabrina Marquardt filed a federal complaint against Medtronic in the U.S. District Court for the District of Minnesota, with the docket listing diversity personal injury jurisdiction, a jury demand, and a complaint filed against the defendant. The legislative angle centers on breach notification and data protection duties.

Moving forward, the case is a matter of interpretation. HIPAA requires covered entities and business associates to notify affected individuals after a breach of unsecured protected health information, while state breach laws may apply if personal information was acquired without authorization.

What was said

According to Medtronic's press release, “We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems or our ability to meet patient needs.

The networks that support our corporate IT systems, our products and our manufacturing and distribution operations are separate. Hospital customer networks remain separate from Medtronic IT networks and are secured and managed by customers’ IT teams.”

Why it matters

Healthcare entities must be able to show which systems were touched in a cyber incident, which systems were isolated, what data was exposed, who may have been affected, and why care delivery remained protected.

An article on hospital cybersecurity from the Journal of Medical Internet Research supports this broader approach, finding, “The variable that most influences the risk of cyberattack in a hospital is endpoint complexity, followed by internal stakeholder alignment.” Large systems create risk, while aligned governance helps contain it.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What does class certification mean?

Class certification is the court’s decision to let a case proceed as a class action. Under Federal Rule of Civil Procedure 23, the court must decide certification at an early practicable time and must define the class, claims, issues, or defenses if certification is granted.

Are business associates directly responsible for HIPAA data security?

Yes. Business associates must comply with the applicable HIPAA Security Rule requirements for electronic protected health information.

Who is responsible when a business associate has a data breach?

The business associate has direct responsibility for its own HIPAA compliance and security failures.