The world's largest medical device manufacturer filed an SEC disclosure on April 24 after its listing vanished from the extortion group's site ahead of an April 21 ransom deadline, with ShinyHunters claiming 9 million records of personally identifiable information and terabytes of internal corporate data.
What happened
Medtronic, the world's largest medical device manufacturer by revenue, has confirmed a data breach of its corporate IT systems following claims by extortion group ShinyHunters that it stole more than 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. Medtronic was added to the ShinyHunters Tor-hosted leak site on April 17 and 18, 2026, with an April 21 deadline to open ransom negotiations. The listing disappeared from the site ahead of the deadline, a pattern typically associated with ongoing negotiations or ransom payment, and ShinyHunters did not include Medtronic in the mass data release it published from its other listed victims on April 22. Medtronic confirmed the breach publicly on April 24, 2026, alongside a Form 8-K filing with the U.S. Securities and Exchange Commission, stating that an unauthorized party had accessed data in certain corporate IT systems. The company has not verified the 9 million record figure and has not confirmed whether any ransom was paid. MiniMed Group, the diabetes technology subsidiary spun out of Medtronic, filed its own 8-K outlining the incident's potential impact on its operations.
Going deeper
ShinyHunters has been running a sustained campaign since mid-2025 targeting companies through compromised Salesforce instances, stolen OAuth tokens, and vishing attacks against single sign-on (SSO) accounts at Okta, Microsoft Entra, and Google. According to BleepingComputer, the group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens, using those tokens to access and download data from connected Salesforce instances. Medtronic has not publicly described the attack vector used against its systems, and it remains unclear whether the intrusion fits the broader Salesforce-focused pattern or originated through a different route. The April 21 deadline that ShinyHunters set for Medtronic was part of the group's standard extortion model: set a deadline, publish data when it passes, and keep the data online to maximise pressure on victims who have still not paid. The fact that Medtronic was excluded from the April 22 mass dump, despite the deadline having passed the day before, suggests behind-the-scenes engagement between the company and the threat actor.
What was said
ShinyHunters told BleepingComputer that "Salesforce remains our primary interest and target, the rest are benefactors," and confirmed responsibility for vishing attacks against Okta, Microsoft, and Google SSO accounts. Medtronic stated in its disclosure that "an unauthorized party accessed data in certain Medtronic corporate IT systems" and that it had "not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems, or our ability to meet patient needs." The company added that if personal data exposure is confirmed through the investigation, affected individuals will be notified and offered support services.
In the know
Medtronic reiterated in its disclosure that the networks supporting its corporate IT systems are separate from those running its medical device products and manufacturing operations. The company has said it will notify affected individuals and offer support services if personal data exposure is confirmed through its investigation. The Medtronic incident is the latest in a series of cyber events affecting medical device and healthcare technology manufacturers in 2026. In January, Massachusetts-based UFP Technologies notified the SEC of a cyberattack and data breach. In March, California implantable orthopedic device manufacturer TriMed announced a cyberattack, and medtech company Stryker experienced a wiper attack against its Microsoft environment that disrupted ordering, shipping, and manufacturing for several weeks.
The big picture
The Medtronic claim is directly relevant to healthcare organizations. Medtronic is one of the world's largest medical device manufacturers, supplying cardiac rhythm devices, insulin delivery systems, surgical tools, and a wide range of implantable and connected devices to hospitals globally. A breach of 9 million Medtronic records, if confirmed, would represent one of the most significant medical technology data exposures in recent memory. According to Paubox's Top 3 Healthcare Email Attacks report, 28 percent of all email-related healthcare breaches in 2025 involved a business associate or vendor, with breach sizes from third-party incidents typically larger and more expensive than direct organizational breaches. A compromised medical device manufacturer holds records that span patient data, device configurations, clinical trial information, and supply chain details, making the downstream exposure risk for connected health systems substantially wider than a standard corporate data theft.
FAQs
What does it mean when a victim disappears from the ShinyHunters leak site?
Removal typically signals that negotiations are underway or that a ransom has been paid. In documented cases, threat actors confirm deletion of stolen data only after reaching an agreement with the victim, though independent verification of actual data deletion is impossible.
How does ShinyHunters access Salesforce data without exploiting a Salesforce vulnerability?
The group uses stolen or socially engineered OAuth tokens to connect malicious third-party applications to a victim's Salesforce instance, then uses those connections to download data through Salesforce's own APIs. Salesforce's platform itself is not compromised; the attack exploits misconfigured integrations and stolen authentication credentials.
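One defensive angle on the pattern described above is to review API event logs for connected apps that are not on the organization's approved list or that read far more rows than normal. The script below is an added example, not Paubox's or Salesforce's code; the CSV layout is a constructed, simplified imitation of Salesforce Event Monitoring API event rows, and the allowlist, threshold and sample rows are assumptions made up for the illustration.

```python
"""Flag anomalous data reads by connected apps in Salesforce-style API event logs.

Assumptions: the column names are a simplified, constructed imitation of
Salesforce Event Monitoring 'API' events; ALLOWED_APPS and max_rows are
made up for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log: two connected apps, one approved and one unknown.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,20260417010203.000,005AAA,Approved Marketing Sync,203.0.113.10,Contact,200
API,20260417010210.000,005AAA,Approved Marketing Sync,203.0.113.10,Contact,150
API,20260417031500.000,005BBB,Data Loader Helper,198.51.100.7,Contact,250000
API,20260417031800.000,005BBB,Data Loader Helper,198.51.100.7,Account,120000
"""

# Connected apps the org has reviewed and authorized (constructed allowlist).
ALLOWED_APPS = {"Approved Marketing Sync"}


def parse_api_events(text):
    """Parse CSV text into a list of dicts with ROWS_PROCESSED as an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
    return rows


def flag_exports(rows, allowed_apps=ALLOWED_APPS, max_rows=100_000):
    """Return one finding per (connected app, user) that is either not on the
    allowlist or has read more than max_rows rows in total across entities."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    for r in rows:
        key = (r["CLIENT_NAME"], r["USER_ID"])
        totals[key] += r["ROWS_PROCESSED"]
        ips[key].add(r["CLIENT_IP"])
    findings = []
    for (client, user), total in totals.items():
        reasons = []
        if client not in allowed_apps:
            reasons.append("unapproved connected app")
        if total > max_rows:
            reasons.append(f"bulk read of {total} rows exceeds {max_rows}")
        if reasons:
            findings.append({"client": client, "user": user, "rows": total,
                             "ips": sorted(ips[(client, user)]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_exports(parse_api_events(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the allowlist would come from the org's connected-app inventory and the row threshold from a per-app historical baseline rather than a fixed constant.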
Why is Medtronic's potential breach particularly relevant to healthcare organizations?
Medtronic supplies medical devices and connected health technology to hospitals and health systems globally. A breach exposing 9 million records could include patient identifiers tied to device registrations, warranty data, and clinical information, creating downstream exposure risk for every health system that uses Medtronic products and shares patient data through that relationship.
What is the vishing method ShinyHunters uses against SSO accounts?
Attackers call employees posing as IT support staff and direct them to enter credentials and MFA codes on phishing pages that replicate the company's real login portal. Once captured, those credentials give attackers access to the victim's SSO account, which is then used to access connected SaaS platforms and download data.
What should healthcare organizations do if a vendor appears on an extortion group's leak site?
Immediately assess whether your organization shares PHI or operational data with that vendor, review your business associate agreement and the vendor's breach notification obligations, and request written confirmation from the vendor of whether the claim is under investigation. Do not wait for the vendor to disclose on its own: the HIPAA notification timeline runs from when the covered entity discovers, or should have discovered, the breach.