An SEC filing disclosed on March 11, 2026, that Stryker had identified a cybersecurity incident affecting certain information technology systems. The incident caused a global disruption to its Microsoft environment and prompting the company to activate its cyber response plan, bring in outside advisors, and investigate the scope of the attack. Ultimately, however, the lawsuit against Stryker was dismissed.

 

What happened

Stryker is a global medical technology company that makes products and services for MedSurg, Neurotechnology, and Orthopedics to support patient and healthcare outcomes. In customer updates and later SEC filings, the incident was noted to have disrupted business operations but did not indicate that patient-related services or connected medical products were affected. By April 9, it reported that manufacturing, commercial, ordering, and distribution systems had been restored. Soon after the disclosure, current and former employees sued Stryker, alleging that the attack likely compromised their protected identifiable information (PII).

Stryker moved to dismiss the consolidated litigation on June 22, arguing the plaintiffs lacked standing because its investigation found no evidence that their PII was accessed and because none had received breach notices from Stryker. The plaintiffs then voluntarily withdrew their claims, and Judge Hala Jarbou dismissed the case without prejudice, leaving open the possibility that claims could be refiled if later facts support them.

 

The backstory

According to the SEC filing, “On March 11, 2026, Stryker Corporation (“we” or the “Company”) identified a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company’s Microsoft environment.” Stryker later said the disruption affected core business operations, including order processing, manufacturing, and shipping, though it said it did not indicate that patient-related services or connected medical products were affected.

A report from Reuters said the Iran-linked group Handala claimed responsibility for the attack, framing it as retaliation connected to military action involving Iran; however, Stryker’s own public filings focused on operational disruption rather than confirming the attackers’ claimed data-theft and device-wiping figures.

 

In the know

Handala is described by the U.S. Department of Justice as part of an Iranian cyber-enabled influence and harassment ecosystem that uses destructive or disruptive cyberattacks, stolen-data leaks, doxing, and messaging to pressure perceived enemies of Iran. The group’s targets have included Iranian dissidents, journalists, people associated with Israeli government or military entities, and Jewish community targets, while Rapid Response Mechanism Canada separately documented Handala’s 2025 hack-and-leak campaign against Iran International journalists, where stolen personal material was published and amplified across websites, social media, Telegram, Iranian news sites, and AI chatbots.

According to the Department of Justice's press release, Handala claimed responsibility on March 11, 2026, for a destructive malware attack against a U.S.-based multinational medical technologies firm and framed it as retaliation for cyber activity against the Axis of Resistance. It should be noted that the report from Reuters cautiously linked the incident to Handala through the group’s claim of responsibility rather than through confirmation from Stryker.

 

Why it matters

A similar outcome occurred in In re A-Line Staffing Solutions Data Security Incident Litigation, where former employees sued after a ransomware attack allegedly compromised employee PII. The court found that the plaintiffs had standing to bring the case but still dismissed their claims because they had not plausibly connected their alleged injuries to the breach itself.

As one Digital Health indexed study put it, “Hacking/IT incidents are the most prevalent forms of attack behind healthcare data breaches,” and those incidents continue to drive exposure, notification, and litigation risk. Paubox’s 2026 Healthcare Email Security Report adds useful industry context, finding that 74% of breached domains had ineffective Domain-based Message Authentication, Reporting, and Conformance (DMARC) protection. DMARC is an email security control that helps stop attackers from spoofing a trusted organization’s domain.

Although DMARC was not the cause of the Stryker breach, weak email authentication can make phishing and impersonation easier, increasing the risk that attackers gain access to employee or patient data through trusted-looking messages. The Stryker dismissal, therefore, shows that operational disruption and legal standing are separate issues, and plaintiffs generally need facts tying the incident to their own compromised data.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

What is the difference between operational disruption and a data breach?

Operational disruption means systems, workflows, ordering, manufacturing, shipping, or internal tools were affected. A data breach means someone accessed, acquired, or disclosed information without authorization.

 

Can employees sue after a cyberattack on their employer?

Yes, but a lawsuit still has to meet legal requirements. A simple summary of these can be condensed to:

  • Their data was exposed or misused.
  • The employer had a duty to protect that data.
  • The employer failed to use reasonable security.
  • The failure resulted in exposure or harm.
  • They suffered concrete damages, such as identity theft, fraud, costs, or lost time.
  • If filed as a class action, the case must also meet class action rules.

 

What does ‘dismissed without prejudice’ mean?

A dismissal without prejudice means the case is closed for now, but the plaintiffs may be able to bring the claims again if new facts support them.