Stryker says cyberattack impacted Q1 earnings, brought lawsuits
Farah Amod
April 28, 2026
Stryker has disclosed in an amended SEC filing that the March 11 attack will affect its first-quarter financial results, while at least six employee lawsuits have been filed over the theft of personal data.
What happened
Stryker Corporation has confirmed in an amended Form 8-K/A filed with the US Securities and Exchange Commission on April 9, 2026, that the March 11 cyberattack carried out by Handala, an Iran-linked hacktivist group, had a material impact on the company's operations and first-quarter financial results. According to Cybersecurity Dive, the company has not yet quantified the financial effect and will provide details when it reports Q1 earnings on April 30, 2026. Stryker said it does not expect the incident to have a material impact on its full-year 2026 guidance, which projects organic net sales growth of 8 to 9.5 percent and adjusted earnings per share of $14.90 to $15.10. The company is now fully operational across its global manufacturing network, with commercial ordering and distribution systems restored as of the filing date. At least six employee lawsuits have been filed against Stryker, with plaintiffs claiming the company failed to protect their personal data.
Going deeper
The investigation confirmed that the attackers gained access by compromising a Windows domain administrator account, creating a new Global Administrator account, and using Microsoft Intune's built-in wipe command to remotely erase approximately 80,000 devices. Investigators found that the attackers inserted a malicious, non-malware file to run commands that concealed their activity from threat detection tools, and confirmed the file could not spread inside or outside the environment. According to BleepingComputer, no evidence of unauthorized activity has been found since March 11, and the immediate risk to Stryker's operational environment has been mitigated. Handala claimed to have exfiltrated 50 terabytes of data before wiping devices, though investigators found no indication that data was actually exfiltrated. The SEC filing identified multiple ongoing risks, including revenue, operating income, and cash flow effects, litigation exposure, regulatory scrutiny, and reputational damage.
What was said
In its amended SEC filing, Stryker stated that it "determined that the cyberattack had a material impact on its operations, with resulting impact to its financial results for the first quarter of 2026," while adding that it "believes the incident has not had, and is not reasonably likely to have, a material impact on its 2026 full-year guidance." Stryker confirmed in an April 1 update cited by Becker's Hospital Review that "production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems," and that "overall product supply remains healthy, with strong availability across most product lines."
In the know
The attack forced several health systems to restrict connectivity with Stryker and led to the rescheduling of some surgical procedures, including cases at CommonSpirit Health, due to Stryker's temporary inability to deliver patient-specific implants and surgical components. Following the attack, CISA issued guidance urging all US organizations to harden their Microsoft Intune environments, and the FBI seized two web domains operated by Handala. According to Becker's Hospital Review, hospital security leaders responding to the incident described it as a reminder of "the importance of third-party risk management, resiliency, and identity management," with Loma Linda University Health using the incident as a prompt to change how it manages access to its own Microsoft 365 and Intune platforms.
The big picture
A geopolitically motivated attack on a Fortune 500 medical device manufacturer translating into material financial impact within a single quarter sets a clear precedent for how state-linked cyber operations now carry direct commercial consequences for the healthcare supply chain. Stryker's exposure to Q1 earnings impact came not from ransomware but from the abuse of a legitimate endpoint management tool that wiped devices across 61 countries in a matter of hours. Healthcare organizations that depend on medical device suppliers as extensions of their own clinical operations now face the same supply chain disruption risk that hospital IT teams have traditionally associated with ransomware attacks on their own systems. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure accounted for 28% of all email-related healthcare breaches in 2025, with organizations reporting limited visibility into third-party cybersecurity controls despite heavy reliance on vendors for core operations.
FAQs
What does a material impact on quarterly earnings mean in SEC disclosure terms?
A material impact is a financial effect important enough that a reasonable investor would consider it relevant to their decision-making. Stryker's characterization of the attack as material in its 8-K/A filing obligates the company to disclose specific financial figures when it reports Q1 results on April 30.
Why did Stryker's investigation find no malware despite devices being wiped?
The attackers used a malicious file to run commands through Microsoft Intune's legitimate wipe function rather than deploying self-propagating malware. No malware was needed because the attackers had administrator-level access to a legitimate enterprise management platform capable of erasing devices remotely at scale.
What legal exposure does Stryker face from the employee lawsuits?
At least six lawsuits have been filed by employees claiming Stryker failed to protect their personal data from the Handala attack. The lawsuits represent a growing pattern in which data theft incidents trigger civil litigation alongside regulatory scrutiny, compounding the direct operational costs of a breach.
How does an attack like this affect hospital operations even when their own systems are not compromised?
Hospitals depend on medical device manufacturers for patient-specific products such as implants and surgical components that must be ordered and delivered on tight timelines. When a manufacturer's ordering, manufacturing, or shipping systems are disrupted, hospitals may have no substitute available, forcing them to reschedule procedures that cannot proceed without the required hardware.
What controls would have reduced the risk of this specific attack?
Restricting Global Administrator account creation to require multi-party approval, implementing Conditional Access policies that limit which accounts can issue Intune wipe commands, and monitoring for anomalous administrative activity in Entra ID would each have raised the barrier to executing this type of attack.
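The monitoring control described in this answer can be expressed as detection logic over administrative audit events. The following is an added example, not code from Stryker, Microsoft, or any source cited in this article; the event schema, field names, account names, timestamps, and thresholds are constructed assumptions and do not reproduce the real Entra ID or Intune audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (assumed field names,
# not the real Entra ID / Intune audit log export format).
SAMPLE_EVENTS = [
    {"time": "2026-01-01T02:00:00", "actor": "da-admin", "action": "create_user",
     "target": "svc-helpdesk2"},
    {"time": "2026-01-01T02:03:00", "actor": "da-admin", "action": "add_role_member",
     "target": "svc-helpdesk2", "role": "Global Administrator"},
    {"time": "2026-01-01T02:10:00", "actor": "it-ops", "action": "device_wipe",
     "target": "LAPTOP-0001"},
] + [
    {"time": f"2026-01-01T02:20:{i:02d}", "actor": "svc-helpdesk2",
     "action": "device_wipe", "target": f"PC-{i:04d}"} for i in range(12)
]

def detect(events, new_account_window=timedelta(hours=24),
           wipe_window=timedelta(minutes=10), wipe_threshold=10):
    """Return alerts for (a) Global Administrator granted to a recently
    created account and (b) one actor issuing a burst of device wipes."""
    alerts, created, privileged_new = [], {}, set()
    recent_wipes = defaultdict(deque)   # actor -> wipe timestamps inside the window
    bursting = set()                    # actors already alerted for a burst
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["action"] == "create_user":
            created[ev["target"]] = ts
        elif ev["action"] == "add_role_member" and ev.get("role") == "Global Administrator":
            born = created.get(ev["target"])
            if born is not None and ts - born <= new_account_window:
                privileged_new.add(ev["target"])
                alerts.append(("new_global_admin", ev["target"], ev["actor"]))
        elif ev["action"] == "device_wipe":
            q = recent_wipes[ev["actor"]]
            q.append(ts)
            while ts - q[0] > wipe_window:   # drop wipes older than the window
                q.popleft()
            if len(q) >= wipe_threshold and ev["actor"] not in bursting:
                bursting.add(ev["actor"])
                # A burst from a freshly privileged account is the worst case.
                severity = "critical" if ev["actor"] in privileged_new else "high"
                alerts.append(("wipe_burst", ev["actor"], severity))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single wipe issued by the routine operations account stays below the threshold, while the burst from the newly privileged account is raised as critical; the thresholds would need tuning against an organization's normal device-retirement volume.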
