Medtronic says ShinyHunters hackers stole around 9 million medical records in latest attack

In a security notification published on its website, Medtronic said the attack does not affect its customers or products, and also stressed it will continue operating as usual, without any disruptions:

“We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems, or our ability to meet patient needs,” Medtronic said in its announcement. “The networks that support our corporate IT systems, our products and our manufacturing and distribution operations are separate.”

Were subsidiaries affected, too?

It said that its hospital customer networks are separate from Medtronic IT networks and are “secured and managed by customers’ IT teams.”

Besides the data breach notification, the company also filed a new 8-K report with the US Securities and Exchange Commission (SEC). Some sources have found that a Medtronic subsidiary called MiniMed Group also submitted a regulatory filing, stating that the attack most likely did not spill into its IT system and that it does not expect any material impact.

Medtronic is widely recognized as the largest pure-play medical device manufacturer in the world by revenue. It operates in more than 150 countries and employs just under 100,000 people.

Last week, the infamous ShinyHunters ransomware group added Medtronic to its website, saying they stole more than nine million records. The records allegedly included personally identifiable information (PII) and internal corporate data. Since then, the Medtronic entry was removed from the leak site, suggesting that the company either paid the ransom or is, at least, negotiating the release of the files.

Medtronic has not yet commented on being removed from the data leak website.

Via BleepingComputer