Medtronic tells customers their personal data was stolen in ShinyHunters raid
The medical device giant confirms hackers rifled through its corporate systems for nearly a week in April, exposing names, Social Security numbers and health details.

Key points
- Medtronic says an unauthorised intruder was inside its corporate IT systems from April 13 to April 19, 2026.
- The extortion crew ShinyHunters claimed to hold 9 million Medtronic records and demanded payment by April 21.
- Stolen data may include names, contact details, dates of birth, Social Security numbers and health information.
- Medtronic insists its medical devices are unaffected and safe to use.
- Affected customers are being offered 24 months of free credit monitoring and identity theft protection.
Medtronic, one of the world's biggest makers of pacemakers, insulin pumps and surgical kit, has started writing to customers to tell them their personal information was stolen in a data breach earlier this year.
The company first spotted something odd on its internal computer systems on April 15, 2026. It called in outside cybersecurity investigators, who worked out that an intruder had been quietly rummaging through those systems for almost a week, from April 13 to April 19.
What the intruder took is the sort of data identity thieves love. Full names. Contact details. Dates of birth. Social Security numbers. Health-related information.
No one is claiming a pacemaker got hacked. Medtronic is very clear that its medical devices themselves were not touched and remain safe to use. The break-in was on the corporate side of the house — the office network, not the hospital equipment.
Who stole the data?
A well-known extortion group calling itself ShinyHunters claimed the attack. This is a crew that specialises in stealing large databases from big companies and then demanding a ransom, meaning a payment to keep the files from being dumped online.
ShinyHunters listed Medtronic on its dark web leak site — a hidden webpage the group uses to name and shame victims — on April 18, and said it was sitting on more than 9 million records. It set a deadline of April 21 to pay up.
Then the listing quietly vanished from the leak site later that month, as first reported by BleepingComputer. Medtronic will not say whether it paid, but tells customers the stolen data was not exposed online. Whether that means the ransom was paid, negotiated down, or the crooks simply moved on is anyone's guess.
ShinyHunters has been busy for years. The group is best known for scraping data out of poorly-locked cloud storage accounts, particularly Salesforce environments, and then squeezing the owners for cash. It is less a shadowy hacker collective than a repeat shoplifter with a very large getaway van.
What should Medtronic customers do?
Take the free protection and use it. Medtronic is offering 24 months of credit monitoring and identity theft protection, which watches for someone trying to open loans or accounts in your name. Sign up.
Beyond that, the usual sensible steps apply. Be wary of phone calls, texts or emails that seem to know a suspicious amount about you — that's called social engineering, where scammers use real personal details to sound convincing before asking for money or passwords. Medtronic will not ring you out of the blue asking for your Social Security number.
Check your bank and health insurance statements more often than usual for the next year or so. If something looks wrong, flag it early.
For context on the scale here: Medtronic operates in 150 countries, employs 95,000 people and reported annual revenue of $33.5 billion. A breach at a company that size, holding health data on millions, is not a footnote. It is exactly the kind of target ShinyHunters and its imitators will keep hunting until the economics change.



