ShinyHunters Breach Hits Medtronic: 3.8 Million Patients' Medical Records Stolen
The extortion group ShinyHunters broke into the medical device maker's systems in April 2026, walking away with names, Social Security numbers, and sensitive health details belonging to nearly four million people.

Key points
- ShinyHunters broke into Medtronic's corporate systems in April 2026, stealing data on 3,834,294 individuals.
- Stolen records include names, dates of birth, Social Security numbers, and health-related details.
- ShinyHunters initially claimed theft of more than 9 million records before quietly removing Medtronic from its leak site — a common sign a ransom was paid.
- Medtronic told California regulators it has "no evidence" the stolen data was posted publicly.
- Affected individuals are being offered 24 months of free credit monitoring and identity theft support.
Medtronic, the Minnesota-based company that makes pacemakers, insulin pumps, and dozens of other medical devices, is now notifying nearly 3.8 million people that criminals stole their personal and medical information in a breach that happened this past April.
The group responsible is ShinyHunters — a well-known extortion crew tracked by security vendors under that same name, with a long history of large-scale data theft going back to at least 2020. They don't plant ransomware — malicious software that locks a company's files until a payment is made — in the traditional sense. Their model is simpler and arguably nastier: steal sensitive data, post it to a hidden website on the Tor network (a part of the internet designed to hide identities), and threaten to release it publicly unless the victim pays.
On April 17, ShinyHunters listed Medtronic on that leak site, claiming to hold more than nine million records and terabytes of internal corporate data. The listing has since disappeared.
When extortion groups quietly pull a victim off their leak site, it almost always means one thing.
Medtronic has not confirmed or denied paying. The company told the Indiana Attorney General's Office that exactly 3,834,294 people were affected. It confirmed to regulators that the stolen records include names, contact information, dates of birth, Social Security numbers, and health-related details — the kind of information that makes identity theft straightforward and medical fraud genuinely dangerous.
What should affected patients do right now?
Medtronic is mailing written notification letters to everyone affected, and it is offering two years of free credit monitoring and dark web monitoring — services that watch for your personal information appearing in criminal marketplaces — along with identity theft restoration help if something goes wrong. Accept that offer. If you receive a letter, enroll promptly; the window to sign up is typically limited.
Beyond that, consider placing a free credit freeze with the three major bureaus — Equifax, Experian, and TransUnion — which stops anyone from opening new credit accounts in your name. A freeze costs nothing and can be lifted any time you need it.
Medtronic says its medical devices and manufacturing operations were not affected. Your pacemaker or insulin pump is fine.
From an attribution standpoint, ShinyHunters' TTPs — tactics, techniques, and procedures, meaning the specific methods a criminal group habitually uses — overlap with several prior large-scale database theft operations. Medium confidence only: the group has historically used stolen credentials obtained through phishing, where criminals send fake emails to trick employees into handing over passwords, to access cloud-stored corporate databases. Whether that was the entry point here, Medtronic has not said.
The company says it is working with law enforcement and has brought in outside cybersecurity experts to review its defences.



