There’s an update to the Medtronic breach first disclosed in April, when the ShinyHunters group listed the medical device company as a victim and claimed to have stolen roughly 9 million records. Medtronic has now notified affected customers directly, confirming that attackers accessed sensitive customer data, including both personal and medical information.
Separately, ShinyHunters has removed its Medtronic listing from its leak site, and the data it claimed to have stolen was never published. In ransomware and extortion operations, a listing being taken down without the data surfacing publicly is typically read as a signal that the victim paid a ransom to prevent disclosure; groups generally don’t remove listings out of goodwill.
It’s worth noting that a payment, if one occurred, only secures a promise not to publish or further distribute the data — it doesn’t undo the fact that the data was accessed and copied, nor does it guarantee the attacker (or anyone they may have already shared or sold data to) won’t misuse it later. Organizations and affected individuals should treat the exposure as real regardless of the payment outcome.
For any organization holding personal or medical data, this incident is a reminder that breach notification obligations and customer protection measures (credit monitoring, fraud alerts) shouldn’t be delayed or scaled back based on assumptions about whether a ransom was paid or whether stolen data appears publicly. Once data has left your environment, treat it as exposed.