# Healthcare Sector Threat Intelligence, Indexed. Sixteen Posts, Five Operators, Every Brand In Your May 8 Watch List Found. The Zero-Result Bridge.
- Patrick Duggan
- 11 hours ago
- 4 min read
On May 8 a single IP hit our IOC search endpoint with fifty queries against named healthcare and education brands. Medtronic, Stryker, Kaiser Permanente, Optum, CVS Health, Express Scripts, Accredo, ESI/Rx, Moderna, GE Healthcare. Plus the education adjacency: PowerSchool, Schoology, Anthology, Blackboard, Nike. Each query returned zero results.
The reason every query missed is the same one that produced our Iran-ICS index post earlier tonight. Every query used a brand name as the search token. Our IOCs are tagged with malware family, operator handle, and infrastructure domain. The vocabulary did not match. The coverage exists.
This is the bridge. Sixteen posts on healthcare-sector threat intelligence over the last six months, mapped to the brands and the operators behind the breaches.
## The named operators
Handala wiper crew (Iran MOIS-aligned). Three-sector targeting cadence: medical devices first, government second, defense third. April 27 post — "Handala Hit Medical Devices, Then Government, Then Defense. Here Are the Three Sectors Iran's MOIS Is Hunting." Same crew that hit Stryker on Pi Day weekend (March 11). The pattern recurred across weeks.
ShinyHunters extortion group. May 8 post — "Warning: Eight Names On Our ShinyHunters Watch List. GE Healthcare Has 2,124 Pre-Staged IOCs. Moderna and Nike Already in the Phishing Infrastructure." We named eight environments with pre-staged ShinyHunters infrastructure correlated to the same operator cluster. Five days later, ShinyHunters reset the Canvas/Instructure ransom deadline and started individual negotiations with Penn and Duke — confirming the watch list cadence was right.
Iran's two cyber wings (MOIS and IRGC, separately). May 9 post — "Iran's Two Cyber Wings Are Running ICS Campaigns at the Same Time. CISA Just Confirmed It." Two distinct operational tempos against ICS and OT targets. The May 11 CISA AA26-097A advisory named three additional Iranian operators under the Kitten convention — covered in "Twenty-Eight Kittens."
Storm-2561 (Microsoft-tracked). May 7 post — "9 New Ivanti CVEs Across 4 Products On May 6. Storm-2561 Has the Pattern. The Clock Started Yesterday." Healthcare-adjacent because Ivanti EPMM is mobile device management used widely in hospital systems.
The vish chain (Microsoft-confirmed May 3). Our March 19 warning to Medtronic's security mailbox documented an in-progress voice-phishing campaign chained through helpdesk cross-tenant impersonation. Microsoft published the same playbook on May 3 under the title "Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook." Forty-three day lead time. Receipts in "We Predicted Medtronic. The Receipts" (May 2) and "Microsoft Just Published the Vish Chain We Warned Medtronic About" (May 3).
## The brand-to-post map
For practitioners who searched a brand name on May 8 and got zero results:
Medtronic — March 19 warning sent; April 19 public post; April 24 Medtronic confirmed unauthorized access; April 27 Item 7.01 filed (not Item 1.05); May 2 "We Predicted Medtronic. The Receipts"; May 3 Microsoft confirmed; May 6 Doppel sent us a trademark takedown demand for the warning post.
Stryker — March 11 "Stryker Got Hit. Iran's Cyber War Just Found Your Hospital. Block Who We Say." Direct call-out, full IOC list. We had indexed 1,014 Stryker subdomains and the Handala infrastructure cluster days before the breach.
Datavant — March 25 "We Scored 8 Medical Device Companies on Pi Day. Two Got Hit." Datavant got hit via a Langflow CVE chain documented in our April 9 post "Three Langflow CVEs in Two Weeks. CISA Says Active Exploitation. We Have the IPs."
Baxter — March 15 "The Medical Device Companies Invisible to AI Are the Ones Getting Breached" identified Baxter's DoseIQ and Claria patient-infrastructure exposure during the Pi Day medical-device scoring exercise.
GE Healthcare, Moderna, Optum, Kaiser Permanente, CVS, Express Scripts, Accredo, Anthology, Blackboard, PowerSchool — all named in the May 8 ShinyHunters watch list post. Pre-staged infrastructure correlations live in our iocs index under malware_family attribution. Three of the eight watch-list names had IOCs before the May 7 Canvas disclosure.
## The cross-cutting themes
Item 1.05 disclosure exposure. The Medtronic case is the precedent for what happens when a regulated issuer skips SEC Item 1.05 in favor of Item 7.01. The misaligned incentives of brand-protection vendors that suppress security warnings are documented in our May 6 Doppel post.
Pre-breach IOC indexing. Across every named healthcare victim in the last sixty days — Stryker, Medtronic, Datavant, Baxter — the IOCs were in our index days to weeks before the breach landed in mainstream coverage. The lead-time receipts are the quantified-ledger entries (seven entries as of May 12).
The medical-device-first sequence. Handala's documented targeting cadence puts medical devices and healthcare infrastructure first in the operator's queue, not last. Hospital systems, device manufacturers, and pharmacy benefit managers are the leading-edge targets in the Iranian cyber war, not the trailing-edge ones.
HIPAA OCR + state breach notification timelines. Every healthcare incident this quarter has triggered both federal (HIPAA OCR 60-day window from discovery) and state breach-notification timelines. The Doppel/Medtronic post lays out the regulatory exposure math.
## How to consume this
If you defend a healthcare network and you came here from a search engine query that returned zero: pull the IOCs from our STIX feed at analytics.dugganusa.com/api/v1/stix-feed. Filter on malware_family tags for Handala, ShinyHunters, TeamPCP-Cipherforce, and Storm-2561. Run them against your DNS logs, your EDR, and your firewall blocklist. The feed is free, unauthenticated, STIX 2.1, and updates daily.
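One way to run that filter-and-match step offline, as an added example and not the feed's own tooling: it reads a STIX 2.1 bundle, keeps only indicators tagged with a watched malware_family, pulls the domain out of each indicator pattern, and checks resolver log lines for exact or subdomain matches. The bundle, the `malware_family:<name>` label layout, every IOC value, and the DNS log format are constructed assumptions for this example; the real feed at analytics.dugganusa.com/api/v1/stix-feed may tag families differently.

```python
import json
import re
# Constructed STIX 2.1 bundle standing in for one pull of analytics.dugganusa.com/api/v1/stix-feed.
# The "malware_family:<name>" label layout and every IOC value here are assumptions, not real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--1", "pattern_type": "stix",
     "labels": ["malware_family:Handala"], "pattern": "[domain-name:value = 'handala-c2.invalid']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--2", "pattern_type": "stix",
     "labels": ["malware_family:ShinyHunters"], "pattern": "[domain-name:value = 'sso-login.invalid']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3", "pattern_type": "stix",
     "labels": ["malware_family:OtherFamily"], "pattern": "[domain-name:value = 'other.invalid']"},
]})

WATCH_FAMILIES = {"handala", "shinyhunters", "teampcp-cipherforce", "storm-2561"}
PATTERN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")  # single-comparison patterns only
QUERY_RE = re.compile(r"\bquery=(\S+)")

def extract_domains(bundle_json, families=WATCH_FAMILIES):
    """Map IOC domain -> family for indicators carrying a watched malware_family label."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        tags = [lab.split(":", 1)[1].lower() for lab in obj.get("labels", [])
                if lab.lower().startswith("malware_family:")]
        family = next((t for t in tags if t in families), None)
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if family and match:
            iocs[match.group(1).lower().rstrip(".")] = family
    return iocs

def match_dns_log(lines, iocs):
    """Return (line, ioc, family) for each query equal to an IOC or a subdomain of one."""
    hits = []
    for line in lines:
        found = QUERY_RE.search(line)
        query = found.group(1).lower().rstrip(".") if found else ""
        for ioc, family in iocs.items():
            if query == ioc or query.endswith("." + ioc):
                hits.append((line, ioc, family))
    return hits

# Constructed resolver log lines; only the first and third should match.
SAMPLE_DNS = [
    "2026-05-12T03:14:07Z client=10.0.0.21 query=handala-c2.invalid. type=A",
    "2026-05-12T03:14:09Z client=10.0.0.22 query=www.hospital.invalid type=A",
    "2026-05-12T03:15:01Z client=10.0.0.23 query=cdn.sso-login.invalid type=A",
    "2026-05-12T03:15:02Z client=10.0.0.24 query=other.invalid type=A",
]
```

Indicators whose family is not on the watch list are dropped before matching, and a trailing dot on a fully qualified query is normalised so it still matches.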
If you want the long-form context, the sixteen posts above are on www.dugganusa.com searchable by title. The search endpoint that returned zero for "medtronic" or "kp.org" returns everything for "Handala" or "MOIS" or "ShinyHunters" or "Storm-2561." We will fix the vocabulary bridge in our search relevance separately; this post is the bridge tonight.
If you came here from somewhere else: this is the operational primer on the healthcare-sector cyber threat landscape we've been mapping since November. Read the named-operator posts first, then the brand-specific call-outs. The receipts are timestamped.
— Patrick Duggan, May 12, 2026
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
