In March We Named Medical Device Makers 'The Ones Getting Breached.' Then Medtronic, Stryker, Intuitive Surgical and UFP Proved It. We Caught Two and Missed Two — Here's the Honest Sector Map.
- Patrick Duggan
- 1 hour ago
- 4 min read
On March 15 we published a post with a thesis in the title: the medical device companies invisible to AI are the ones getting breached. Four months later that thesis has been proven four times over, and we owe you an honest accounting — because on two of those four we were early with receipts, and on the other two we went quiet at exactly the moment we should have been loudest. A threat-intel shop that only maps its wins is selling a brochure. This is the sector map with the misses in it.
Why medical is back on our board
The numbers moved from bad to structural. As of mid-2026, 99% of hospitals operate devices carrying known, exploited vulnerabilities. Medical devices average 6.2 vulnerabilities each, and 60% of them are end-of-life with no patch coming — not unpatched, unpatchable. Healthcare now absorbs 17% of all ransomware across every industry, hospital ransomware attacks rose about 30% in 2025 to 293 recorded incidents, and the average US healthcare breach reached $10.22 million, up roughly 9% in a year. This is no longer a vertical that gets hit occasionally. It is the single most-targeted soft surface in the economy, and the attackers have shifted to dual extortion: steal the patient data first, encrypt second, and threaten release either way.
What we caught — the receipts
Medtronic. On April 17, ShinyHunters posted that they had breached Medtronic and taken records on roughly nine million people. We had flagged Medtronic's exposure 39 days before that disclosure through our brand-attack methodology. When they confirmed it, we published the receipt rather than the reaction. That is the whole game: the comparator timestamp beside our own, not a victory lap after the fact.
Stryker. On March 11 we tied Stryker's exposure to Iran's cyber operations and named the vulnerability class, and days later CISA's deadline landed on the exact class that hit them. We published the block list the same week.
Those two are the model. Now the harder half.
What we missed — named flat
Intuitive Surgical. On March 13 — two days after our Stryker post — Intuitive Surgical, the maker of the da Vinci robotic surgery platform, had an unidentified third party get into its internal IT business applications through phishing, exposing customer and employee data. It happened inside the same wave we were actively writing about. We did not cover it. That is a miss, and it is our wheelhouse: a device maker, a phishing door, a third-party pivot — the exact shape we had just described.
UFP Technologies. On February 14, UFP Technologies — a manufacturer for the medical device industry — took a classic ransomware hit that disrupted billing and customer delivery-label systems, with company data either stolen or destroyed. The "or destroyed" is the part that should have pulled us in, because destruction rather than pure encryption points toward a wiper, and a wiper against a device-supply-chain manufacturer is a different threat than a payday. We did not write it up. Second miss.
Two caught, two missed, out of four device-industry breaches in a single 2026 wave. We are not going to round that up. The methodology that flagged Medtronic 39 days early is real; the discipline of keeping the sector map current is what slipped, and the misses are the proof of the slip.
The freshest one, with the timing told straight
This month TriWest Healthcare Alliance — the administrator that runs TRICARE West for the Department of Defense — notified 11,844 beneficiaries of a breach. The exposed data includes names, DoD Benefits Numbers, and ZIP codes, with Social Security numbers, dates of birth, and addresses in fewer than five cases. Here is the timing detail the headlines blur: the intrusion happened on April 16, and the notification letters went out in early July. That is not a fresh July attack. It is an April breach that took two and a half months to surface, and the lag is the story — because military beneficiaries had their DoD Benefits Numbers in an attacker's hands for a full quarter before anyone told them. Attack vector: undisclosed as of writing, which we will note rather than guess at.
The pattern the four share
Across Medtronic, Stryker, Intuitive Surgical, UFP, and now TriWest, the target is not the hospital bedside. It is the manufacturer, the administrator, the third party that sits upstream of the bedside and holds either the data or the trust that reaches it. The device is the brand; the breach is in the business IT and the supply chain behind it. That is why perimeter-and-endpoint thinking keeps missing it — the exposure is the corporate attack surface of a company whose logo happens to be on a medical device, and the blast radius is every patient and provider downstream.
What we're doing about the mess
This vertical earned a maintained map and stopped getting one after May. So this post re-establishes the spine, and it is honest about why it was needed: we let coverage lapse while the thesis kept getting proven. Our Minnesota healthcare block list and the Stryker and Medtronic IOC work remain live on the feed, and the brand-attack methodology that called Medtronic early is running. What changes is cadence — medical is back on the standing board, and the next device-industry breach gets threaded the day it surfaces, not a quarter later. If you run security for a hospital system, a device manufacturer, or a benefits administrator, the takeaway is not a product pitch. It is that your corporate IT and your third parties are the medical attack surface now, the sector is the most-targeted one there is, and the honest number of breaches nobody caught in time is not zero — ours included.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
