Medtronic Sent a Perjury-Backed Takedown to Bury Our Breach Warning. Today They Are Mailing 9 Million People to Confirm It Was Right. The Trademark They Cited Covers Renting Out Surgical Equipment.
- Patrick Duggan
- 1 hour ago
We are going to tell this one in full, in order, with every load-bearing claim tied to a document you can pull yourself. That matters more than usual here, because the last time we published about this company, their response was not to dispute a fact. It was to send a lawyer. So this is the version with the receipts stapled to it — and the receipts include Medtronic's own words, filed with the United States Securities and Exchange Commission under penalty of federal securities law. You cannot send a takedown against your own 8-K.
The Short Version
On March 19, 2026, we warned Medtronic's Product Security team, in writing, about the exact attack chain that was about to be used against them. They did not engage. In April, they were breached in precisely that way. On May 3, Microsoft published the same attack chain we had sent them. On May 6, Medtronic's answer to being proven right arrived: a trademark takedown demand, sworn under penalty of perjury, citing a Medtronic trademark that covers the temporary rental of surgical equipment. And now, in July, Medtronic is mailing millions of Americans to tell them their Social Security numbers and health records were stolen — while the one SEC filing that would have said "this is material," the mandatory one, was never filed at all. Here is each piece.
March 19: We Warned Them, With a Delivery Receipt
On March 19, we emailed [email protected] and described the specific chain we believed was coming: a voice call into a corporate helpdesk impersonating an internal employee, a request to reset that employee's multi-factor authentication, a login, a walk straight into Salesforce, and an export of the customer file as a CSV. We received an autoresponder from [email protected] confirming the message was delivered. We kept the timestamp. The warning was not engaged.
That chain is not exotic. It is the signature playbook of ShinyHunters — the group Mandiant tracks as UNC6040 — and it is the same method they had already run against a long line of Salesforce-connected victims. We did not need a crystal ball. We needed to read the pattern and send an email. We sent the email.
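For defenders, that chain is easier to catch as a sequence than as isolated events: a helpdesk-performed MFA reset, then a login from a new device, then a bulk CRM export by the same account. The following is an added example, not code from this blog or from any vendor report; the event schema, the four-hour window, and the 10,000-row threshold are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names and values are assumptions
# for illustration, not a real identity-provider or Salesforce log schema.
EVENTS = [
    {"ts": "2026-01-10T14:02:00", "user": "a.rivera", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2026-01-10T14:09:00", "user": "a.rivera", "type": "login", "new_device": True},
    {"ts": "2026-01-10T14:31:00", "user": "a.rivera", "type": "crm_export", "rows": 250000},
    {"ts": "2026-01-10T09:00:00", "user": "b.chen", "type": "mfa_reset", "actor": "self"},
    {"ts": "2026-01-10T09:05:00", "user": "b.chen", "type": "login", "new_device": False},
    {"ts": "2026-01-10T16:00:00", "user": "c.okoye", "type": "crm_export", "rows": 400000},
    {"ts": "2026-01-11T08:00:00", "user": "d.patel", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2026-01-11T08:04:00", "user": "d.patel", "type": "login", "new_device": True},
    {"ts": "2026-01-11T08:30:00", "user": "d.patel", "type": "crm_export", "rows": 120},
]

WINDOW = timedelta(hours=4)   # assumed correlation window
ROW_THRESHOLD = 10000         # assumed cutoff for a "bulk" export


def find_chains(events, window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Return (user, reset_ts, export_ts, rows) for each
    helpdesk MFA reset -> new-device login -> bulk export sequence."""
    alerts = []
    state = {}  # user -> {"reset": datetime, "login": datetime or None}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        st = state.get(user)
        if st and ts - st["reset"] > window:
            state.pop(user)   # chain expired without completing
            st = None
        if ev["type"] == "mfa_reset" and ev.get("actor") == "helpdesk":
            state[user] = {"reset": ts, "login": None}
        elif st and ev["type"] == "login" and ev.get("new_device"):
            st["login"] = ts
        elif (st and st["login"] and ev["type"] == "crm_export"
              and ev.get("rows", 0) >= row_threshold):
            alerts.append((user, st["reset"].isoformat(), ts.isoformat(), ev["rows"]))
            state.pop(user)
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print("ALERT", alert)
```

Only the account that completes all three steps inside the window is flagged; a large export with no preceding reset, or a reset followed by a small export, is not.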
April: The Breach Happened Exactly As Described
Medtronic later confirmed the timeline itself: suspicious activity identified on April 15, and unauthorized access to certain corporate IT systems confirmed for the window of April 13 to April 19. On April 17, ShinyHunters listed Medtronic on their extortion portal and claimed more than nine million records, with a payment deadline days later. The listing was subsequently pulled, and the data was not published to the public forum — which some will read as good news. It is not. A listing that vanishes and data that never surfaces publicly is the signature of a transaction that closed, not a threat that evaporated.
May 3: Microsoft Published Our Warning, Word for Word
On May 3, Microsoft Security published a report titled "Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook." It describes, step for step, the chain we had sent Medtronic six weeks earlier: helpdesk impersonation, MFA reset, login, Salesforce, CSV export. When the largest security organization on earth publishes your March warning in May, the warning was not a guess. It was intelligence, and it was early.
May 6, 05:16 UTC: Their Answer Was a Lawyer
At 5:16 in the morning UTC on May 6, a trademark takedown demand landed in our inbox. It came through Doppel — an AI-powered "brand protection" company — attested to under penalty of perjury, with Medtronic's enforcement team copied on it. The post they wanted deleted was the one noting that Microsoft had just published the chain we warned Medtronic about. They disputed none of the facts in it. They asserted a trademark instead.
Read that sequence slowly, because it is the whole story in miniature: a company received a specific, timestamped warning about how it would be breached, ignored it, got breached exactly that way, watched Microsoft confirm the method, and then spent legal money trying to erase the public record that the warning had ever existed.
The Trademark They Swore To Covers Renting Out Surgical Equipment
Here is where it collapses into farce, because we did the one piece of homework their takedown bot did not: we looked up the trademark they cited under penalty of perjury. It is USPTO Registration 5055675, owned by Medtronic, Inc., in International Class 044. We are quoting the government record: the mark covers "providing temporary rental of surgical and medical equipment."
We do not rent surgical equipment. We have never rented surgical equipment. We publish threat intelligence and operate a STIX 2.1 feed. A perjury-backed legal instrument was fired at a security-research blog on the theory that our warning about a breach infringed a trademark for the temporary rental of scalpels and monitors. Nobody at Doppel, and nobody on Medtronic's enforcement team who was copied on it, looked up the registration number in their own filing before swearing to it. We did. It took ninety seconds.
The 8-K They Filed — and the One They Never Did
This is the part that is new since we last wrote, and it is the part with regulatory teeth, so we pulled it straight from EDGAR.
On April 27, Medtronic filed an 8-K with the SEC attaching a statement dated April 24. In their own words: "an unauthorized party accessed data in certain Medtronic corporate IT systems." So far, so honest. But look at how they filed it and what they said. The filing went in under Item 7.01 — Regulation FD Disclosure, the voluntary channel a company uses to share information it has decided is not material. It did not go in under Item 1.05 — Material Cybersecurity Incident, the mandatory channel the SEC created in 2023, which requires disclosure within four business days of determining an incident is material. And the statement contained this sentence: "We currently do not expect a material impact on our business or financial results."
Across every 8-K Medtronic filed from March through July 2026 — earnings, an executive change, the breach statement — Item 1.05 never appears once. They disclosed the breach through the door marked "not material," and they said so in writing.
Now hold that against what is in the mail. Medtronic is notifying roughly 3.8 million individuals that their names, dates of birth, Social Security numbers, and health information were exposed, with 24 months of credit monitoring attached. Three point eight million Social Security numbers is the definition many people would reach for when they hear the word "material." The company that told the SEC it did not expect a material impact is simultaneously mailing millions of Americans to tell them their most sensitive identifiers are gone.
To be scrupulously fair, because that is the entire point of this post: a company is allowed to determine that an incident is not material and disclose it voluntarily under 7.01. That determination is theirs to make, and whether it survives SEC scrutiny is the SEC's to decide, not ours. What is not a matter of opinion is the public record: they chose the voluntary door, they asserted non-materiality in writing, they never filed Item 1.05, and the notification volume is 3.8 million people with SSNs and health data. We are not rendering the verdict. We are handing you the filing.
A Note On Our Own Number, Because Precision Is the Whole Game
The headline on this post says nine million. That is ShinyHunters' claim — more than nine million records — and it is the figure that was circulating when we first published. Medtronic has not confirmed it. The confirmed human figure, from Medtronic's own notifications, is roughly 3.8 million individuals. Records are not people; one person can sit in many records. Claimed is not confirmed. We are telling you both numbers and which is which — because that distinction, the one between what was alleged and what is established, is exactly the discipline the party sending perjury-backed takedowns over surgical-equipment trademarks could not be bothered to observe. We hold ourselves to it even when it makes our own headline number smaller. That is the difference, in one paragraph.
The Brand-Protection Math Is Inverted
Doppel's entire pitch is that it protects a brand's reputation from harm on the internet. So let us be precise about what actually harmed Medtronic's reputation. It was not our blog post. It was the breach, the ignored March warning, the millions of exposed Social Security numbers, the "not material" filed with the SEC, and the decision to spend legal money attacking the messenger instead of fixing the message.
We did not damage Medtronic's brand. We tried to protect it, for free, on March 19 — and the enforcement machinery that is supposed to defend the brand was pointed instead at the one party that told the truth early. If you are a CISO whose "brand protection" vendor is generating perjury-backed takedowns against researchers who name your exposure, understand what you are buying: a service that suppresses the warning and does nothing about the wound. The warning was cheap. The suppression contract was not. The disclosure exposure is in a different order of magnitude entirely. That math inverted years ago, and the brand-protection industry has not told its customers.
Why We Are Enjoying This — And Where We Are Not
We are going to enjoy this one, and we have earned the right to. Not because a company got breached: 3.8 million people having their Social Security numbers and health records stolen is not funny, and those 3.8 million did nothing wrong. We are enjoying it because an institution that was handed the answer in March, ignored it, got hit exactly as described, watched Microsoft confirm the method, and then tried to legally erase the person who warned them, is today mailing millions of individually stamped confessions that the warning was right and their response to it was wrong.
Every one of those envelopes is a receipt. We kept ours too: the March 19 delivery confirmation, the Microsoft report that matched it line for line, the takedown timestamped 5:16 UTC, the trademark registration for renting surgical equipment that somebody swore to without reading, and the SEC filings that say "not material" over a breach that is now 3.8 million notification letters. Ninety-five percent confidence, as always, that we have this right. The remaining five percent is reserved for the possibility that somewhere in those envelopes is a coupon for temporary surgical-equipment rental. We would not want to infringe.