
We Scored 8 Medical Device Companies on Pi Day. Two Got Hit.

  • Writer: Patrick Duggan
  • Mar 25
  • 4 min read

Updated: Apr 25



*March 25, 2026 — DugganUSA*


On March 14th — Pi Day — we published an attack surface analysis of eight medical device companies. We enumerated subdomains, cross-referenced against CISA's Known Exploited Vulnerabilities catalog, checked our STIX feed for matching IOCs, and scored each company's exposure.
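The cross-referencing step described above, as an added illustration that is not DugganUSA's tooling: a minimal matcher that pulls `domain-name` values out of STIX 2.1 indicator patterns and checks an enumerated subdomain list against them. The bundle, indicator ids and hostnames are constructed for the example.

```python
"""Cross-reference enumerated subdomains against STIX 2.1 domain-name indicators.
Added example; the bundle and hostnames are constructed, not a real feed or
any company's real attack surface."""
import json
import re

# Constructed STIX 2.1 bundle fragment with two indicator objects.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed phishing domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'portal.example.org'] OR "
                    "[domain-name:value = 'login.example.org']"},
    ],
})

# Constructed hostnames, as a subdomain enumeration tool might emit them
# (mixed case, trailing dot) to show the normalisation step.
ENUMERATED_HOSTS = ["www.example.com", "vpn.example.com", "C2.Example.NET.",
                    "mail.example.org", "login.example.org"]

# Only the domain-name equality comparison is handled here; full STIX
# patterning (other object types, operators) is out of scope.
_DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")

def indicator_domains(bundle_json):
    """Map each indicator domain (lower-cased, no trailing dot) to its indicator id."""
    found = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for dom in _DOMAIN_RE.findall(obj.get("pattern", "")):
            found[dom.lower().rstrip(".")] = obj["id"]
    return found

def match_hosts(hosts, indicators):
    """Return {host: indicator_id} for hosts equal to an indicator domain or
    sitting underneath one; a bare TLD is never treated as a match."""
    hits = {}
    for raw in hosts:
        host = raw.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels) - 1):        # walk up through parent zones
            candidate = ".".join(labels[i:])
            if candidate in indicators:
                hits[host] = indicators[candidate]
                break
    return hits
```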


Stryker had 1,014 subdomains and documented ties to Iranian threat actor Handala. We wrote: "Stryker is exposed."


Three days earlier, Handala had already wiped 200,000 of their devices.


## The Timeline



**February (late)**: Pay2Key, an Iran-linked ransomware gang operating since 2020, compromises a U.S. medical institution through a stolen administrator account. They wait for days, then deploy ransomware in three hours. No data exfiltrated. No ransom demanded. This wasn't about money. This was a dry run.


**March 11**: Handala compromises Stryker's Microsoft Intune administrator account and pushes a coordinated factory reset to every enrolled device. 200,000 servers, laptops, and phones across 79 countries go dark simultaneously. The DOJ later confirms Handala is Iran's Ministry of Intelligence and Security.


**March 14 (Pi Day)**: We publish our medical device vertical analysis. Eight companies scored:


| Company | Subdomains | KEV Matches | IOCs in Feed | Assessment |
|---------|:---:|:---:|:---:|---|
| Stryker | 1,014 | Yes | 233 | **Hit by Handala March 11** |
| Baxter | 470 | Yes | 2,620 | DoseIQ/Claria patient infra exposed |
| Datavant | — | n8n CVE active | 0 | Healthcare data company |
| Medtronic | — | — | 43 | Surgical robotics |
| Intuitive Surgical | 13 | Clean | 0 | Scored clean in 13 seconds |
| + 3 others | Various | Various | Various | Scored and documented |


**March 20**: FBI seizes four Handala domains. DOJ formally attributes attacks to Iran MOIS.


**March 24**: Axios reports Iran-linked hackers hit a **second U.S. medical institution**. Victim unnamed. Pay2Key identified as the threat actor.


**March 25**: You're reading this.


## Two Groups, One Vertical, One Window



This isn't coincidence. Two different Iranian threat groups — Handala (MOIS) and Pay2Key — targeted U.S. healthcare within the same three-week window. The Stryker attack was explicitly claimed as retaliation for a U.S. airstrike on an Iranian school. The second attack used a different group but identical targeting logic: healthcare, U.S.-based, high-value disruption.


Iran doesn't have one cyber operation. They have several, operating under different names with different tools, coordinated at the strategic level even if the tactical execution differs. Handala used a wiper through Intune. Pay2Key used ransomware through a compromised admin account. Both chose healthcare.


## What The Data Told Us



When we scored the medical device vertical on Pi Day, the IOC data was already screaming:


- **233 Handala-linked IOCs** including wiper hashes and C2 infrastructure — indexed by March 16, five days after the attack

- **2,620 Baxter IOCs** — the highest in the vertical, with exposed patient-facing infrastructure (DoseIQ, Claria)

- **85 Handala IOCs** in our STIX feed, cross-referenced against Iranian military intelligence operations

- **Unit 42 published** a threat brief specifically about March 2026 Iran cyber escalation


The data was public. The IOCs were in feeds. The pattern was documented. Stryker still lost 200,000 devices.


## What Medical Device Companies Should Do Right Now



1. **Audit your MDM**. Stryker was wiped through Intune — their own device management tool. If you use Intune, JAMF, or any MDM, audit admin access immediately. Require MFA on every admin account, and alert on mass device actions.


2. **Check our STIX feed**. We have 85 Handala IOCs and 233 Stryker-specific indicators. The feed is free: analytics.dugganusa.com/stix


3. **Assume you're targeted**. If you make medical devices and sell to U.S. healthcare, you're on the list. Iran is targeting the vertical systematically, not opportunistically.


4. **The unnamed second victim** could be announced any day. If you haven't checked your exposure, check it now. We scored eight companies in one afternoon. You can score yours in minutes.


5. **PreCog is watching**. Our precursor detection system flagged 5 of 8 signals elevated yesterday, including adversary infrastructure reboot. The system that called the Christmas Eve DDoS three hours early is watching this vertical in real time.


## The Point



We scored eight companies. Two got hit. The data was there before both attacks. The IOCs were indexed. The pattern was documented.


The gap between having the data and acting on it is where 200,000 devices get wiped.




*Patrick Duggan is the founder of DugganUSA LLC. The medical device vertical analysis, STIX feed, and PreCog precursor detection system are available at analytics.dugganusa.com. The DugganUSA STIX feed is free and consumed by 275+ organizations in 46 countries.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*


