Last updated: July 5, 2026 at 9:01 AM UTC
Tag: healthcare (10 articles)

Medtronic notifies customers after ShinyHunters breach of corporate systems

Medical device maker Medtronic has begun notifying customers that their personal data was exposed in a breach of its corporate IT systems earlier this year, an attack claimed by the extortion group ShinyHunters. Medtronic noticed unusual activity in mid-April and its investigation found that an unauthorized actor had access between April 13 and 19. ShinyHunters claimed to hold roughly nine million records containing personal and internal corporate data, and Medtronic did not pay, with its listing later removed from the group's leak site. The company says its products, patient safety, and the networks running its medical devices were not affected, crediting separation between corporate and clinical systems.

Check
People who have dealt with Medtronic as customers, patients, providers, or partners should watch for their notification and stay alert to phishing or fraud that references Medtronic or medical accounts.
Affected
Individuals whose personal data sat in Medtronic's corporate IT systems, accessed between April 13 and 19; ShinyHunters claimed about nine million records, though device networks and patient safety were not affected.
Fix
Affected people should monitor for targeted phishing and identity fraud. Organizations should segment corporate IT from operational and clinical systems, harden SaaS and identity against social engineering, and enforce phishing-resistant MFA.

Healthcare AI vendor Xsolis breach exposes data on 1.4 million people

Xsolis, a US healthcare technology company whose AI software is used by more than 600 hospitals and insurers for utilization management and reimbursement decisions, has disclosed a breach affecting 1,396,519 people. Attackers got in through a targeted phishing attack on an employee in January, accessing files containing patient data Xsolis handles for its clients. The exposed information includes names, dates of birth, addresses, Social Security numbers, health insurance details, and medical treatment information. Because Xsolis is a vendor, affected individuals may never have dealt with it directly; downstream health systems including Mayo Clinic are among those whose patients are impacted.

Check
Healthcare organizations should check whether they share data with Xsolis and confirm their breach-notification obligations; affected individuals should watch for medical, insurance, and identity fraud and any Xsolis-related notice.
Affected
Patients and health-plan members whose data Xsolis processed for hospitals and insurers (1,396,519 affected); exposed Social Security numbers and medical information carry lasting identity-theft and medical-fraud risk.
Fix
Affected people should enroll in the offered monitoring, freeze credit, and watch insurance statements. Healthcare organizations should strengthen phishing-resistant MFA, map which vendors hold patient data, and tighten access to health-data repositories.

Cardiac monitoring firm iRhythm says patient health data stolen in attack

iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.

Check
Healthcare and other organizations should review how third-party-hosted business applications are secured and monitored, and confirm that help desks and staff can resist social-engineering attempts to grant access.
Affected
iRhythm patients and others whose protected health information and personal data sat in the affected third-party business applications; clinical systems, devices, and financial data were reportedly not involved.
Fix
Enforce phishing-resistant MFA and strong identity verification on third-party SaaS, limit and log access to systems holding health data, and rehearse social-engineering scenarios with staff and help-desk teams.

Novo Nordisk says clinical trial patient data stolen in breach

Novo Nordisk, the pharmaceutical giant behind Wegovy and Ozempic, has disclosed that attackers copied data from its internal IT systems, including information on patients in some of its clinical trials. The company stressed the patient data was de-identified, containing fields like patient ID, year of birth, sex, biomarkers, and lifestyle factors rather than names or direct identifiers. Novo has not said how many people are affected or named the attacker, and is not offering credit monitoring, instead advising patients and healthcare professionals to stay alert for unexpected messages or calls. Pharma firms are increasingly targeted for their valuable research and patient data.

Check
Patients in Novo Nordisk trials and contacted healthcare professionals should watch for unexpected calls or messages referencing the company or a trial, and verify any such contact through official channels.
Affected
Patients in some Novo Nordisk clinical trials whose de-identified data (patient ID, year of birth, sex, biomarkers, lifestyle factors) was copied, plus healthcare professionals the company has contacted.
Fix
There is no direct user fix; stay alert for targeted phishing referencing the breach. Pharma and research organizations should tighten access controls, monitoring, and segmentation around trial and research data stores.

Dental-benefits provider DentaQuest added to Have I Been Pwned with 2,553,599 breached accounts; healthcare-themed phishing risk

Have I Been Pwned has added US dental-benefits provider DentaQuest to its breach corpus with 2,553,599 unique email addresses. DentaQuest is one of the largest dental and vision benefits administrators in the United States, serving Medicaid, Medicare, and commercial members. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Healthcare and insurance data carries elevated risk: affected members should anticipate benefits-themed phishing, claim-status lures, and identity-theft attempts, and should rotate any reused passwords. It is among the larger US healthcare-adjacent breaches surfacing recently.

Check
Check whether your organization's email addresses appear in HIBP's DentaQuest entry. Warn affected staff about dental and medical-benefits-themed phishing (claim status, coverage updates, refund lures) over the next 60-90 days.
Affected
2,553,599 unique email addresses tied to DentaQuest dental and vision benefits members (Medicaid, Medicare, commercial). Healthcare data elevates identity-theft and benefits-phishing risk.
Fix
Affected individuals: rotate your DentaQuest password and any password reused elsewhere, enable MFA, and monitor benefits statements. Organizations: add DentaQuest to breach-monitoring watchlists and brief staff on healthcare-themed social engineering.
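The two checks above (which staff addresses appear in the DentaQuest entry, and whether a password about to be rotated is already known to be breached) as an added Python example. This is not HIBP's code. It assumes HIBP's domain-search endpoint returns a JSON object keyed by alias (the local part of the address) with a list of breach names per alias, that the breach is named "DentaQuest" in HIBP, and it uses the public Pwned Passwords k-anonymity range endpoint; the sample responses are constructed and nothing is sent over the network.

```python
"""Added example: filter an HIBP domain-search response to one breach and
do a k-anonymity Pwned Passwords lookup. Not HIBP's code; see assumptions."""
import hashlib
import json

# Assumption: the domain-search endpoint (API key + verified domain required)
# returns {"alias": ["BreachName", ...], ...}. The breach name is assumed.
HIBP_DOMAIN_SEARCH = "https://haveibeenpwned.com/api/v3/breacheddomain/{domain}"
HIBP_PW_RANGE = "https://api.pwnedpasswords.com/range/{prefix}"
BREACH_NAME = "DentaQuest"

# Constructed sample response for example.com, not real HIBP data.
SAMPLE_DOMAIN_RESPONSE = json.dumps({
    "alice": ["DentaQuest", "Collection1"],
    "bob": ["LinkedIn"],
    "carol": ["DentaQuest"],
})

# Constructed range-endpoint body: one "SUFFIX:COUNT" line per hash suffix.
# The middle line is the SHA-1 of "password" minus its 5-char prefix; the
# count is made up for the example.
SAMPLE_RANGE_BODY = "\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "2C5A5F6A8E1D3E5F7A9B1C3D5E7F9A1B3C5:1",
])


def domain_search_request(domain: str, api_key: str) -> dict:
    """URL and headers for the domain search; the request is not sent here."""
    return {
        "url": HIBP_DOMAIN_SEARCH.format(domain=domain),
        "headers": {"hibp-api-key": api_key, "user-agent": "breach-watchlist-check"},
    }


def accounts_in_breach(response_body: str, domain: str, breach: str = BREACH_NAME) -> list:
    """Full addresses at `domain` whose alias appears in `breach`."""
    data = json.loads(response_body)
    aliases = sorted(alias for alias, breaches in data.items() if breach in breaches)
    return [f"{alias}@{domain}" for alias in aliases]


def pwned_password_range(password: str) -> tuple:
    """k-anonymity split: only the 5-character SHA-1 prefix leaves the host."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def breach_count(range_body: str, suffix: str) -> int:
    """Number of times `suffix` was seen in the range response, 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    print(domain_search_request("example.com", "REDACTED")["url"])
    print(accounts_in_breach(SAMPLE_DOMAIN_RESPONSE, "example.com"))
    prefix, suffix = pwned_password_range("password")
    print(HIBP_PW_RANGE.format(prefix=prefix), breach_count(SAMPLE_RANGE_BODY, suffix))
```

The password check never sends the password or its full hash: the range endpoint receives five hex characters and returns every suffix that shares them, and the match is made locally. The domain search, by contrast, needs a paid key and proof of domain ownership, which is why the request is only built here, not sent.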

Oncology Institute confirms patient data exposure via third-party breach; reports point to Cognizant-owned TriZetto (3.4M+ patients in original incident)

The Oncology Institute, a US outpatient cancer-care network, has filed an SEC 8-K confirming that patient information was exposed in a third-party vendor breach. Kroll, acting as the vendor's third-party administrator, notified the company on May 20 that unauthorized access had been detected. The vendor is not officially named, but multiple reports point to Cognizant-owned TriZetto Provider Solutions, which previously disclosed a breach in March 2026 affecting more than 3.4 million patients via its provider-portal infrastructure. The Oncology Institute first flagged the incident in a November 2025 8-K. The vendor has set up a patient portal for inquiries.

Check
If your organization uses TriZetto Provider Solutions or other Cognizant healthcare-data services, request a fresh breach assessment from your account team, and audit your data-sharing agreements to understand the blast radius if a processor is compromised.
Affected
Patients of The Oncology Institute and the wider TriZetto Provider Solutions ecosystem (3.4M+ patients in the original March 2026 disclosure). Healthcare providers using TriZetto for eligibility verification are exposed.
Fix
Notify affected patients per HIPAA. Tighten third-party risk reviews for healthcare-data processors. Implement strict data-handling SLAs in vendor contracts with breach notification deadlines.

Telehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed

OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.

Check
Search HR and benefits records for employee enrollments in telehealth programs (weight loss, men's health, hormone therapy) that may run on OpenLoop's backend, and review supplier security questionnaires for any telehealth vendor.
Affected
Patients of any consumer telehealth platform that uses OpenLoop Health as its clinical infrastructure provider. 716,000 individuals confirmed via HHS OCR; threat actor Stuckin2019 claimed 1.6 million.
Fix
Affected individuals should enroll in the free IDX credit and identity monitoring OpenLoop is offering, and watch for medical-themed phishing for at least 12 months. Treat unexpected appointment reminders or prescription notices as suspect until verified.

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API; those are the request patterns the two critical bugs rely on. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate any API tokens issued before the patch was applied, since they may have been exposed via CVE-2026-24898.
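The log audit above as an added Python example, not OpenEMR project code. It scans Apache/nginx combined-format access logs for the two request patterns: POSTs to a MedEx handler (worst when they come from outside the management network) and _sort values on the patient REST API that are not bare column names. The MedEx path, the API base path under /apis/<site>/api/, the internal address ranges and the sample log lines are all assumptions or constructed for the example; adjust them to your deployment.

```python
"""Added example: flag the two OpenEMR request patterns in web access logs.
Paths, address ranges and sample lines are assumptions, not OpenEMR code."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions about the deployment being audited.
MEDEX_PATH = re.compile(r"/medex", re.IGNORECASE)                     # MedEx handler lives here
PATIENT_API = re.compile(r"^/apis/[^/]+/api/patient(?:/|$)", re.IGNORECASE)
SAFE_SORT = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")                  # bare column, optional '-'
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the MedEx path is a placeholder, not the real one.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2026:09:01:12 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 5123
203.0.113.7 - - [20/Apr/2026:09:02:44 +0000] "POST /interface/medex/recall.php HTTP/1.1" 200 812
198.51.100.23 - - [20/Apr/2026:09:03:10 +0000] "GET /apis/default/api/patient?_sort=lname HTTP/1.1" 200 19420
198.51.100.23 - - [20/Apr/2026:09:03:11 +0000] "GET /apis/default/api/patient?_sort=lname%27%20OR%201%3D1-- HTTP/1.1" 500 0
10.0.0.9 - - [20/Apr/2026:09:04:00 +0000] "POST /interface/medex/recall.php HTTP/1.1" 200 812
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(log_text: str) -> list:
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target = m["ip"], m["ts"], m["method"], m["target"]
        parts = urlsplit(target)
        # Pattern behind CVE-2026-24898: a token-returning POST to the MedEx
        # handler. Every POST is reported; external sources are marked.
        if method == "POST" and MEDEX_PATH.search(parts.path):
            findings.append({"rule": "post-medex", "ip": ip, "ts": ts,
                             "target": target, "external": not is_internal(ip)})
        # Pattern behind CVE-2026-24908: _sort on the patient API carrying
        # anything other than a bare column name (quotes, spaces, operators).
        if PATIENT_API.match(parts.path):
            for value in parse_qs(parts.query).get("_sort", []):
                if not SAFE_SORT.match(value):
                    findings.append({"rule": "suspicious-sort", "ip": ip, "ts": ts,
                                     "target": target, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The query string is decoded before the allow-list test because the server logs the raw request line, so the injected quote arrives as %27. Feed the script your real logs with `scan(open(path).read())` after replacing the placeholder paths and address ranges.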

Microsoft exposes Storm-1175 - China-based ransomware group deploying Medusa with zero-day exploits in under 24 hours

Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed, sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized more than 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.

Check
Review your internet-facing asset inventory. Storm-1175 specifically scans for exposed web applications running Exchange, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Affected
Organizations running any of: Microsoft Exchange, Ivanti Connect Secure/Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, BeyondTrust, Oracle WebLogic - especially if internet-facing and not fully patched.
Fix
Patch all internet-facing systems immediately; Storm-1175 weaponizes new CVEs within days. Enable tamper protection on Microsoft Defender and set the DisableLocalAdminMerge policy so that exclusions an attacker adds locally are ignored in favor of the centrally managed list. Monitor for credential-theft indicators (LSASS access, WDigest caching). Block Rclone and unauthorized RMM tools at the perimeter. Prioritize alerts for new account creation and web shell deployment.
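Because the playbook above runs in under 24 hours, a single alert for any one stage is easy to lose; what matters is several stages landing on the same host within the window. The following added Python example, which is not Microsoft's detection logic, maps Windows Security and Sysmon events to the five playbook stages and flags hosts showing two or more distinct stages within 24 hours. The event field names (EventID, TimeCreated, Computer, CommandLine, TargetObject, TargetFilename), the matching patterns and the sample events are assumptions constructed for the example; Event IDs 4720 and 4688 are Security log account-creation and process-creation events, 11 and 13 are Sysmon file-create and registry-value-set events.

```python
"""Added example: correlate Windows events against the Storm-1175 stages.
Field names, patterns and sample events are ours, not Microsoft's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One predicate per playbook stage. EventID 4720/4688 are Security events,
# 11/13 are Sysmon FileCreate/RegistryEvent (value set).
STAGES = {
    "persistence-new-account": lambda e: e["EventID"] == 4720,
    "persistence-webshell": lambda e: e["EventID"] == 11 and re.search(
        r"\\(inetpub|wwwroot|owa)\\.*\.(aspx|ashx|php)$", e.get("TargetFilename", ""), re.I),
    "cred-theft-mimikatz": lambda e: e["EventID"] == 4688 and re.search(
        r"mimikatz|sekurlsa::", e.get("CommandLine", ""), re.I),
    "defense-evasion-defender": lambda e: e["EventID"] == 13 and re.search(
        r"\\Windows Defender\\(Exclusions|Real-Time Protection|DisableAntiSpyware)",
        e.get("TargetObject", ""), re.I),
    "exfil-rclone": lambda e: e["EventID"] == 4688 and re.search(
        r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", e.get("CommandLine", ""), re.I),
}
WINDOW = timedelta(hours=24)   # the report's "under 24 hours" end-to-end pace
MIN_STAGES = 2                 # distinct stages on one host before we escalate

# Constructed sample events; WEB01 follows the full playbook, FS02 is noise.
SAMPLE_EVENTS = [
    {"Computer": "WEB01", "EventID": 11, "TimeCreated": "2026-06-01T01:12:00",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\x.aspx"},
    {"Computer": "WEB01", "EventID": 4720, "TimeCreated": "2026-06-01T01:20:00",
     "TargetUserName": "svc_backup2"},
    {"Computer": "WEB01", "EventID": 4688, "TimeCreated": "2026-06-01T02:05:00",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"Computer": "WEB01", "EventID": 13, "TimeCreated": "2026-06-01T02:30:00",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"Computer": "WEB01", "EventID": 4688, "TimeCreated": "2026-06-01T09:45:00",
     "CommandLine": r"rclone.exe copy D:\shares remote:bucket --transfers 16"},
    {"Computer": "FS02", "EventID": 4688, "TimeCreated": "2026-06-01T10:00:00",
     "CommandLine": "rclone.exe version"},
    {"Computer": "FS02", "EventID": 4720, "TimeCreated": "2026-06-03T12:00:00",
     "TargetUserName": "j.doe"},
]


def classify(event: dict) -> list:
    """Names of every playbook stage the event matches (usually zero or one)."""
    return [name for name, match in STAGES.items() if match(event)]


def correlate(events: list) -> dict:
    """Hosts with >= MIN_STAGES distinct stages inside one WINDOW, mapped to
    every stage seen on that host."""
    by_host = defaultdict(list)
    for e in events:
        for stage in classify(e):
            by_host[e["Computer"]].append((datetime.fromisoformat(e["TimeCreated"]), stage))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {stage for t, stage in hits[i:] if t - t0 <= WINDOW}
            if len(in_window) >= MIN_STAGES:
                flagged[host] = sorted({stage for _, stage in hits})
                break
    return flagged


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

A lone 4720 from the help desk or an administrator running `rclone version` is not flagged; a host that creates an account and then drops a Defender exclusion within the same day is. Tune MIN_STAGES and the patterns to your environment, and treat the stage list as an ordering hint for the responder rather than proof of compromise.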

CareCloud confirms hackers accessed patient health records in 8-hour breach

Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves more than 40,000 healthcare providers. It is still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.

Check
If your organization uses CareCloud Health for EHR, contact CareCloud for specifics on whether your environment was affected.
Affected
CareCloud Health EHR platform users. One of six EHR environments was compromised.
Fix
Monitor for CareCloud's breach notification updates. Review access logs for unusual activity around March 16. Ensure MFA is enforced on all EHR system access. Prepare for potential patient notification requirements.