Medtronic has begun to notify people who may have been affected by a cyberattack that was disclosed more than two months ago.
Medtronic provided the update in a statement posted to its website on Monday. At this time, Medtronic has no evidence the data that was accessed has been publicly posted or exposed to the internet, according to the statement.
The company is providing 24 months of complimentary credit monitoring, dark web monitoring and identity theft restoration services. It is also setting up a dedicated call center to address questions for those affected.
“We have not identified any impact to product security or patient safety, including the ability of any Medtronic device to operate safely and deliver intended therapy,” Medtronic said in the statement. “Additionally, we have not identified any impacts to our manufacturing and distribution operations or our ability to meet patient and customer needs.”
In April, Medtronic disclosed that an unauthorized third party accessed data held in certain corporate IT systems. Medtronic has not said what kind of data was accessed.
When the cyberattack was disclosed, Medtronic said it did not expect the incident to have a material impact on its business or financial results, according to a filing with the Securities and Exchange Commission.
String of cyberattacks
Medtronic is one of several medtech companies to be hit by a cyberattack this year.
Stryker disclosed an attack in March that shut down manufacturing and shipping operations for weeks. CEO Kevin Lobo told investors on a May earnings call that the cyberattack had a “big impact on our results and affected each of our businesses differently given their varied go-to-market models and processes to record revenue.”
Stryker did not provide a figure for how much it cost the company in the first quarter. Despite the impact, the company maintained its full-year outlook.
The same week as the Stryker attack, Intuitive Surgical said it had been hit by a phishing incident that compromised customer and employee data. In a June update, the surgical robotics company said no reports of fraud or identity theft arose from the incident, and there was no indication the accessed data was misused.
In addition, iRhythm said last month that certain data was stolen from third-party-hosted business applications. The cardiac monitor maker received a message from a threat actor claiming to have stolen sensitive information, including proprietary data, patient protected health information and other personal information.
The threat actor demanded payment in exchange for not publicly disclosing the information, according to an SEC filing. The company has not posted an update on the attack on its website.