Stryker Cyberattack: Exposing Healthcare Vulnerabilities

A cyberattack on medical device manufacturer Stryker has exposed critical vulnerabilities in healthcare supply chains, demonstrating how digital threats can rapidly cascade into physical disruptions affecting product manufacturing, order fulfilment and patient care delivery.
The incident reveals how modern cyber intrusions targeting identity access and administrative control planes can paralyse global operations, creating ripples throughout interconnected medical supply networks.
The healthcare and medical device sector faces mounting supply chain risks as cybercriminals increasingly focus on identity access and administrative control planes rather than relying on sophisticated exploits.
Common tactics against the sector include phishing – where criminals impersonate organisations and people via email, text or voice to deceive victims – the use of compromised credentials and the exploitation of weak remote access controls.
These methods enable lateral movement within environments, often leading to disruptive attacks which aim to upset operations and sever supply chain continuity rather than primarily steal data.
Manufacturing and distribution disruption
Stryker lost the ability to process orders, manufacture products and ship them to customers following a cyberattack in March 2026, creating immediate supply chain bottlenecks. The company says it experienced a global disruption to its Microsoft environment, affecting its capacity to fulfil orders across its international distribution network.
Upon detection, the company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cyber experts to assess and contain the threat.
"Investigations suggest the attackers may have abused Microsoft Intune to issue remote wipe commands to managed devices, causing factory resets on corporate laptops and mobile devices," says Lucie Cardiet, Cyber Threat Research Manager at Vectra, a cybersecurity company that specialises in AI-driven threat detection and response.
This type of attack could disrupt inventory management systems, production scheduling platforms and logistics coordination tools essential for maintaining supply chain operations. The widespread device resets forced employees to reconfigure systems, delaying critical manufacturing processes and preventing timely order processing across multiple facilities.
Supply chain targeting patterns
A hacking group called Handala, also known by some researchers as Void Manticore, has claimed responsibility for the attack, stating that more than 200,000 devices were impacted and large volumes of data were exfiltrated. The volume of data has not been verified. The group has targeted other organisations to date including IT providers, infrastructure operators and companies tied to sensitive supply chains, suggesting a deliberate focus on creating cascading disruptions.
"Unlike many financially motivated groups, Handala campaigns often emphasize operational disruption and psychological impact," Lucie says.
"The group frequently publishes screenshots of compromised systems, exaggerates claims of stolen data and defaces systems with propaganda imagery such as the Handala logo. The device wipes and defaced login screens reported in the Stryker incident align with this pattern."
In its public statements, Stryker says the hackers were only able to access its Microsoft accounts, specifically Microsoft Intune, which is used to remotely manage corporate phones and laptops.
The company says: "This incident did not affect the security or safety of our products or devices. All Stryker products across our global portfolio, including connected, digital and life-saving technologies remain safe to use."
The targeting of cloud-based management platforms represents an evolution in supply chain attacks, where adversaries exploit centralised control systems to amplify disruption across geographically dispersed operations.
Impact on healthcare delivery
However, the supply chain implications have been significant.
"Some of our customers that utilise our personalised implants are experiencing some disruptions," the company says.
"We understand that some patient-specific cases scheduled for the week of 16 March 2026 have been rescheduled due to shipping delays we are experiencing."
Stryker provides products and services for surgery, neurotechnology and orthopaedics, meaning disruptions affect time-sensitive surgical procedures requiring customised implants.
"There is nothing more important to us than the customers and patients we serve, and we recognise the criticality of every procedure to every patient," the company says.
"We are working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care."
The incident highlights how cyberattacks on manufacturers can directly impact patient outcomes, particularly when involving specialised medical devices that cannot be easily substituted.
Protecting supply chain infrastructure
Since the incident, the Cybersecurity & Infrastructure Security Agency (CISA) has urged companies to take care to secure access to their Microsoft Intune accounts. This includes implementing Microsoft's latest best practices for securing Microsoft Intune: using principles of least privilege when designing administrative roles, enforcing phishing-resistant multi-factor authentication (MFA) and configuring access policies to require multi-admin approval in Intune.
CISA is working with federal partners, including the FBI, to identify additional threats and determine mitigation actions to protect critical supply chain infrastructure. The agency recommends organisations review their cloud management platform configurations and implement additional monitoring for suspicious administrative activities.
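One way to monitor for the suspicious administrative activity described above is to flag any administrator account that issues wipe commands to many distinct devices within a short window. This is an added example, not code from CISA, Microsoft or Stryker; the record fields, account names, threshold and window are constructed assumptions to be mapped onto a real device-management audit export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, actor, action, device):
    return {"time": time, "actor": actor, "action": action, "device": device}


# Constructed sample audit records (not real data). The field names are
# hypothetical and simplified; map them from your MDM's real audit export.
SAMPLE_EVENTS = [
    _ev("2026-01-05T09:00:00", "helpdesk@example.test", "wipe", "LT-100"),
    _ev("2026-01-05T13:30:00", "helpdesk@example.test", "wipe", "LT-101"),
    _ev("2026-01-05T14:00:00", "helpdesk@example.test", "sync", "LT-102"),
] + [
    _ev(f"2026-01-06T02:1{i}:00", "admin@example.test", "wipe", f"LT-20{i}")
    for i in range(6)
]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor who wipes >= threshold distinct devices within window."""
    recent = defaultdict(deque)  # actor -> (timestamp, device) pairs still in window
    alerted, alerts = set(), []
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        if ev["action"] != "wipe" or ev["actor"] in alerted:
            continue
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        while ts - q[0][0] > window:  # drop wipes older than the window
            q.popleft()
        devices = sorted({d for _, d in q})
        if len(devices) >= threshold:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "since": q[0][0], "devices": devices})
    return alerts


if __name__ == "__main__":
    for a in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {len(a['devices'])} wipes since {a['since']}")
```

Routine helpdesk wipes spaced hours apart stay below the threshold, while the overnight burst from a single account raises one alert at the fifth device.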
Healthcare supply chain organisations should conduct regular security assessments of their identity and access management systems, ensuring that administrative privileges are restricted and monitored. Companies must also establish incident response procedures that account for supply chain dependencies, enabling rapid communication with customers and partners when disruptions occur.



