Stryker has recovered the systems affected by the March 11 cyberattack, and its manufacturing network is now fully operational.
Incident Overview
Stryker’s report that its systems have been recovered also means that those systems can again perform their functions, including ordering and distribution.
An Iran-linked hacking group identified as Handala claimed responsibility for the attack. The attackers stole 50 terabytes of data and published portions of it online. The Federal Bureau of Investigation seized the two domains used to leak the data.
Operational Status and Supply Chain
Stryker stated that it is once again fully operational across its manufacturing network and is working hard to achieve peak production capacity. The company reported a good overall product supply with the capacity to deliver most product lines. It remains able to meet customer demand and provide patient care.
Stryker acknowledged that the attack temporarily disrupted its global business operations, including parts of its supply lines. Some covered health systems suffered disruptions, including delays to some surgical procedures because of issues with Stryker’s ability to provide patient-specific products.
Technical Details of the Attack
The attack involved the wiping of almost 80,000 Windows devices. The attackers accessed a Windows domain administrator account, then created a new Global Administrator account. The breached accounts were used to remotely wipe devices through Microsoft Intune. Microsoft instructed its customers to harden the security of their Windows domains and Intune.
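Detection logic for the sequence described above, as an added example that is not from Stryker, Microsoft or Palo Alto Networks: it flags every new Global Administrator grant and any account that issues a burst of device-wipe commands, and labels the burst separately when the account only just received the role. The event records, field names, account names and thresholds are constructed for illustration and would need mapping to the real directory and device-management audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NEW_ADMIN_WINDOW = timedelta(hours=24)  # how long a role grant counts as "new"
BURST_WINDOW = timedelta(minutes=10)    # sliding window for counting wipes
BURST_THRESHOLD = 5                     # wipes per window treated as bulk

def sample_events():
    """Constructed sample: one routine wipe, then a new admin wiping in bulk."""
    base = datetime(2026, 1, 5, 2, 0, 0)
    events = [
        {"time": base - timedelta(days=3), "actor": "helpdesk01",
         "action": "device_wipe", "target": "LAPTOP-0001"},
        {"time": base, "actor": "domain-admin", "action": "role_assigned",
         "target": "new-admin", "role": "Global Administrator"},
    ]
    for i in range(8):
        events.append({"time": base + timedelta(minutes=30, seconds=20 * i),
                       "actor": "new-admin", "action": "device_wipe",
                       "target": f"LAPTOP-{1000 + i}"})
    return events

def find_alerts(events):
    """Return (kind, account, time) tuples in chronological order."""
    granted = {}                # account -> time it received Global Administrator
    wipes = defaultdict(list)   # actor -> wipe timestamps inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["action"] == "role_assigned" and e.get("role") == "Global Administrator":
            granted[e["target"]] = e["time"]
            alerts.append(("new_global_admin", e["target"], e["time"]))
        elif e["action"] == "device_wipe":
            recent = wipes[e["actor"]]
            recent.append(e["time"])
            while recent[0] < e["time"] - BURST_WINDOW:  # expire old wipes
                recent.pop(0)
            if len(recent) == BURST_THRESHOLD:           # alert when the burst forms
                grant = granted.get(e["actor"])
                fresh = grant is not None and e["time"] - grant <= NEW_ADMIN_WINDOW
                kind = "bulk_wipe_by_new_admin" if fresh else "bulk_wipe"
                alerts.append((kind, e["actor"], e["time"]))
    return alerts

if __name__ == "__main__":
    for kind, account, when in find_alerts(sample_events()):
        print(when.isoformat(), kind, account)
```
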
Threat Actor Tactics and Malware Findings
Stryker engaged Palo Alto Networks to assist with threat identification, forensic analysis, control, eradication, and infrastructure audit. Palo Alto Networks reported that there was no evidence of any unauthorized activity since March 11, 2026, and that the immediate risk to Stryker’s operational environment has been mitigated.
Investigators found no evidence indicating that malware or ransomware was used in the attack. The hacking group used a malicious file to execute commands that concealed their activity from Stryker’s threat detection application. Stryker confirmed that the malicious file lacked the capability to propagate inside or outside its environment.
Response Coordination and Ongoing Investigation
Stryker reported that it is working with third-party cybersecurity professionals, government institutions, and industry partners to investigate the cyberattack.
Stryker is facing legal action as a result of the theft of sensitive employee data. At least six lawsuits have been filed by employees claiming that the HIPAA-covered business associate failed to protect their personal data.
