
Stryker Confirms Cyberattack Contained, Restoration Now Underway


What Happened: The March 11 Cyberattack

Medical technology firm Stryker confirmed that a March 2026 cyberattack is now contained. The company also confirmed there is no impact on customers, partners, suppliers, or vendors. Stryker filed an 8-K report with the Securities and Exchange Commission, disclosing that the incident affected its internal Microsoft environment.

The hack is considered the first major cyberattack in the United States in response to the Trump administration’s war with Iran. Consequently, it has drawn widespread attention from both cybersecurity experts and government agencies. Stryker operates in more than 60 countries and serves roughly 150 million patients globally, which made the attack especially significant.

How Handala Weaponized Microsoft Intune

An Iran-linked threat group tracked as Handala claimed credit for the attack. The hackers weaponized Stryker’s Microsoft Intune device-management platform to wipe data from thousands of devices.

Working alongside Palo Alto Networks Unit 42 and other experts, Stryker identified that the threat actor used a malicious file to run commands, allowing them to hide their activity while inside the company’s systems. Furthermore, security researchers at Palo Alto Networks suggested that Handala may have relied on phishing to first compromise Stryker’s network. IBM noted that the Iran-aligned group is known for phishing techniques and destructive attacks, particularly targeting healthcare and energy sectors.

Notably, infostealer malware — which steals passwords and credentials — may also have played a role in the initial breach.

Stryker’s Immediate Response

Upon detecting the incident, Stryker moved quickly. The company activated its incident response plan and launched an investigation with the support of external advisors and cybersecurity experts.

Stryker’s internal teams have been working around the clock with external partners to make meaningful progress on restoration efforts. The company has also been in close contact with the White House National Cyber Director, FBI, CISA, DHA, HHS, and H-ISAC.

Additionally, the federal Cybersecurity and Infrastructure Security Agency issued a March 18 alert urging U.S. organizations to harden their endpoint management systems in direct response to the Stryker attack. The government’s involvement reflects how seriously the incident was treated at the national level.

Products Remain Safe

Importantly, Stryker was clear about one thing: its medical devices remained unaffected. The incident did not affect any of Stryker’s products — connected or otherwise. All Stryker products across its global portfolio, including connected, digital, and life-saving technologies, remain safe to use.

Palo Alto Networks Confirms Containment

Cybersecurity firm Palo Alto Networks Unit 42 wrote in a March 20 letter that all known indicators of compromise associated with the incident have been successfully identified and addressed. The firm found no current evidence of active, uncontained, persistent unauthorized access within the Stryker environment.

The General Assurance Letter from Palo Alto Networks reaffirmed Stryker’s belief that the incident is contained, and confirmed that analysis has not identified any evidence of the threat actor accessing customer, supplier, vendor, or partner systems.

As a result, Stryker filed this letter with federal securities regulators, offering added transparency to investors and stakeholders alike.

Operational Impact and Supply Chain Disruption

The attack temporarily disrupted ordering, manufacturing, and shipping. The company began to restore normal operations late last week.

Some patients experienced delays in surgeries or had procedures rescheduled due to shipping issues. This placed hospitals in a difficult position, particularly those relying on Stryker for surgical components. Cybersecurity experts warned that the downstream effects can extend beyond IT systems to affect device availability and patient care.

Manufacturing capability is now ramping up quickly as critical lines and plants return online, with patient needs given top priority. Stryker described this as a 24/7 effort across its entire organization.

Recovery Costs and What Comes Next

The financial toll of the attack could be substantial. Experts estimate the cost to reprovision each wiped device at between $300 and $500. With 80,000 devices affected, that alone comes to $24 million to $40 million just to restore endpoints to working order.

Incident response costs from Microsoft DART and Palo Alto Unit 42 could easily run several million more. Those costs do not include lost productivity, temporary equipment, or internal IT overtime.

Beyond the numbers, the attack carries a broader warning. Cybersecurity experts stressed that this attack should not be viewed in isolation — it is direct retaliation tied to the broader geopolitical conflict with Iran. Therefore, healthcare organizations must now prepare for a new wave of state-sponsored, destructive cyberattacks — not just ransomware.

Stryker has not yet determined whether the attack will have a material impact on operations, but the company continues to work toward full restoration while keeping transparency at the center of its public communications.
