Stryker, the Michigan-based medical device manufacturer, said it suffered a cybersecurity attack on March 11 that disrupted its global Microsoft environment, affecting internal operations across a company that employs about 56,000 people in 61 countries. In public updates, the company said the incident interfered with order processing, manufacturing and shipping, and left electronic ordering systems offline, forcing customers to place orders manually through sales representatives while restoration work continued.
The company has tried to draw a sharp line between the systems that were hit and those that were not. Stryker said the attack was contained to its internal Microsoft corporate environment and that its connected products, digital tools and other life-saving technologies remained unaffected and safe to use. That distinction matters in healthcare, where a disruption to business systems is serious, but a disruption to clinical devices can quickly become something more dangerous.
An Attack That Destroyed, Rather Than Extorted
In recent years, major corporate cyberattacks have often followed a familiar pattern: encrypt systems, steal data and demand payment. What appears to have happened at Stryker was different. The company has said there was no ransomware and no malware detected on its systems. Reporting by BleepingComputer, citing a source familiar with the investigation, said the attacker instead used Microsoft Intune’s remote wipe capability to erase data from nearly 80,000 devices over a three-hour span on March 11.
According to that report, the attackers first compromised an administrator account and then created a new Global Administrator account, giving them the authority needed to issue wipe commands across Stryker’s managed device fleet. Employees in multiple countries began reporting that their company laptops and phones had been erased overnight. Some also lost data on personal devices that had been enrolled in the company network, underscoring how a breach of centralized device management can spill beyond purely corporate hardware.
The effect was a kind of digital paralysis. Unlike ransomware, which can leave systems intact but inaccessible pending decryption, a remote wipe aims at destruction. In this case, the attack appears to have turned a trusted management function into the weapon itself. That helps explain why the disruption spread so quickly through employee infrastructure even though investigators found no evidence of conventional malicious software being deployed on endpoints.
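The sequence reported above, a newly privileged account followed by a burst of wipe commands, is something audit-log monitoring can flag. The sketch below is an added example, not code from Stryker, Microsoft or the cited reporting. The event schema, account names, dates and thresholds are assumptions, and real directory and device-management audit logs would first need to be normalized into this shape.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, actor, action, target):
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target}

# Constructed sample events in a simplified, hypothetical schema (not a real export format).
SAMPLE = (
    [_ev("2030-01-01T01:00:00", "admin-a", "role_assigned",
         "svc-new:Global Administrator")]
    + [_ev(f"2030-01-01T01:20:{i:02d}", "svc-new", "device_wipe", f"device-{i}")
       for i in range(12)]
    + [_ev("2030-01-01T09:00:00", "helpdesk-1", "device_wipe", "device-900"),
       _ev("2030-01-01T14:00:00", "helpdesk-1", "device_wipe", "device-901")]
)

def detect_wipe_bursts(events, window=timedelta(minutes=10), threshold=10,
                       new_admin_lookback=timedelta(hours=24)):
    """Return one alert per actor whose wipe count within `window` reaches `threshold`."""
    granted = {}                 # account -> time it received Global Administrator
    recent = defaultdict(deque)  # actor -> wipe timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "role_assigned":
            account, _, role = ev["target"].partition(":")
            if role == "Global Administrator":
                granted[account] = ev["time"]
        elif ev["action"] == "device_wipe":
            q = recent[ev["actor"]]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()      # slide the window forward
            if len(q) >= threshold and ev["actor"] not in alerts:
                t = granted.get(ev["actor"])
                alerts[ev["actor"]] = {
                    "actor": ev["actor"],
                    "first_alert_time": ev["time"],
                    "wipes_in_window": len(q),
                    # Escalate when the actor gained the role shortly before the burst.
                    "newly_privileged": t is not None
                                        and ev["time"] - t <= new_admin_lookback,
                }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE):
        print(alert)
```

Routine help-desk wipes spread over hours stay below the threshold, while the burst from the freshly elevated account raises a single alert at the tenth wipe.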
Handala’s Claim and the Unverified Parts of the Story
Responsibility for the attack was claimed by Handala, a group widely described in recent reporting as Iran-linked. Reuters reported that the group said the attack was retaliation for a strike on a girls’ school in Minab, Iran, though Reuters said it had not independently verified the details of that claim. Handala also claimed to have wiped more than 200,000 systems and stolen 50 terabytes of data. But those assertions remain materially unconfirmed.
That distinction is important. Stryker has not endorsed those figures, and BleepingComputer reported that investigators had found no indication that data was exfiltrated. In cyber incidents tied to geopolitical actors, public claims often serve more than one purpose: they can signal capability, shape the narrative and amplify psychological impact. The challenge for companies and investigators is to separate what the attackers say happened from what forensic evidence can actually establish.
Recovery, Supply Chains and the New Shape of Corporate Risk
Stryker says its focus now is on restoring supply-chain and transactional systems, resuming shipping and honoring orders placed before the attack. The company told customers that orders placed during the disruption would be processed once systems return online, and said its core transactional systems were on a clear path to full recovery, though it has not yet offered a firm timeline for full restoration.
The investigation is being conducted by Microsoft’s Detection and Response Team, known as DART, together with Palo Alto Networks’ Unit 42, according to BleepingComputer. Reuters has also reported that Stryker is working with authorities and outside cybersecurity experts as it assesses the operational and financial implications of the breach.
For the healthcare and medtech sector, the incident is a reminder that cyber risk is no longer confined to stolen records or frozen desktops. A company can keep its patient-facing devices safe and still face global disruption if its internal control plane is compromised. In Stryker’s case, the attack appears to have struck at exactly that layer: the digital infrastructure that moves orders, manages employees’ devices and keeps the corporate machinery behind medical supply chains running.
