The legal fallout from the Stryker cyberattack continues to unfold, as the medical technology manufacturer has asked a federal court to dismiss a proposed class action lawsuit brought by current and former employees. The plaintiffs allege that their personal information was compromised during the cyberattack on Stryker, but the company argues that its investigation found no evidence supporting those claims.
Employee Data Was Not Accessed During the Stryker Cyberattack
In a court filing submitted Monday, Michigan-based Stryker said an internal review conducted with independent experts found that none of the eight named plaintiffs had personally identifiable information (PII) accessed during the incident. According to a statement from Chief Information Security Officer Juan Pablo Calderon, investigators examined files and data that the threat actor may have accessed during the attack.
“Those files and data were searched for plaintiffs’ PII, and Stryker determined as a purely factual matter that none of the plaintiffs’ PII exists in those files and data,” Calderon stated. He added that business email addresses belonging to two plaintiffs were found, but no sensitive personal information was identified.
Iranian Hacktivists Claimed Massive Data Theft and Destruction
The Stryker cyberattack was claimed by Handala, a group widely suspected of acting as a front for Iran’s Ministry of Intelligence. The Iranian hacktivists alleged in March that they had stolen 50 terabytes of critical company data. They further claimed to have erased 200,000 devices and 12 petabytes of data “in just a few hours,” describing the information as assets that had taken years to collect and billions of dollars to protect.
The cyberattack on Stryker occurred nearly two weeks after the United States and Israel launched major military operations against Iran on February 28. While Stryker maintained that customer-connected devices and systems were not affected, the incident disrupted electronic ordering and related services used by clients. Those systems remained unavailable for several weeks before being fully restored in early April.
Legal Experts Weigh In on the Cyberattack on Stryker
Stryker also argued that the plaintiffs rushed to court, filing lawsuits “merely 48 hours” after the company disclosed the cyberattack on March 11. According to the company, the lawsuits relied on speculation that names, Social Security numbers, and other personal information had been exposed.
The company further contends that each plaintiff’s PII had already been exposed in previous breaches involving other organizations, making it difficult to connect any alleged harm, including identity theft, directly to the cyberattack on Stryker. None of the named plaintiffs received breach notifications from the company, yet they seek to represent all U.S. individuals whose information was allegedly compromised.
Legal experts say the case highlights broader questions surrounding data breach litigation. Steven Teppler of Mandelbaum Barrett noted that “the complaint may outrun the facts” when lawsuits are filed immediately after a cyberattack. He added that courts increasingly require plaintiffs to show “more than speculation” that their information was affected.
