
Medtronic Exposed 9 Million Patient Records… Then Said Almost Nothing

The Non-Financial Ledger

Sabrina Marquardt received an implanted Medtronic heart monitor in early 2026. She didn’t choose to give Medtronic her Social Security number, her diagnoses, her insurance records. She had to. You don’t negotiate data terms with the company that makes the device keeping your heart in rhythm. You trust them. You have no other option.

That trust was not returned.

When the hackers posted their announcement on the dark web’s Tor network on April 17, 2026, Ms. Marquardt did not know. Medtronic knew — or would know within days. But for a week, she went about her life while criminals catalogued her medical history. By the time Medtronic issued a press release confirming the breach on April 24, those 9 million records were already circulating.

Think about what that actually means. Your cardiologist diagnosis. The name of every medication you take. Your insurance policy number. The address where you sleep. Your date of birth. Your Social Security number. All of it, in the hands of people who sell this information on forums most of us will never see. PHI — protected health information — sells for as much as $363 per record on the dark web. Your most vulnerable, most private details have a price tag.

The cruelest part is the waiting. Medical identity theft victims often don’t find out for more than two years. You won’t necessarily know when someone files a fraudulent insurance claim in your name, or applies for credit lines using your Social Security number, or seeks prescriptions they then sell. You will find out when a debt collector calls. When your tax return is rejected because someone already filed one under your name. When a doctor’s office tells you your records show treatments you never received — treatments that could now confuse or endanger your future care.

Forty percent of victims find out they were robbed only when collection agencies come after them for someone else’s bills. Almost half lose their healthcare coverage entirely as a result. Nearly thirty percent see their insurance premiums go up. Forty percent are never able to fully fix what was done to them. These are not statistics about careless strangers. These are the futures now facing nine million people who trusted a $33.5 billion corporation with their most sensitive information and got a press release in return.

Ms. Marquardt is already receiving frequent spam calls and text messages. She doesn’t know yet whether her identity has been used. She will be watching for years. That watchfulness — the anxiety, the hours spent monitoring accounts, the cost of credit freezes and identity protection services, the loss of the simple assumption that your information is yours — is not compensated in any settlement. It is a permanent tax on every person whose data Medtronic failed to protect.


Straight From the Court Filing: What Medtronic Said and What the Lawsuit Proves

The following are direct quotes from the source documents. They are not paraphrased. Each one is followed by a breakdown of what it proves.

“Protecting patients and the trust placed in Medtronic is our highest priority. The privacy and security of all data with which we are entrusted is a vital part of that.”
  • This is Medtronic’s own statement from its April 24, 2026 press release confirming the breach. The same press release in which the company admitted hackers had already accessed its systems. Medtronic used the word “highest priority” while simultaneously disclosing it didn’t yet know which patients were affected, hadn’t explained why sensitive data lacked adequate security, and hadn’t announced a single specific change to its systems.
  • The complaint argues this language was not merely hollow corporate comfort. The lawsuit treats it as evidence that Medtronic’s public representations about security were material misrepresentations that patients and regulators relied upon.
“We obtain the patient information on which our business depends in accordance with applicable laws for assuring notice and choice to our customer regarding our data collection, whether our customer is the patient or a hospital, physician or other healthcare provider. Preservation of, and respect for, our customers’ trust is critical to our continued success.”
  • This quote, pulled directly from Medtronic’s published U.S. patient privacy principles, frames patient data as something “our business depends on.” The complaint uses this framing to establish that Medtronic derived direct commercial benefit from collecting and storing this information. That benefit, without adequate protection, is the basis for the unjust enrichment claim.
  • The phrase “continued success” links patient trust to revenue. That link is precisely what the lawsuit argues Medtronic exploited without fulfilling its end of the bargain.
“[Medtronic promises to] always treat such patient information: Confidentially, according to applicable laws. Appropriately, according to the promises we make to our customers. Respectfully, in honor of our patients’ willingness to trust us to use sensitive information to oversee the quality, safety and effectiveness of the devices that they make part of their daily lives.”
  • This is the most direct statement in the complaint linking Medtronic’s public promises to its legal obligations. The word “always” is not hedged or conditional. It is an absolute commitment. The complaint argues Medtronic violated every one of these three stated principles through its security failures.
  • “In honor of our patients’ willingness to trust us” is the key phrase. Patients of implanted medical devices have no choice but to trust the manufacturer. This language acknowledges that dependency and converts it into a promise. The lawsuit argues that promise was broken.
“We maintain appropriate physical, technical and administrative security standards and procedures to safeguard our patient data and systems. Our employees are educated on the importance of our privacy and security policies and must comply with them.”
  • The complaint identifies this claim as a direct contradiction of the breach. If Medtronic maintained appropriate security standards, the complaint argues, 9 million records would not have been exfiltrated. The reference to employee education is particularly significant: the complaint’s HIPAA count specifically alleges Medtronic failed to “train all members of its workforce effectively on the policies and procedures with respect to PHI,” citing 45 C.F.R. § 164.530(b).
“The health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures.” — FBI Cyber Division Private Industry Notification, April 8, 2014
“Since the Data Breach, Medtronic has announced no specific changes to its data-security infrastructure, processes, or procedures to fix the vulnerabilities in its computer systems and/or security practices which permitted the Data Breach to occur and, thereby, prevent similar incidents from occurring in the future.”
  • This is the complaint’s most damning factual allegation about Medtronic’s post-breach conduct. As of April 30, 2026, six days after Medtronic confirmed the breach, the company had made zero public commitments to fix the systems that failed. The injunctive relief count of the lawsuit is built on this fact: without court-ordered changes, Medtronic may continue to hold patient data in inadequately secured systems.
  • This allegation directly supports the plaintiff’s argument that the ongoing risk is not theoretical. The same vulnerabilities that allowed the April 2026 breach exist today.

What You Were Told vs. What Was Actually Happening

The complaint documents a specific and material gap between what Medtronic told patients about data security and what its actual practices amounted to. Every item below is drawn directly from the source filing.

  • Medtronic claimed it “maintain[s] appropriate physical, technical and administrative security standards and procedures.” The complaint alleges Medtronic failed to implement technical policies for access controls (violating 45 C.F.R. § 164.312(a)(1)), failed to implement adequate procedures to prevent, detect, contain, and correct security violations (violating 45 C.F.R. § 164.308(a)(1)(i)), and failed to conduct adequate audit log reviews (violating 45 C.F.R. § 164.308(a)(1)(ii)(D)).
  • Medtronic claimed its employees “are educated on the importance of our privacy and security policies and must comply with them.” The complaint alleges Medtronic failed to train its workforce on PHI security requirements as required by 45 C.F.R. § 164.530(b).
  • Medtronic stated in its breach press release that “protecting patients and the trust placed in Medtronic is our highest priority.” The complaint notes that as of the filing date, Medtronic had announced no specific changes to its data security infrastructure. The company confirmed the breach but provided no explanation of why the data lacked adequate protection, whether it was encrypted, or what the actual security deficiencies were.
  • Medtronic promised to treat patient information “confidentially, according to applicable laws.” The complaint alleges violations of HIPAA, the FTC Act, and California’s Consumer Records Act, arguing that Medtronic’s actual security practices fell below every applicable legal standard.
Visual: What You Were Told vs. The Reality
  • Claimed: “Appropriate physical, technical and administrative security standards” — Medtronic Privacy Policy (maintained)
    Alleged: Failed to implement access controls, audit logging, and breach detection procedures required under HIPAA 45 C.F.R. §§ 164.312, 164.308
  • Claimed: “Employees educated on privacy and security policies and must comply” — Medtronic Privacy Policy
    Alleged: Failed to effectively train workforce on PHI security as required under 45 C.F.R. § 164.530(b)
  • Claimed: “Protecting patients… is our highest priority” — April 24, 2026 Press Release (post-breach statement)
    Alleged: As of Apr. 30, 2026, zero announced changes to security infrastructure. No disclosure of whether data was encrypted.
  • Claimed: “Always treat patient information confidentially, appropriately, respectfully” — Medtronic Privacy Policy
    Alleged: 9M+ records stolen, including diagnoses, SSNs, and insurance data. Alleged violations: HIPAA, FTC Act, California Consumer Records Act

Profit-Maximization at All Costs

Medtronic’s own published materials frame patient data as a commercial asset essential to the company’s business model. The complaint documents how the company derived significant revenue from collecting this data while allocating insufficient resources to protecting it.

  • Medtronic reported total annual revenue of approximately $33.5 billion. The company employs over 13,600 scientists and engineers and holds over 41,000 active patents. Despite this scale, the complaint alleges it failed to implement basic access controls, audit logging, and breach detection procedures that are standard legal requirements under HIPAA.
  • The complaint’s unjust enrichment count establishes the commercial dynamic directly: Medtronic collected patient data as a condition of doing business, used that data to derive benefit, and promised to secure it. The complaint argues that “if Medtronic had disclosed that its data-security measures were inadequate, Medtronic would not have been permitted to continue in operation by regulators and the healthcare marketplace.” The inadequacy was concealed because disclosure would have cost the company business.
  • Healthcare-related PHI sells for as much as $363 per record on the dark web, according to the Infosec Institute cited in the complaint. With 9 million records stolen, the potential criminal market value of the data Medtronic failed to protect reaches into the hundreds of millions of dollars. Medtronic’s financial exposure from failing to secure data it profited from collecting is now being tested in court.
  • The complaint notes that the FBI’s Cyber Division issued a specific warning to the healthcare industry on April 8, 2014, noting that healthcare organizations were primary targets for cybercriminals seeking PHI. Medtronic had over twelve years of notice that its sector was under active attack. The complaint argues the decision not to invest in adequate security despite that notice reflects a deliberate allocation of resources away from patient protection.

What This Actually Costs the People It Happened To


What a 9-Million-Record Healthcare Breach Actually Does to Society

Public Health

Medical identity theft does not stay in the financial system. It enters the medical record, and the consequences can be life-threatening.

  • If a victim’s PHI is mixed with a thief’s medical records, it can result in misdiagnosis or mistreatment. A patient seeking emergency care may have incorrect blood type, allergy, or medication history on file as a result of someone else’s fraudulent use of their identity. The complaint cites Pam Dixon of the World Privacy Forum: “Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief’s activities.”
  • Stolen PHI can be used to create fraudulent insurance claims for medical equipment or to gain access to prescriptions for illegal resale. This corrupts the integrity of the healthcare supply chain and potentially diverts controlled medications into illegal markets.
  • The class includes patients of implanted medical devices — people with serious chronic conditions who depend on ongoing, accurate medical care. The contamination of their medical records carries elevated risk because their treatments are complex, ongoing, and potentially life-sustaining.
  • As the American Medical Association warned in materials cited by the complaint: “Cyberattacks not only threaten the privacy and security of patients’ health and financial information, but also patient access to care.”

Economic Inequality

The financial aftermath of medical identity theft falls hardest on people who can least afford it, and the complaint’s data shows that recovery is neither quick nor guaranteed.

  • The average cost to resolve a medical identity theft incident is approximately $20,000. For patients who received implanted medical devices — patients with serious health conditions, many of whom may face ongoing medical costs — this is an extraordinary additional financial burden delivered through no fault of their own.
  • Almost 50% of medical identity theft victims lose their healthcare coverage as a result of the incident. Nearly 30% see their insurance premiums increase. These are people who likely needed that coverage for ongoing treatment of the conditions that required the Medtronic device in the first place.
  • Victims are required to pay out-of-pocket costs for healthcare they never received in order to restore their coverage. The complaint makes clear: patients are forced to spend money cleaning up a mess Medtronic created.
  • Approximately 21% of victims do not realize their identity has been compromised for more than two years. During that window, the harm compounds unchecked. By the time it surfaces, the financial damage is often extensive and the trail is cold.
  • Changing a stolen Social Security number is extremely difficult. The Social Security Administration requires evidence of actual, ongoing fraudulent activity before issuing a new number. Even then, credit bureaus and banks can quickly link the new number to the compromised old one, inheriting the fraudulent history. Victims are effectively trapped.
  • The complaint notes that stolen SSNs can be used to file fraudulent tax returns, claim unemployment benefits, and apply for jobs under a false identity. Fraudulent tax returns are typically discovered only when the victim’s legitimate return is rejected. Each of these outcomes disproportionately affects lower-income people who depend on tax refunds and government benefits to meet basic expenses.
Visual: The Timeline — Dark Web Claim to Lawsuit Filed
  • Early 2026: Marquardt receives implanted device; data collected. (Approx. weeks/months elapse.)
  • Apr 17, 2026: ShinyHunters posts dark web claim: 9M+ records stolen. (7 days elapse.)
  • Apr 24, 2026: Medtronic confirms breach. No specific fixes announced. (6 days elapse.)
  • Apr 30, 2026: Class action filed. Plaintiff Marquardt leads national class.

This Is the System Working as Intended

The facts of this case form a pattern that is not accidental. It is the predictable result of a system that allows a corporation to profit from collecting sensitive data, promise to protect it, and face consequences only after the damage is irreversible.

  • Patients with implanted Medtronic devices have no choice but to provide their data to Medtronic. The power imbalance is absolute. You cannot negotiate your privacy terms with the manufacturer of the device keeping your heart in rhythm. This captive relationship enabled Medtronic to collect 9 million records without any meaningful accountability for how those records were protected — until a breach occurred.
  • The FBI issued a direct warning to the healthcare industry about cybersecurity vulnerabilities in April 2014. The healthcare sector ranked second in data breach volume by end of 2018. North American data breaches increased by over 50% between 2020 and 2021. Every one of these data points was publicly available. None of it was sufficient to compel Medtronic to meet basic HIPAA security standards before 9 million records were stolen.
  • HIPAA’s Security Rule specifies exactly what safeguards are required. The complaint alleges Medtronic violated at least nine specific regulatory provisions. These were not ambiguous obligations. They were codified requirements with specific CFR citations. The system allowed a company to publicly claim compliance while allegedly operating in violation of those requirements for years.
  • As of six days after confirming the breach, Medtronic had announced zero specific changes to its security systems. The only consequence visible to the public was a press release. The only mechanism forcing the company to act is a class action lawsuit. That is the system working: harm first, accountability later, remediation only if a court orders it.
  • The class action structure itself illustrates the power asymmetry. The complaint notes explicitly that individual class members could not practically sue Medtronic alone. Medtronic would “be able to exploit and overwhelm the limited resources of each individual Class Member with superior financial and legal resources.” A $33.5 billion company versus a patient from Catheys Valley, California. The only viable path to accountability is collective action.
Nine million people’s medical records. One press release. Zero announced security fixes. This is not a failure of the system. This is the system.

What a Legitimate Fix Looks Like

The core structural failure this case exposes: a corporation can collect the most sensitive data that exists (health records, Social Security numbers, medical diagnoses), promise to protect it, profit from holding it, fail to protect it, and face consequences only after millions of people have been permanently harmed. The fix must close that gap before the breach, not just litigate it after.

Regulatory Track

  • HHS’s Office for Civil Rights (which is the HIPAA enforcement arm) must treat documented failures of the specific technical safeguards alleged in this case (access controls under § 164.312(a)(1), audit logs under § 164.308(a)(1)(ii)(D), breach prevention under § 164.308(a)(1)(i)) as presumptive violations triggering mandatory civil money penalties, not just corrective action plans that allow companies to self-remediate in private.
  • The FTC should exercise its Section 5 authority to require pre-breach security attestations from medical device manufacturers who collect patient PII and PHI as a condition of their commercial operations. Current practice allows companies to make public security promises with no independent verification until after a breach occurs.
  • Federal regulators should require that any entity collecting PHI at the scale alleged in this case (millions of records) submit to mandatory third-party security audits on a regular cycle, with audit results disclosed to HHS. The complaint’s injunctive relief request already names this as a minimum fix; regulators should not wait for courts to order it case by case.
  • Post-breach disclosure standards must require companies to specify: what data was compromised, whether it was encrypted, what the specific security failure was, and what structural changes are being implemented. Medtronic’s press release answered none of these questions. Vague acknowledgment of “unauthorized access” leaves patients unable to assess their own risk.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
