Stryker Corporation
Organisation · US

US medtech firm; Handala wiper destroyed 200,000 devices via single Intune credential, March 2026.

Last refreshed: 8 May 2026 · Appears in 3 active topics

Key Question

Is an SEC-reportable attack possible with no malware, just one stolen cloud login?

Timeline for Stryker Corporation

#3 · 7 May

Ivanti EPMM logs fourth KEV zero-day since 2023

Cybersecurity: Threats and Defences
#1 · 10 Apr

Filed SEC 8-K/A disclosing the March MDM wipe as a material cybersecurity incident with Q1 earnings impact

Cybersecurity: Threats and Defences: Stryker SEC filing marks cyber milestone
#1 · 11 Mar

Handala wipes 200,000 devices at Stryker

Cybersecurity: Threats and Defences
Common Questions
What happened to Stryker in the cyber attack?
Iranian-linked group Handala Hack wiped up to 200,000 Stryker devices across 79 countries on 11 March 2026 using a stolen Microsoft Intune admin credential. No malware was involved. Source: Stryker 8-K/A / Krebs on Security
Did the Stryker hack affect NHS hospitals?
Yes. NHS Supply Chain issued a disruption alert on 18 March 2026 warning UK hospitals that Stryker ordering, manufacturing and invoicing systems were degraded until approximately 10 April. Source: NHS Supply Chain ICN
How did Stryker disclose the cyber attack to the SEC?
Stryker filed an 8-K/A amendment on 10 April 2026 disclosing the March 2026 incident as material, noting Q1 earnings impact while maintaining full-year guidance. It is the first MDM console wipe to trigger an SEC 8-K disclosure. Source: SEC EDGAR / Stryker 8-K/A
How do companies protect against MDM wipe attacks like Stryker's?
Key controls include: Conditional Access policies requiring step-up authentication for MDM admin roles; break-glass account monitoring; session-binding and IP restriction on privileged Identity Provider (IdP) roles; real-time access revocation (e.g. CrowdStrike SGNL). Source: NCSC / Obsidian Security
What security controls would have stopped the Stryker attack?
Key controls include Conditional Access policies requiring step-up MFA for MDM admin roles, break-glass account monitoring, session-binding on Identity Provider roles, and real-time access revocation. CISA also adds MDM zero-days like CVE-2026-6973 to KEV, making timely patching of MDM infrastructure a compliance obligation. Source: NCSC / Obsidian Security

Background

Stryker Corporation is a US medical technology manufacturer headquartered in Kalamazoo, Michigan, producing surgical equipment, orthopaedics, and medical devices for hospitals and healthcare systems worldwide.

Stryker became the most significant identity-plane attack victim of 2026 when Iranian-linked Handala Hack wiped between 80,000 and 200,000 devices across 79 countries on 11 March 2026 using a single stolen Microsoft Intune admin credential. No malware was deployed. Per Stryker's SEC 8-K/A filed on 10 April, the incident was material and would affect Q1 2026 earnings, though full-year guidance was maintained.

NHS Supply Chain, the NHS England centralised procurement body, issued a disruption alert on 18 March warning UK hospitals that Stryker ordering, manufacturing, and invoicing systems were degraded, with most product lines not projected to return to normal until 10 April. UK trusts running Stryker surgical equipment faced procedure delays and paper-based inventory workarounds for three weeks. The attack was described by Krebs on Security as credential-only, with the attackers operating the MDM console identically to the legitimate IT team.

The incident established two precedents that now define enterprise MDM security discourse. First, an SEC materiality precedent: a credential-only attack with no malware and no data encryption qualifies as a material cybersecurity event under SEC 8-K rules — Stryker's 8-K/A is the first MDM console wipe to trigger SEC disclosure. Second, the fourth Ivanti EPMM KEV entry (CVE-2026-6973), added in May 2026, confirms that MDM control-plane vulnerabilities remain the highest-priority attack surface for threat actors. Stryker's case is now the reference scenario for CISO conversations about MDM admin Conditional Access, break-glass account design, and session-binding controls.