On the morning of 11 March 2026, staff at medical equipment manufacturer Stryker arrived at work to find a message on their screens. They were told not to turn on company devices and to disconnect from all networks immediately. A cyber attack had hit the company's global systems overnight — and within days, its effects were being felt in NHS hospitals across the UK.
What actually happened
Stryker is one of the world's largest medical technology companies, manufacturing surgical equipment, orthopaedic implants, hospital beds, and life-saving devices. It employs around 56,000 people across 61 countries and supplies hospitals — including NHS trusts — with equipment used in everyday clinical care.
On 11 March, attackers gained access to Stryker's internal Microsoft environment and disrupted it on a large scale. Rather than the typical ransomware attack — where criminals encrypt files and demand payment — this appears to have been a wiper attack, where devices are remotely disabled or erased without any ransom demand. Stryker confirmed that the disruption affected its order processing, manufacturing coordination, and shipping systems globally.
A group called Handala claimed responsibility. Handala presents itself as a pro-Iranian hacktivist group, though cybersecurity researchers at Palo Alto Networks and Check Point Research believe it operates as a front for Iran's Ministry of Intelligence. The group stated the attack was in retaliation for the ongoing conflict involving Iran. That motivation has not been independently verified, and Handala's claims about the scale of the attack — including wiping over 200,000 devices — have not been confirmed by Stryker.
Who was affected, and for how long?
Stryker has confirmed that its products — including connected medical devices, surgical robots, and monitoring equipment — were not compromised. Patient data held on systems such as its Mako robotic surgical platform was not accessed. The attack was contained to Stryker's own internal business systems.
The knock-on effect on NHS supply chains, however, was real and significant. Because Stryker could not process or ship orders, NHS Supply Chain issued formal guidance to trusts telling them to order essential items only, consider alternative suppliers, and begin planning to reduce reliance on Stryker products over the following three to four weeks. Specific items — including defibrillator electrodes and oral care swabs — were placed under controlled ordering, meaning trusts had to submit escalation forms to obtain them.
NHS England wrote formally to all trusts and regions on 18 March. The British Orthopaedic Association issued its own guidance, recommending that trauma and elective orthopaedic procedures continue as planned while alternative supply arrangements were put in place. Stryker has said it believes the incident is contained and that restoration is progressing, but has not provided a timeline for full recovery.
Globally, the disruption has caused some procedures to be rescheduled. Stryker confirmed that delays to custom implant delivery had resulted in some patient-specific surgical cases being postponed.
What the headlines got wrong
Some coverage has described this as an attack on hospitals, or implied that patients were directly at risk from compromised medical devices. That is not accurate.
No hospital systems were breached. No medical devices were hacked or made unsafe to use. The British Orthopaedic Association confirmed that orthopaedic procedures could continue as planned. The disruption was real — but it was a supply and logistics problem, not a clinical safety emergency.
The distinction matters. Framing this as hospitals being "taken down" or patients being "put at risk by hackers" is not what the evidence shows. It also risks making people unnecessarily frightened of the technology keeping them well. Stryker's devices continued to work safely throughout.
Why does this kind of thing happen?
This incident is a textbook example of supply chain risk — and it is one of the most important and underappreciated concepts in cybersecurity.
Hospitals were not attacked directly. Instead, a supplier's internal systems were disrupted, and because hospitals depend on that supplier for equipment, they felt the effects almost immediately. The chain runs like this: a supplier's systems go down, orders cannot be placed or processed, deliveries stop, and clinical teams have to adapt.
The method of the attack also deserves attention. Wiper attacks — where the goal is destruction rather than financial gain — are less common in criminal cybercrime but more associated with nation-state or politically motivated actors. They are harder to recover from than ransomware, because there is no decryption key to negotiate for. Systems have to be rebuilt from scratch.
The root cause of how the attackers got in has not been confirmed by Stryker. In incidents of this type, the most common entry points are phishing — a well-crafted fake email that tricks an employee into entering their credentials — or weaknesses in how administrative access to systems is controlled. Neither has been confirmed here, and it would be wrong to speculate as fact.
Could there be fines or consequences?
Stryker is a US-headquartered company and has filed a regulatory disclosure with US financial authorities about the attack and its potential financial impact. The full scope of the financial effects has not yet been determined.
In the UK, the ICO (Information Commissioner's Office) would investigate if personal data belonging to UK individuals was confirmed to have been accessed or exfiltrated. Stryker has not indicated that personal data was compromised, but the investigation is ongoing. NHS England's involvement signals that this has been treated as a significant supply chain incident at a national level, not a local one.
What does this mean for me?
If you or someone you know has a procedure scheduled and uses Stryker equipment, don't panic. The British Orthopaedic Association has confirmed that procedures can continue. NHS trusts are working through NHS Supply Chain to find alternatives where needed. If your procedure has been affected, your hospital will contact you directly.
Stryker's medical devices — in hospitals and elsewhere — remain safe to use. The attack affected internal business systems, not the products themselves. If you or a family member has an implant, a pacemaker, or uses any Stryker equipment at home or in a care setting, it has not been compromised.
This story is a reminder that cybersecurity isn't just about computers. Modern healthcare, like most of daily life, depends on complex chains of suppliers, logistics systems, and digital infrastructure. When any part of that chain is disrupted — even one step removed from a hospital — the effects can be felt by real patients waiting for real procedures.
The broader lesson
You don't have to attack a hospital to disrupt one. That is the lesson this incident makes plain. An attacker who cannot easily breach a hospital's own well-defended systems can instead target a supplier, a logistics provider, or a software vendor — and achieve a similar impact without ever touching clinical infrastructure directly.
This is not a new idea in cybersecurity, but it is one that is becoming more urgent as healthcare becomes more digitally connected. The more hospitals rely on digital ordering, just-in-time delivery, and connected supply chains, the more points of vulnerability exist outside their own walls.
The human decisions that matter here are not just those of the attackers. They include the choices made by organisations about how much resilience to build into their supply chains, what fallback processes exist when digital systems fail, and how well prepared staff are to recognise the kinds of attacks — like phishing — that most commonly open the door.
🧠 The Human Factor
| Technology involved | Stryker's global Microsoft enterprise environment — order processing, manufacturing coordination, and shipping systems |
| Root cause | A targeted, destructive attack on a critical supplier's internal systems, exploiting access to corporate IT infrastructure. The precise entry point has not been confirmed; similar incidents most commonly begin with phishing or compromised administrative credentials |
| What was at risk | Medical equipment supply to NHS trusts; scheduled surgical procedures; defibrillator components and specialist consumables under controlled ordering |
| Prevention | Stronger supply chain resilience planning; robust fallback ordering processes; access controls on critical internal systems; staff training to recognise phishing attempts |
References and sources
- Stryker customer update statement (March 2026) — stryker.com
- NHS Supply Chain incident notice ICN 3261 — supplychain.nhs.uk
- NHS England letter to trusts and regions, published 20 March 2026 — england.nhs.uk
- British Orthopaedic Association statement on the Stryker cyber attack (14 March 2026) — boa.ac.uk
- MedTech Giant Stryker Crippled by Iran-Linked Hacker Attack — SecurityWeek (11 March 2026)
- Stryker Cyberattack Delays Surgeries for Some Patients — Bloomberg (18 March 2026)
- Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker — Krebs on Security (March 2026)
- Handala attribution: Check Point Research and Palo Alto Networks threat intelligence reporting
atozofcyber.co.uk contacted Stryker's UK press office for comment. No response had been received at the time of publication.
This is a developing story. Last updated: 22 March 2026 We update breaking stories as new information becomes available.