Data Breach Lawsuit Alleges Stryker Failed to Protect Private Info From March 2026 Cyberattack
Mesmer v. Stryker Corporation
Filed: March 13, 2026 § 1:26-cv-832
A class action lawsuit alleges that Stryker failed to protect private consumer and employee information from a March 2026 cyberattack.
A proposed class action lawsuit alleges that medical device giant Stryker failed to adequately safeguard sensitive consumer and employee information on its systems, leading to a sizeable data breach.
The 28-page data breach lawsuit asserts that Stryker, one of the largest medical device makers in the world, negligently failed to implement reasonable cybersecurity measures to protect consumers’ and current and former employees’ private information from a March 2026 data breach, despite having the resources to do so.
According to the suit, Stryker experienced a targeted cyberattack on March 11, 2026, during which Handala, a group of hackers linked to Iran, reportedly accessed the private information of consumers and current and former employees. Per the case, approximately 50 terabytes of data were extracted during the incident, including, but not limited to, names, dates of birth, addresses, Social Security numbers, employment information, and private health information.
Handala, which claimed responsibility for the cyberattack, said the attack was retaliation for recent U.S. military operations against Iran, according to media reports.
The class action lawsuit says that although Stryker is a “technologically advanced” organization, it failed to comply with “basic” information security standards or implement reasonable cybersecurity measures that may have prevented the data breach. Stryker, the filing claims, has a “weighty” obligation to protect the sensitive and valuable private information it collects, but has not implemented “reasonable and appropriate” cybersecurity measures.
Despite the duty of care owed by Stryker to individuals whose information it collected, the filing says that the company failed to have in place cybersecurity measures “consistent with industry standards.” The suit charges that it was “foreseeable” that Stryker would be a high-value target for cybercriminals and that the defendant knew or should have known the risks inherent to storing private information.
The filing explains that the Federal Trade Commission has published numerous cybersecurity guidelines to protect confidential information, including properly disposing of personal information that is no longer needed, understanding network vulnerabilities, implementing policies to correct any security issues, and using intrusion detection systems. Stryker allegedly did not utilize any of these basic security measures, and the case says that the company was in “dire need” of cybersecurity updates at the time of the breach.
The case says the plaintiffs and class members now face “years” of a “substantial, increased, and immediate” risk of fraud, identity theft, and “disclosure of their most sensitive and deeply personal information” because of the Stryker data breach.
Criminals sell the “spoils” of cyberattacks to individuals who want to “extort and harass” victims and use their identity for fraudulent financial transactions, the case says. Information extracted during the Stryker data breach is highly valuable to cybercriminals and has already been “dumped” onto the dark web, where there is a thriving market for illegally obtained private information, the case shares.
The filing states that Stryker’s response to the data breach has been “woefully insufficient,” adding that “to date, [Stryker] has yet to provide any notice to the individuals impacted.”
The Stryker class action lawsuit seeks to cover all individuals whose private information was maintained by Stryker and was compromised in the data breach.