Cybersecurity & Privacy

Abbott Laboratories Investigates Two Major Cybersecurity Incidents Following Data Breach Claims

Abbott Laboratories, a global healthcare giant, is currently embroiled in investigations into two separate, significant cybersecurity incidents. The company has confirmed unauthorized access to internal legacy systems within its Cancer Diagnostics business, specifically those inherited from Exact Sciences. Simultaneously, Abbott is probing allegations that attackers breached its LabCentral portal and exfiltrated company data. These revelations have triggered alarm bells within the cybersecurity community and raise critical questions about the security posture of major healthcare technology providers.

The first incident, concerning the Cancer Diagnostics business, came to light after the notorious extortion group ShinyHunters added Abbott to its data leak site. Initially, ShinyHunters issued an ultimatum, threatening to release allegedly stolen data by July 18 unless Abbott entered into negotiations. This deadline was subsequently extended to July 21, indicating a prolonged period of potential data exposure and intense pressure on the healthcare conglomerate.

The ShinyHunters Threat: A Closer Look

When approached by BleepingComputer for comment regarding the ShinyHunters allegations, Abbott provided a statement that was published on its official website. The company acknowledged the incident, stating, "Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only." Crucially, Abbott emphasized that this breach "does not impact any business operations, product or product availability, manufacturing or lab operations, or our ability to serve patients." Furthermore, the company asserted that the affected legacy Exact Sciences systems are distinct from Abbott’s primary infrastructure and that no other Abbott businesses or systems have been compromised.

Abbott confirmed that it has activated its established incident response protocols, enlisted the services of cybersecurity experts, and has informed law enforcement agencies about the breach. The company has also proactively stated that it does not anticipate a material impact on its business operations or financial performance as a result of this incident.

Abbott Laboratories probes two cyber incidents amid extortion claims

According to ShinyHunters, the initial compromise occurred in mid-June through a sophisticated vishing (voice phishing) attack targeting several Abbott employees. The threat actor claims this attack enabled them to compromise a Microsoft Entra single sign-on (SSO) account, which subsequently provided access to internal Abbott systems. This method aligns with ShinyHunters’ broader modus operandi, which has increasingly focused on social engineering campaigns targeting employees’ cloud-based authentication credentials, including those for Microsoft Entra, Okta, and Google SSO, since last year.

Once access to a corporate SSO account is gained, threat actors like ShinyHunters typically exploit this gateway to pilfer data from connected Software-as-a-Service (SaaS) applications. These can include widely used platforms such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox, among others. The healthcare sector, with its vast repositories of sensitive patient and operational data, represents a particularly attractive target for such criminal enterprises.

A Pattern of MedTech Targeting

The targeting of Abbott is not an isolated event. ShinyHunters has demonstrated a growing inclination to target companies within the medical technology (medtech) sector. Previous high-profile victims include Medtronic, OneMedical, and AdaptHealth. BleepingComputer has also independently learned that ShinyHunters was responsible for the data breach affecting iRhythm and had also targeted Stryker shortly after the latter had recovered from a destructive data-wiping attack originating from Iran. This pattern suggests a strategic focus on the healthcare ecosystem by these cybercriminal groups.

Regarding the specific data allegedly exfiltrated by ShinyHunters from Abbott, the threat actor claimed to have accessed and stolen information from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa. This reportedly includes internal documents, contractual agreements, and customer information. More alarmingly, ShinyHunters asserted the theft of over 30 million rows of personally identifiable information (PII) belonging to customers. This alleged PII includes names, email addresses, phone numbers, physical addresses, dates of birth, and, most disturbingly, over one million Social Security numbers. The group also claimed to have obtained more than 22 million client notes containing detailed doctor-patient conversations, over 20 million medical orders, and various customer agreements and non-disclosure agreements (NDAs). It is important to note that BleepingComputer has not independently verified the accuracy of ShinyHunters’ claims regarding the volume and nature of the stolen data.

The LabCentral Portal Breach: A Separate Threat Actor

The second cybersecurity incident under investigation involves a different threat actor, identified as ShadowByt3$. This group contacted BleepingComputer with claims of breaching Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal. ShadowByt3$ alleges that the breach was facilitated by compromised customer credentials, exploiting what they described as a "weak point" within the LabCentral environment.

Abbott Laboratories probes two cyber incidents amid extortion claims

According to ShadowByt3$, their intrusion occurred on July 4, 2026. The threat actor claims to have then systematically exfiltrated files by targeting API endpoints. The stolen data, as asserted by ShadowByt3$, includes CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files, and other product documentation pertinent to Abbott’s laboratory diagnostic systems.

Crucially, ShadowByt3$ stated that no customer data was stolen in this incident. However, they claim to have obtained sensitive business documents and intellectual property. To substantiate their claims, the group provided BleepingComputer with screenshots and a file listing as purported evidence of their intrusion.

Abbott has acknowledged awareness of this "potential" cyber incident. However, the company has contested the threat actor’s characterization of the stolen data, asserting that all information stored within the affected environment is publicly accessible and not considered sensitive.

An Abbott spokesperson clarified to BleepingComputer, "LabCentral is an externally facing third-party hosted portal used by Abbott’s core laboratory diagnostics business. It houses publicly available technical product reference documents, including operating manuals, troubleshooting checklists and product specifications, and does not contain proprietary/sensitive customer or business information." This statement suggests a significant difference in the perceived value and sensitivity of the data, with the threat actor claiming valuable intellectual property and Abbott characterizing it as publicly available technical documentation.

As of the latest reports, neither ShinyHunters nor ShadowByt3$ has publicly released any of the data they claim to have exfiltrated from Abbott. The situation remains fluid, with ongoing investigations and the potential for future data dumps by the threat actors.

Abbott Laboratories probes two cyber incidents amid extortion claims

Broader Implications for Healthcare Cybersecurity

These dual incidents underscore the persistent and evolving threat landscape facing the healthcare industry. The reliance on interconnected systems, legacy infrastructure, and extensive third-party vendor relationships creates numerous potential entry points for cybercriminals. The sophisticated nature of attacks, including social engineering and the exploitation of SSO vulnerabilities, highlights the need for multi-layered security strategies that go beyond traditional perimeter defenses.

The fact that ShinyHunters specifically targets medtech companies suggests a strategic approach to identifying and exploiting vulnerabilities within this critical sector. The potential compromise of sensitive patient data, financial information, and intellectual property can have far-reaching consequences, including regulatory penalties, reputational damage, and erosion of patient trust.

For organizations like Abbott, maintaining robust cybersecurity requires continuous vigilance, regular security audits, employee training on threat awareness, and a proactive incident response plan. The incident involving the LabCentral portal also brings to light the importance of understanding the nature and sensitivity of data stored on third-party hosted platforms, even those intended for public access.

The ongoing investigations by Abbott, in collaboration with cybersecurity experts and law enforcement, will be critical in determining the full scope of these breaches and implementing necessary remediation measures. The industry will be closely watching to see how Abbott navigates these challenges and what lessons can be learned to bolster the security of the broader healthcare ecosystem. The potential for widespread data breaches in the healthcare sector remains a significant concern, demanding constant innovation and adaptation in cybersecurity defenses.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Snapost
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.