Abbott Laboratories Investigating Two Major Cybersecurity Incidents Amidst Data Breach Allegations

Abbott Laboratories is currently grappling with two distinct and potentially significant cybersecurity incidents, raising concerns about the security of its internal systems and customer data. The global healthcare giant confirmed that unauthorized access has occurred within its Cancer Diagnostics business, specifically impacting legacy Exact Sciences systems. In parallel, the company is investigating a separate claim alleging a breach of its LabCentral portal, with a threat actor asserting the theft of company data. These investigations come as the ShinyHunters extortion gang has publicly named Abbott on its data leak site, initially demanding a ransom under threat of data publication.
The confirmation of the Cancer Diagnostics incident by Abbott follows closely on the heels of the ShinyHunters group adding the company to its illicit online forum. The threat actors initially issued a deadline of July 18th for Abbott to engage in negotiations, threatening to release allegedly stolen data. This deadline was subsequently extended to July 21st, underscoring the urgency of the situation.
When approached for comment by BleepingComputer, Abbott Laboratories provided a statement that was also published on its official website. The statement reads, "Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only. This does not impact any business operations, product or product availability, manufacturing or lab operations, or our ability to serve patients." The company further emphasized that the incident is confined to the legacy Exact Sciences systems and does not affect any other Abbott businesses or systems, asserting that these legacy systems operate separately from Abbott’s core infrastructure.
In response to the breach, Abbott stated that it has proactively initiated its incident response protocols. This includes the engagement of specialized cybersecurity experts and the notification of relevant law enforcement agencies. The company also indicated that it does not anticipate the incident will have a material impact on its business operations or financial performance.
Chronology of Events and Threat Actor Claims
The ShinyHunters group has provided details regarding their alleged infiltration method. They claim to have gained access to Abbott’s systems in mid-June through a vishing (voice phishing) attack targeting several employees. According to the threat actor, this attack successfully compromised a Microsoft Entra single sign-on (SSO) account, thereby granting them access to internal Abbott systems. This modus operandi aligns with ShinyHunters’ broader campaign strategy, which has been ongoing since last year. The group has been observed conducting extensive social engineering campaigns specifically aimed at compromising Microsoft Entra, Okta, and Google SSO accounts of employees within various organizations.
Once an SSO account is compromised, threat actors like ShinyHunters are known to exploit this access to exfiltrate data from a wide array of connected Software-as-a-Service (SaaS) applications. This typically includes popular platforms such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox, among others.

Targeting the MedTech Sector
The healthcare technology sector has become an increasingly attractive target for extortion gangs like ShinyHunters. Abbott is not the first prominent medtech company to fall victim to such attacks. In recent times, organizations such as Medtronic, OneMedical, and AdaptHealth have also been targeted. Furthermore, BleepingComputer has learned that ShinyHunters was also implicated in a significant data breach affecting iRhythm and subsequently targeted Stryker shortly after the latter company had recovered from a devastating data-wiping attack attributed to Iranian state-sponsored actors.
Scope of Alleged Data Theft by ShinyHunters
Regarding the specific data allegedly stolen by ShinyHunters from Abbott, the group claims to have exfiltrated information from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa. This includes internal company documents, contractual agreements, and customer information.
The threat actor’s claims are particularly alarming due to the sheer volume and sensitivity of the data they purport to possess. ShinyHunters asserts that they have stolen over 30 million rows of personally identifiable information (PII) belonging to customers. This allegedly includes names, email addresses, phone numbers, physical addresses, dates of birth, and, most concerningly, over one million Social Security numbers.
Beyond PII, the group also claims to have acquired more than 22 million client notes containing detailed doctor-patient conversations, over 20 million medical orders, and various customer agreements and non-disclosure agreements (NDAs). It is important to note that BleepingComputer has not independently verified the accuracy of these claims made by the threat actor.
The Second Incident: LabCentral Portal Breach
The second cybersecurity incident under investigation involves a different threat actor, operating under the alias ShadowByt3$. This individual or group contacted BleepingComputer with claims of breaching Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal.

ShadowByt3$ alleges that the breach was achieved by exploiting compromised customer credentials after identifying what they described as a "weak point" within the LabCentral environment. The threat actor states that access was gained on July 4, 2026, and that data was exfiltrated incrementally by targeting API endpoints.
Nature of Data Allegedly Stolen from LabCentral
According to ShadowByt3$, the data obtained includes CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files, and other product documentation pertinent to Abbott’s laboratory diagnostic systems. The threat actor explicitly states that no customer data was compromised, but claims to have obtained sensitive business documents and intellectual property. To substantiate their claims, ShadowByt3$ provided BleepingComputer with screenshots and a file listing as alleged proof of the intrusion.
Abbott has acknowledged awareness of this "potential" cyber incident but has contested the threat actor’s characterization of the stolen data. A spokesperson for Abbott clarified to BleepingComputer that the LabCentral portal is an externally facing, third-party hosted platform utilized by Abbott’s core laboratory diagnostics business. The company stated that the environment exclusively houses publicly available technical product reference documents, such as operating manuals, troubleshooting checklists, and product specifications. Abbott maintains that the portal does not contain any proprietary or sensitive customer or business information.
Broader Implications and Industry Context
The dual cybersecurity incidents at Abbott Laboratories highlight several critical issues facing the healthcare and technology sectors. Firstly, the reliance on legacy systems, even within a large corporation, can present significant vulnerabilities. The fact that the Cancer Diagnostics breach involved "legacy Exact Sciences systems" suggests that older, potentially less secure infrastructure can serve as an entry point for sophisticated attackers.
Secondly, the prevalence of social engineering tactics, particularly vishing and the targeting of SSO accounts, continues to be a potent threat vector. As demonstrated by ShinyHunters’ actions, compromising a single credential can unlock access to a vast network of sensitive information. This underscores the paramount importance of robust employee training on cybersecurity awareness and multi-factor authentication (MFA) implementation across all access points.
The targeting of medtech companies by cybercriminals is a growing trend, driven by the sensitive and valuable nature of the data they hold, including patient health information (PHI) and intellectual property related to medical devices and diagnostics. The potential for significant financial gain through ransomware attacks or data extortion, coupled with the reputational damage that can be inflicted, makes these companies prime targets.

The LabCentral incident, if the threat actor’s claims about the type of data stolen are accurate (even if not customer PII), still represents a serious breach of intellectual property and proprietary technical information. The compromise of manufacturing certificates, technical specifications, and regulatory documentation could have implications for product development, market entry, and competitive advantage.
Official Responses and Industry Preparedness
Abbott’s swift response in engaging incident response teams, cybersecurity experts, and law enforcement demonstrates a commitment to addressing the breaches. The company’s proactive communication, while reassuring, will likely be closely scrutinized by regulators, investors, and the public.
The healthcare industry, in particular, is under immense pressure to bolster its cybersecurity defenses. Regulatory bodies worldwide are increasingly mandating stringent data protection measures and imposing significant penalties for non-compliance. The implications of these breaches extend beyond financial penalties, potentially eroding patient trust and impacting the availability of critical medical diagnostics and treatments.
As of the time of reporting, neither ShinyHunters nor ShadowByt3$ has publicly released the data they claim to have stolen from Abbott. However, the threat of such a release remains a significant concern, as it could lead to widespread identity theft, fraudulent activities, and a further erosion of trust in healthcare data security. The ongoing investigations will be crucial in determining the full extent of the breaches and the appropriate measures to prevent future incidents. The cybersecurity landscape continues to evolve, and organizations like Abbott Laboratories must remain vigilant and adapt their defenses to counter the ever-present threat of cyberattacks.






