Stryker Seeks to Dismiss Class Action Lawsuit in Cyberattack
Data Breach TodayArchived Jun 24, 2026✓ Full text saved
Medtech Firm Argues PII of Employees Filing Lawsuit Was Not Compromised Stryker is asking a court to dismiss proposed class action litigation filed by current and former employees who allege their personal information was compromised in a March cyberattack by Iranian hacktivists. The medtech manufacturer denies the workers' information was accessed in the incident.
Full text archived locally
✦ AI Summary· Claude Sonnet
Cyberwarfare / Nation-State Attacks , Data Privacy , Data Security
Stryker Seeks to Dismiss Class Action Lawsuit in Cyberattack
Medtech Firm Argues PII of Employees Filing Lawsuit Was Not Compromised
Marianne Kolbasuk McGee (HealthInfoSec) • June 24, 2026
Credit Eligible
Get Permission
Medtech maker Stryker is seeking to dismiss class action litigation filed by current and former employees in the wake of the company's March cyberattack by Iranian hacktivists. (Image: Stryker)
Stryker, the medical tech manufacturer targeted by Iranian hacktivists in March, is asking a federal court to dismiss proposed class action litigation filed by current and former employees who allege their personal information was compromised. Stryker says the workers' information wasn't accessed in the incident.
See Also: OnDemand | Transform API Security with Unmatched Discovery and Defense
Michigan-based Stryker in court documents filed Monday claims the company's investigation into the incident has not uncovered evidence that cyber attackers accessed the personally identifiable information of any of the eight former and current employee's named as plaintiffs in their consolidated amended complaint.
Hacktivist group Handala, widely suspected of being a front for Iran's Ministry of Intelligence, boasted in March of stealing 50 terabytes of "critical data" from Stryker. The group also said it permanently erased "in just a few hours" 200,000 devices and 12 petabytes of Stryker data "that took years to collect and billions of dollars to protect" (See: Medtech Firm Stryker Disrupted by Pro-Iran Hackers).
The cyberattack on Stryker came nearly two weeks after the U.S. and Israel launched major military actions against Iran on Feb. 28 (see: US, Israel Launch Major Combat Operations Against Iran).
Stryker has contended the cyber incident did not impact devices and systems connected to customers, but said the IT outage disrupted the company's electronic ordering and related systems used by clients. The systems were down for several weeks until being fully restored in early April.
The plaintiffs, Stryker argued, began filing lawsuits "merely 48 hours" after the company announced on March 11 that it had experienced a cyberattack, each speculating that their PII, including names and Social Security numbers, were accessed, Stryker said in its motion to dismiss (see: Stryker Wiper Attack: Hackers Boast As Lawsuits Pile Up).
"Stryker, with the help of their independent experts, reviewed files and data that were identified as potentially being accessed by the threat actor during the cyberattack," said the company's CISO, Juan Pablo Calderon, in a declaration filed with Stryker's motion.
"Those files and data were searched for plaintiffs' PII and Stryker determined as a purely factual matter that none of the plaintiffs' PII exists in those files and data," Calderon said. The files and data did contain the business email addresses of two plaintiffs, but not their PII, he said.
Stryker also argued in court documents that the each of the plaintiffs' PII was exposed in previous data breaches involving other organizations, so none of their alleged injuries - such as identity theft - are traceable to Stryker.
Furthermore, Stryker also asserts that that while none of the plaintiffs - all current or former employees - received notifications from the company that their PII was accessed in the attack, "they seek to represent 'all individuals residing in the United States whose PII was compromised … including all those individuals who received notice of the data breach.'"
All of these factors show the plaintiffs' lack of legal standing for their claims; therefore, the case against the company should be dismissed, Stryker contends.
Beyond disclosure reports filed to the U.S. Securities and Exchange Commission in the early days of the cyberattack, as of Wednesday, Stryker did not yet appear to have publicly filed data breach reports about the security incident to state attorneys general or to federal regulators.
Stryker did not immediately respond to ISMG's request for comment on the class action litigation and for details about the incident, including whether the company was reporting the incident to regulators as a data breach or notifying affected individuals about a potential compromise to their PII or protected health information.
Attorneys representing the plaintiffs in the class action litigation against Stryker also did not immediately respond to ISMG's request for comment.
Some legal experts said plaintiffs and their attorneys sometimes rush to file class action litigation following a major data breach before knowing key details about the incident.
"The principal risk of filing a breach lawsuit immediately after a cyberattack is that the complaint may outrun the facts," said attorney Steven Teppler, partner and chief cybersecurity legal officer at law firm Mandelbaum Barrett.
"I also think this is more a case of a race to file, with the potential for leadership appointment if and when the cases are consolidated into multi-district litigation status," he said regarding the Stryker class action litigation.
Courts also appear to be increasingly requiring plaintiffs in data breach lawsuits to show "more than speculation" that their information was affected, he said.
"At the same time, a finding that these particular plaintiffs were not impacted might doom those plaintiffs' case, but would not necessarily foreclose claims by others if forensic evidence later establishes that different individuals' information was actually compromised," he said.
Attorney Jordan Cohen, a partner at law firm Akerman LLP, offered a similar assessment.
"The CISO declaration implicitly acknowledges that certain files and data were potentially accessed by the threat actor," he said. "If other individuals' PII was in those files, and if Stryker ultimately sends breach notifications, those people would be in a fundamentally different position vis-à-vis their success in litigation."
In general, racing to file a lawsuit before receiving notification of a breach also comes with risks, Cohen said.
"Bottom line is that breach notification letters are foundational for standing in these cases. Without one, plaintiffs must rely on vague allegations of fear, anxiety and darkweb alerts - which a court is unlikely to find sufficient for standing," he said.
Also, with so many data breaches occurring across various industries, "it will be interesting to see whether courts buy into the defendant's argument" - as in Stryker's motion to dismiss - that it is difficult and perhaps impossible to trace any particular instance of identity fraud to a single defendant's incident, Cohen said.
"I would expect to see this argument in many data breach motions to dismiss going forward."
In any case, the Stryker cyberattack legal drama could prove important in other similar data breach lawsuits, Teppler said.
"The Stryker litigation may become an important test of how courts evaluate standing in destructive cyberattacks where operational disruption is clear but data theft remains disputed," he said.