Sample Brief — Preview of Subscriber Experience

Subscriber Use Only
TLP: AMBER · Not for Public Release
Distribution: Healthcare Sector Subscribers
Healthcare Sector Intelligence Brief
Correlated · Sector-Specific · Plain Language
Week of April 6, 2026
Sources: CISA · FBI · HHS OCR · BleepingComputer · TechCrunch · HIPAA Journal · SANS · OSINT
National Threat Level
Critical
Stryker fully operational after 3-week recovery — new details: Handala claims 50TB stolen, 80,000 devices wiped, employee lawsuits filed. CareCloud EHR breach exposed patient medical records. Nacogdoches Memorial Hospital breach affects 257,000. Medusa ransomware shut down Mississippi’s only Level I trauma center for 9 days. North Korean Axios supply chain attack impacts healthcare software dependencies. 93% of healthcare organizations experienced at least one cyberattack in the past year.
What You Need To Know This Week
For Decision Makers — Plain Language

The Stryker story now has a full picture — and it is worse than initially reported. As Stryker announced full operational restoration on April 2, new forensic details emerged: Handala claims to have stolen 50 terabytes of data before wiping nearly 80,000 devices across the company’s global network. The attackers compromised a Windows domain administrator account, created a new Global Administrator account in Microsoft Entra ID, and used Microsoft Intune — the company’s own device management tool — to remotely wipe employee laptops, phones, and servers. In some departments, up to 95% of devices were erased before defenders could react. Investigators also discovered a malicious file the attackers used to hide their activity inside the network. Employee lawsuits have been filed alleging Social Security numbers and financial data may be exposed. The FBI seized two Handala websites, and CISA released joint guidance with Microsoft on hardening Intune and Windows domains.

CareCloud, a healthcare technology company that stores electronic health records for medical practices, filed an SEC disclosure on March 31 confirming unauthorized access to one of its patient records environments on March 16. Hackers had access for over 8 hours. Whether patient data was exfiltrated is still unknown. Separately, Nacogdoches Memorial Hospital in Texas began notifying 257,073 individuals about a January breach where hackers had network access for two weeks before detection. And the Medusa ransomware gang — believed to operate out of Russia — claimed responsibility for the devastating attack on the University of Mississippi Medical Center that shut down the state’s only Level I trauma center and only children’s hospital for nine days.

Cross-sector: the North Korean Axios npm supply chain attack (detailed in the Defense brief) affects any healthcare organization running JavaScript-based applications — patient portals, telehealth platforms, internal dashboards, EHR integrations. An estimated 600,000 installs occurred during the 3-hour exposure window. Healthcare IT teams must audit their npm dependencies immediately.

The bottom line: Stryker’s recovery shows that even a Fortune 500 company with deep resources needed three weeks to come back from a destructive attack. Most healthcare organizations do not have Stryker’s resources. The question is no longer whether you will be attacked — 93% of healthcare organizations already have been — but whether you can keep delivering care for three weeks without your systems. If the answer is no, your preparedness gap is the threat.

80K · Stryker Devices Wiped
257K · Nacogdoches Patients Affected
93% · Healthcare Orgs Attacked (1yr)
9 · Days UMMC Was Dark
Active Campaigns Targeting Healthcare Sector (80%) · Sources: CISA · FBI · HHS OCR · BleepingComputer · TechCrunch · SANS
Stryker Recovery Complete — Full Scope of Handala Attack Revealed
Critical
Sources: BleepingComputer · SC Media · TechCrunch · SecurityWeek · ProArch · Stryker.com · April 2, 2026
Stryker confirmed full operational restoration on April 2, three weeks after the March 11 Handala attack. New forensic details paint a significantly more severe picture than initial reporting.
Attack chain: Handala compromised a Windows domain administrator account, likely via phishing or infostealer malware. With those credentials they created a new Global Administrator account in Microsoft Entra ID, the identity layer that controls who can administer Intune. They then used Microsoft Intune — Stryker’s own mobile device management platform — to issue remote wipe commands to employee devices across the global network.
Impact: Handala claims 50TB of data stolen; nearly 80,000 devices were wiped. In some departments, up to 95% of devices were erased before defenders reacted. Employees watched login screens replaced with Handala’s logo in real time. 56,000 employees globally were told to disable company-issued devices. Manufacturing, ordering, and shipping were disrupted for three weeks.
New findings: Investigators found a malicious file that allowed the attackers to hide activity inside the network. Multiple employee lawsuits have been filed alleging SSNs and financial data were exposed. The FBI seized two Handala websites. CISA and Microsoft released joint Intune hardening guidance. An expert from Lowenstein Sandler stated the attack “could happen to any critical company in the US.”
Action Required: Implement the CISA/Microsoft Intune hardening guidance immediately. Require dual-admin approval for any mass device wipe operation, and alert on any burst of wipe or retire actions above a low threshold so a runaway wipe is caught in minutes rather than hours. Audit all Global Administrator and domain admin accounts for unauthorized creation or role assignment, and review the Entra audit log for “Add member to role” events you cannot tie to a change ticket. Use Conditional Access to restrict Global Administrator and Intune administrator sign-ins to compliant, managed devices. Review Intune role assignments so that only a small, named set of administrators can issue wipe or retire actions. If using Microsoft endpoint management, conduct a tabletop exercise simulating an Intune-based wiper attack this month.
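As an added example for the audit steps above (this is not code from Stryker, Microsoft or CISA), the following Python script looks for the two signals in the reported attack chain in exported Microsoft logs: a user being added to the Global Administrator role, and a burst of Intune wipe actions issued by one account. It assumes the Entra records follow the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources[].modifiedProperties with a Role.DisplayName entry) and uses an assumed, simplified shape for the Intune wipe records (actionName, actor, deviceId, timestamp). Every record in it is constructed, and the tenant, account names and device IDs are hypothetical.

```python
"""Flag Global Administrator grants and Intune wipe bursts in exported logs.

Added example for this brief, not Stryker's, Microsoft's or CISA's code.
Assumptions: Entra records follow the Graph directoryAudit shape; the Intune
wipe records use an assumed simplified export shape. All data is constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN_ROLE = "Global Administrator"


def _ts(value):
    """Parse Graph ISO-8601 timestamps ('...Z') into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _role_name(prop):
    """modifiedProperties.newValue is a JSON-encoded string, e.g. '"Global Administrator"'."""
    raw = prop.get("newValue")
    try:
        return json.loads(raw) if raw else None
    except json.JSONDecodeError:
        return raw


def find_global_admin_grants(records):
    """Return every 'Add member to role' event whose target role is Global Administrator."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        # initiatedBy.user is null for app-initiated changes, so guard both levels
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        actor = user.get("userPrincipalName", "<app or unknown>")
        for target in rec.get("targetResources", []):
            roles = [_role_name(p) for p in target.get("modifiedProperties", [])
                     if p.get("displayName") == "Role.DisplayName"]
            if GLOBAL_ADMIN_ROLE in roles:
                hits.append({
                    "time": rec["activityDateTime"],
                    "actor": actor,
                    "new_admin": target.get("userPrincipalName") or target.get("displayName"),
                })
    return hits


def find_wipe_bursts(actions, threshold=10, window=timedelta(minutes=15)):
    """Per actor, find the most wipe actions inside any sliding time window.

    Returns one entry per actor whose peak meets the threshold. Legitimate
    helpdesk work is a handful of wipes per day; dozens in minutes is a wiper.
    """
    by_actor = defaultdict(list)
    for action in actions:
        if action.get("actionName", "").lower() == "wipe":
            by_actor[action["actor"]].append(_ts(action["timestamp"]))
    bursts = []
    for actor, times in by_actor.items():
        times.sort()
        recent = deque()
        peak, peak_start = 0, None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:  # drop events that fell out of the window
                recent.popleft()
            if len(recent) > peak:
                peak, peak_start = len(recent), recent[0]
        if peak >= threshold:
            bursts.append({"actor": actor, "count": peak,
                           "window_start": peak_start.isoformat()})
    return bursts


# Constructed sample data (hypothetical tenant, users and device IDs).
ENTRA_AUDIT = [
    {"activityDateTime": "2026-03-11T02:14:09Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "da-jsmith@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-sync2@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2026-03-10T09:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "helpdesk1@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2026-03-10T09:05:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "nurse42@corp.example",
                          "modifiedProperties": []}]},
]

_BURST_START = datetime(2026, 3, 11, 2, 20, tzinfo=timezone.utc)
WIPE_ACTIONS = [
    {"actionName": "wipe", "actor": "helpdesk1@corp.example", "deviceId": "dev-lost-0001",
     "timestamp": "2026-03-10T15:02:00Z"},  # one lost-laptop wipe: normal
] + [
    {"actionName": "wipe", "actor": "svc-sync2@corp.example", "deviceId": f"dev-{i:04d}",
     "timestamp": (_BURST_START + timedelta(seconds=20 * i)).isoformat().replace("+00:00", "Z")}
    for i in range(12)  # twelve wipes in four minutes from the new admin: burst
]

if __name__ == "__main__":
    for grant in find_global_admin_grants(ENTRA_AUDIT):
        print("GLOBAL ADMIN GRANT:", grant)
    for burst in find_wipe_bursts(WIPE_ACTIONS):
        print("WIPE BURST:", burst)
```

The threshold and window are the tuning knobs: set them just above what your helpdesk legitimately does in a quarter-hour, and route the alert to someone who can revoke the Intune session immediately, since by the time a human reads a daily report the wipe is finished.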
CareCloud EHR Breach — Patient Medical Records Accessed
Critical
Sources: TechCrunch · SEC Filing · March 31, 2026
Healthcare technology company CareCloud filed an SEC disclosure confirming unauthorized access to one of six environments where it stores patients’ electronic health records. The breach was detected on March 16 and hackers had access for more than 8 hours. CareCloud determined on March 24 that the incident was material enough to require investor notification. It is not yet known whether the hackers exfiltrated any data or what types of data may have been stolen. CareCloud stores EHR data for medical practices across the country — a single breach at the technology vendor level can affect hundreds of healthcare providers and their patients simultaneously. This is the exact third-party supply chain pattern that security experts have been warning about: attackers are not hacking individual hospitals, they are targeting the technology vendors that hospitals depend on.
Action Required: Healthcare organizations using CareCloud should contact CareCloud directly for breach impact assessment. Audit all third-party EHR vendor access agreements for breach notification requirements. Review business associate agreements (BAAs) with all technology vendors for HIPAA compliance. Implement monitoring for anomalous access patterns in EHR environments. Prepare patient notification procedures in case CareCloud confirms data exfiltration.
Medusa Ransomware — Mississippi’s Only Level I Trauma Center Shut Down 9 Days
Critical
Sources: The Record from Recorded Future News · Medusa Leak Site · March 17, 2026
The Medusa ransomware operation, believed to operate out of Russia, claimed responsibility for a devastating attack on the University of Mississippi Medical Center (UMMC). UMMC employs 10,000 people and houses Mississippi’s only children’s hospital, only Level I trauma center, only Level IV neonatal intensive care unit, and the state’s only organ transplant programs. The entire organization went dark for nine days in late February, forcing nurses and doctors to run workflows built around sophisticated systems with analog tools such as pen and paper. The cancer infusion center had to reschedule patients; staff built a fully functional offline infusion clinic from scratch. When the state’s only trauma center goes down, there is nowhere else for critical patients to go. This attack shows that ransomware in healthcare is not merely a cybersecurity incident — it is a patient safety emergency with potential for loss of life.
Action Required: Conduct a ransomware readiness assessment specifically for clinical operations — not just IT. Develop analog care delivery procedures for every critical department. Run tabletop exercises that include frontline clinical staff, not just IT. Pre-position paper-based backup processes for medication administration, patient identification, and lab ordering. Coordinate with regional hospitals on mutual aid agreements for patient diversion during cyber incidents.
Nacogdoches Memorial Hospital — 257,073 Individuals Affected
High
Sources: HIPAA Journal · Maine Attorney General Filing · March 31, 2026
Nacogdoches Memorial Hospital, a 226-bed hospital in Nacogdoches, Texas, began notifying 257,073 individuals about a hacking incident discovered on January 31, 2026. The forensic investigation determined the attackers first gained access on January 15 — 16 days before detection. The attacker accessed files containing personal and protected health information. A dwell time of this length is in line with what is commonly reported across the industry — healthcare organizations often lack the continuous monitoring needed to detect intrusions as they happen. No threat group had claimed responsibility as of April 1.
Action Required: Measure your organization’s mean time to detect (MTTD) intrusions. If you cannot detect an attacker within 48 hours, invest in continuous network monitoring or managed detection and response (MDR), and make sure the telemetry it relies on actually covers clinical, biomedical and legacy systems, not just office endpoints. Audit network segmentation to limit lateral movement if an attacker does gain access. Ensure breach notification procedures are pre-documented so that the HIPAA Breach Notification Rule’s 60-day deadline from discovery can be met without delay.
Axios npm Supply Chain Attack — Healthcare Software Impact
High
Sources: Google GTIG · Microsoft · Palo Alto Unit 42 · SANS · March 31, 2026
North Korean state-sponsored hackers (UNC1069 / Sapphire Sleet) hijacked the Axios npm package — a JavaScript library with over 100 million weekly downloads present in approximately 80% of cloud and code environments. The backdoored versions deployed a cross-platform Remote Access Trojan that harvested credentials, SSH keys, and authentication tokens. Healthcare organizations are affected because Axios is widely used in patient portals, telehealth platforms, internal dashboards, scheduling systems, and EHR integrations. Any JavaScript-based healthcare application that installed or updated Axios during the 3-hour exposure window on March 31, whether directly or through a transitive dependency with an unpinned version range, is potentially compromised — and that includes developer workstations and CI build agents where the install ran, not only production servers. The supply chain is the new perimeter — this attack demonstrates that even organizations with strong internal security can be compromised through a trusted third-party dependency they did not know they were using.
Action Required: Healthcare IT teams must audit all npm dependencies, lockfiles and installed node_modules trees for axios@1.14.1, axios@0.30.4, or plain-crypto-js (`npm ls axios --all` lists every resolved copy, including transitive ones nested under other packages). If found, treat the affected host as fully compromised: rebuild it, and rotate every credential, SSH key and token that was present on it. Pin axios to a known-good version such as 1.14.0 in package.json and the lockfile, and commit the lockfile so fresh installs cannot drift. Coordinate with EHR vendors and third-party application providers to confirm they have audited their own dependencies. Block traffic to sfrclak[.]com and 142.11.206.73, and search DNS and proxy logs for any prior contact with either.
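The lockfile scan below is an added example of the audit step above; it is not code from npm, Axios, or any of the cited sources. It walks a package-lock.json in both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 `packages` layout and reports every copy of axios at 1.14.1 or 0.30.4 and any copy of plain-crypto-js, including transitive copies nested under another dependency. The two sample lockfiles in it are constructed, and `telehealth-sdk` is a hypothetical package name.

```python
"""Scan an npm lockfile for the indicators named in this brief.

Added example, not code from npm, Axios or any cited source.
Indicators: axios@1.14.1, axios@0.30.4, any version of plain-crypto-js.
"""
import json
import sys

BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_PACKAGES = {"plain-crypto-js"}  # any version is an indicator


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def is_indicator(name, version):
    return name in BAD_PACKAGES or version in BAD_VERSIONS.get(name, ())


def scan_lockfile(lock):
    """Return [(install_path, name, version)] for every matching package.

    lockfileVersion 2 files carry both 'packages' and a legacy 'dependencies'
    tree; 'packages' is authoritative, so it is checked first.
    """
    findings = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # the root project entry, not a dependency
                continue
            name = meta.get("name") or _name_from_path(path)
            version = meta.get("version")
            if is_indicator(name, version):
                findings.append((path, name, version))
    elif "dependencies" in lock:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if is_indicator(name, meta.get("version")):
                    findings.append((path, name, meta.get("version")))
                walk(meta.get("dependencies", {}), path + "/")  # nested copies
        walk(lock["dependencies"], "")
    return findings


def scan_lockfile_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed sample lockfiles; 'telehealth-sdk' is a hypothetical package.
# The root's "^1.14.0" range is the point: a caret range resolves to 1.14.1 on
# a fresh install, so only the lockfile shows which copy actually landed.
SAMPLE_LOCK_V3 = {
    "name": "patient-portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "patient-portal",
             "dependencies": {"axios": "^1.14.0", "telehealth-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/telehealth-sdk": {"version": "2.0.0",
                                        "dependencies": {"axios": "^0.30.0"}},
        "node_modules/telehealth-sdk/node_modules/axios": {"version": "0.30.4"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.0"},
        "telehealth-sdk": {"version": "2.0.0",
                           "dependencies": {"axios": {"version": "0.30.4"}}},
    },
}

if __name__ == "__main__":
    if sys.argv[1:]:
        findings = [f for p in sys.argv[1:] for f in scan_lockfile_file(p)]
    else:
        findings = scan_lockfile(SAMPLE_LOCK_V3) + scan_lockfile(SAMPLE_LOCK_V1)
    for path, name, version in findings:
        print(f"INDICATOR {name}@{version} at {path}")
```

Run it as `python scan_lock.py path/to/package-lock.json` across every repository and build image you own. The lockfile tells you what CI will install next; `npm ls axios --all` tells you what is installed now on a given host. Check both, because a host whose lockfile is clean may still have an older node_modules tree that was installed during the exposure window.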
Cisco IMC Authentication Bypass — Healthcare Infrastructure at Risk
High
Sources: Cisco Advisory · The Hacker News · April 2, 2026
Cisco disclosed a critical authentication bypass vulnerability in the Integrated Management Controller (CVE-2026-20093, CVSS 9.8). An unauthenticated remote attacker can send a crafted HTTP request to change any user’s password, including administrator accounts, and thereby take full control of the management controller. Cisco IMC is used for out-of-band server management in hospital data centers and healthcare IT infrastructure. A compromised IMC gives an attacker persistent, out-of-band access beneath the host operating system, where host-based endpoint detection tools cannot see it. Healthcare organizations running Cisco server infrastructure should treat this as an immediate patching priority.
Action Required: Patch all Cisco IMC instances immediately. Scan your management subnets to find IMC interfaces that are missing from inventory — unmanaged controllers are the usual gap. Restrict IMC management interfaces to dedicated management VLANs. Audit IMC access logs for unexpected password changes. Do not expose IMC to the internet under any circumstances.

Physical Security & Operational Impact Indicators (10%) · Sources: Stryker · RSAC 2026 · UMMC · OSINT
RSAC 2026 — Hospital CMIO Shares Real Ransomware Response Lessons
Awareness
Sources: Dark Reading · RSAC 2026 Conference · April 2, 2026
At RSAC 2026, Joseph Izzo, Chief Medical Information Officer at San Joaquin General Hospital, shared firsthand lessons from experiencing a real ransomware attack after having practiced in tabletop exercises. Key insight: operating under real pressure is fundamentally different from training. When systems shut down, hospitals lose patient identity verification (barcode wristbands), electronic medical records (allergies, drug interactions, history), communications with pharmacies and other hospitals, and supply management systems. Staff must be prepared to operate with pen and paper in a digital world. Izzo emphasized that preparation “makes the difference” but organizations must run exercises that include frontline clinical staff, not just IT. He also warned that shadow AI — staff using unapproved AI tools — represents an additional attack vector during and after incidents.
Action Required: Schedule a ransomware tabletop exercise within 30 days that includes frontline nurses, physicians, and pharmacy staff — not just IT. Develop pre-validated paper-based processes for medication administration, patient identification, and lab ordering. Implement two-person verification workflows for high-risk clinical decisions during system outages. Audit for shadow AI tool usage across clinical departments.
Stryker Employee Lawsuits — Workforce Impact and Physical Security
Elevated
Sources: WZZM13 · BleepingComputer · April 2026
At least two lawsuits have been filed against Stryker following the Handala attack, including one from a current employee alleging the company failed to properly protect sensitive personal information. The complaint claims Social Security numbers and financial institution information may have been exposed and could already be circulating among cybercriminals. With 56,000 global employees told to disable their devices, the workforce disruption extended well beyond IT — manufacturing, logistics, customer support, and clinical support operations were all affected. For healthcare organizations that depend on Stryker products for surgical procedures, the supply chain disruption is a physical security concern: delayed equipment deliveries can directly impact patient care timelines.
Action Required: Healthcare organizations dependent on Stryker products should confirm supply chain restoration with their Stryker representatives. Review contingency plans for medical device supply chain disruptions. Brief employees on the risks of personal data exposure following vendor breaches. Ensure cyber insurance policies cover third-party vendor breach impacts on operations.

Active Threat Actor Profiles — Healthcare Sector (10%) · Sources: MITRE ATT&CK · IBM X-Force · CISA · FBI · Google GTIG
Handala Hack Team (MOIS)
Formally attributed to: Iran’s Ministry of Intelligence and Security (MOIS) by DOJ · Also known as: Hatef, Hamsa
Iranian State-Sponsored
Updated profile following Stryker restoration. Handala’s attack on Stryker is now confirmed as the first destructive wiper operation against a U.S. Fortune 500 company in the current conflict. The full attack chain is documented: domain admin compromise → Global Admin account creation → Intune MDM weaponization → mass device wipe. No ransomware, no negotiation, no financial motive. The objective was pure destruction. Handala has conducted at least 131 documented attacks since December 2023 with an accelerating pace in 2026. The group uses a documented two-actor handoff: Scarred Manticore (Storm-0861) provides initial access via long-dwell operations, then Void Manticore (Storm-0842 / Handala) deploys destructive wiper malware. IBM X-Force describes the group as employing “phishing, custom wiper malware, ransomware-style extortion, data theft, and hack-and-leak activity.” Healthcare remains explicitly in Handala’s targeting aperture.
Primary TTPs
Domain Admin Compromise, MDM Weaponization, Destructive Wipes, Data Exfiltration
Target Sectors
Healthcare/MedTech, Defense, Energy, Intelligence Community
Activity Level
Critical · 131+ attacks · Stryker fully resolved
Medusa Ransomware
Believed to operate from Russia · Active since 2021 · Ransomware-as-a-Service model
Cybercriminal / Russian-Linked
Medusa claimed the devastating UMMC attack that shut down Mississippi’s only Level I trauma center for nine days. The group operates a Ransomware-as-a-Service (RaaS) model with double extortion — stealing data before encrypting systems, then threatening to leak it. Medusa has consistently targeted healthcare as a high-pressure sector where downtime creates maximum leverage for ransom payment. The group is known for targeting institutions that cannot afford extended outages — trauma centers, children’s hospitals, and organ transplant programs represent the highest-pressure targets in healthcare. CISA issued a Medusa advisory (AA25-071A) in March 2025 warning of increasing activity.
Primary TTPs
Double Extortion, Data Theft, System Encryption, Leak Site Pressure
Target Sectors
Healthcare, Education, Government, Critical Infrastructure
Activity Level
Active · High-pressure targeting · UMMC claimed
UNC1069 / Sapphire Sleet (DPRK)
Also tracked as: CryptoCore · CageyChameleon · BlueNoroff offshoot · Active since 2018
DPRK State-Sponsored
Cross-sector threat: responsible for the Axios npm supply chain compromise that affects healthcare software dependencies. While UNC1069 is primarily financially motivated and historically focused on cryptocurrency, the Axios attack represents an evolution in targeting scope. Any healthcare organization using JavaScript-based applications that depend on Axios — including patient portals, telehealth platforms, scheduling systems, and EHR integrations — is within the blast radius. The credentials and tokens stolen in this attack are likely to enable follow-on operations across sectors for weeks to months. Healthcare IT teams should not assume this is only a technology sector problem — the supply chain extends into every sector that uses modern web applications.
Primary TTPs
Supply Chain Compromise, Social Engineering, npm Hijacking, RAT Deployment
Target Sectors
Software Supply Chain, Cryptocurrency, All Sectors (indirect via dependencies)
Activity Level
Critical · Active · Follow-on attacks expected

Compliance & Enforcement Updates
OCR Risk Analysis Enforcement Expanding in 2026
Compliance
Sources: HIPAA Journal · HHS OCR · 2026
OCR Director Paula M. Stannard confirmed that the risk analysis enforcement initiative will continue and expand in 2026 to also cover risk management. The HIPAA Right of Access enforcement initiative continues as well. OCR’s proposed HIPAA Security Rule update would require mandatory multifactor authentication for all HIPAA-regulated entities — a direct response to the Change Healthcare breach which occurred through a Citrix portal without MFA. Since 2018, OCR has documented a 100% increase in large data breaches and a 264% increase in large breaches involving ransomware. Healthcare organizations that have not conducted a risk analysis in the past 12 months are at heightened enforcement risk. The proposed MFA mandate, if finalized, will require significant infrastructure investment for organizations still relying on single-factor authentication.
Action Required: Conduct or update your HIPAA Security Rule risk analysis within 30 days if not completed in the past 12 months. Document risk management decisions and remediation timelines. Deploy MFA on all systems accessing PHI — do not wait for the rule to be finalized. Review HIPAA Right of Access policies for compliance with current enforcement priorities. Budget for MFA infrastructure investment as a near-term operational cost.

This Week’s Non-Negotiables
Immediate — This Week
1. Implement CISA/Microsoft Intune hardening guidance — require dual-admin approval for mass wipe operations
2. Audit npm dependencies for axios@1.14.1, axios@0.30.4, plain-crypto-js
3. Patch Cisco IMC against CVE-2026-20093 (CVSS 9.8)
4. Contact CareCloud for breach impact assessment if applicable
5. Confirm Stryker product supply chain restoration with representatives
6. Audit all Global Administrator and domain admin accounts for unauthorized creation
Near-Term — 30 Days
1. Schedule ransomware tabletop exercise including frontline clinical staff
2. Develop paper-based backup processes for medication admin and patient ID
3. Conduct or update HIPAA risk analysis if not done in past 12 months
4. Deploy MFA on all systems accessing PHI
5. Review all third-party EHR vendor BAAs for breach notification requirements
6. Establish regional mutual aid agreements for patient diversion during cyber incidents