Sources: CISA Alert March 18, 2026 · AHA · Industrial Cyber · HIPAA Journal · Computer Weekly
CISA issued a specific alert on March 18 urging all U.S. organizations to harden endpoint management system configurations following the Stryker attack. The attack has been attributed to Handala, a persona linked to Iran’s Ministry of Intelligence and Security (MOIS). Stryker confirmed there was no ransomware or malware involved. Instead, Handala used the built-in wipe command in Microsoft Intune to remotely destroy devices across Stryker’s global network. Handala claims 12 petabytes destroyed across 200,000 devices, including laptops and mobile phones. The attack was purely destructive: no ransom demand, and no negotiation possible. CISA specifically recommends hardening Microsoft Intune with least-privilege admin roles, role-based access control (RBAC), and Privileged Identity Management (PIM) with time-bound access. This applies to any organization using Intune or a similar endpoint management tool, which includes the vast majority of healthcare systems.
Action Required: Implement Microsoft’s Intune security best practices immediately. Apply least privilege to all admin roles, and use scope tags and scoped role assignments so that no single assignment can act on every device in the tenant. Enable PIM for time-bound admin access. Separate admin accounts from standard credentials. Audit who holds wipe and retire rights on your endpoint management platform, and do not stop at Intune RBAC: the Global Administrator and Intune Administrator directory roles carry full Intune rights, and the wipe action is also exposed through the Microsoft Graph API, so an app registration granted DeviceManagementManagedDevices.PrivilegedOperations.All can issue it without anyone opening the console. If a threat actor can reach your Intune tenant with those rights, through the console or the API, they can wipe every device your organization manages. This is not theoretical; it happened to Stryker.
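As an added example (not code from CISA, Microsoft or Stryker, and not part of the original brief), the Python below takes two exports a defender can pull from Microsoft Graph, the Intune audit log (GET /deviceManagement/auditEvents) and the Intune role definitions (GET /deviceManagement/roleDefinitions), and performs the two checks the action items call for: it flags any actor that issues a burst of successful wipe or retire actions inside a short window, and it lists which roles carry wipe/retire rights. Field names follow the Graph schema; the records are constructed for the example, and the resource-action string format (Microsoft.Intune_ManagedDevices_Wipe) and the activityResult value "Success" are assumptions to verify against your own export.

```python
"""Flag bulk wipe/retire activity in Intune audit events and list the RBAC
roles that carry wipe/retire rights.

Added example for this brief; not CISA's, Microsoft's or Stryker's code.
Assumed input: JSON exported from Microsoft Graph
  GET /deviceManagement/auditEvents      (deviceManagementAuditEvent objects)
  GET /deviceManagement/roleDefinitions  (roleDefinition objects)
The records below are constructed. The resource-action string format and the
"Success" result value are assumptions; check them against a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = ("wipe", "retire")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample: a help-desk retire of one device (benign), then an
# automation identity wiping 20 devices in under a minute.
SAMPLE_AUDIT_EVENTS = [
    {"activity": "retire ManagedDevice", "activityDateTime": "2026-03-11T09:00:00Z",
     "activityResult": "Success",
     "actor": {"userPrincipalName": "helpdesk@example.org", "ipAddress": "10.0.0.5"},
     "resources": [{"displayName": "LT-0042", "type": "ManagedDevice"}]},
] + [
    {"activity": "wipe ManagedDevice",
     "activityDateTime": f"2026-03-11T02:14:{i * 3:02d}Z",
     "activityResult": "Success",
     "actor": {"userPrincipalName": "svc-mdm@example.org", "ipAddress": "198.51.100.7"},
     "resources": [{"displayName": f"LT-{1000 + i}", "type": "ManagedDevice"}]}
    for i in range(20)
]


def actor_name(ev):
    a = ev.get("actor", {})
    return a.get("userPrincipalName") or a.get("applicationDisplayName") or "unknown"


def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak count} for actors whose successful wipe/retire
    actions reach `threshold` inside any interval of length `window`."""
    times = defaultdict(list)
    for ev in events:
        verb = ev.get("activity", "").split(" ")[0].lower()
        if verb in DESTRUCTIVE and ev.get("activityResult") == "Success":
            times[actor_name(ev)].append(_ts(ev["activityDateTime"]))
    flagged = {}
    for actor, ts in times.items():
        ts.sort()
        peak, j = 0, 0
        for i, t in enumerate(ts):
            while t - ts[j] > window:      # slide the window start forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


# Constructed role definitions in the Graph roleDefinition shape.
SAMPLE_ROLE_DEFINITIONS = [
    {"displayName": "Help Desk Operator", "isBuiltIn": True,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_ManagedDevices_Read",
         "Microsoft.Intune_ManagedDevices_RemoteLock"]}]}]},
    {"displayName": "Regional Device Admin", "isBuiltIn": False,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
         "Microsoft.Intune_ManagedDevices_Read",
         "Microsoft.Intune_ManagedDevices_Wipe",
         "Microsoft.Intune_ManagedDevices_Retire"]}]}]},
]


def roles_with_wipe_rights(role_definitions):
    """Names of roles whose allowed resource actions end in Wipe or Retire."""
    hits = []
    for role in role_definitions:
        actions = [a for p in role.get("rolePermissions", [])
                   for ra in p.get("resourceActions", [])
                   for a in ra.get("allowedResourceActions", [])]
        if any(a.rsplit("_", 1)[-1].lower() in DESTRUCTIVE for a in actions):
            hits.append(role["displayName"])
    return hits


if __name__ == "__main__":
    print("bulk wipe actors:", find_bulk_wipes(SAMPLE_AUDIT_EVENTS))
    print("roles with wipe/retire:", roles_with_wipe_rights(SAMPLE_ROLE_DEFINITIONS))
```

Two things the script cannot see: Entra directory roles (Global Administrator, Intune Administrator) and app registrations holding DeviceManagementManagedDevices.PrivilegedOperations.All are not in the Intune role list, so enumerate them separately. A legitimate device refresh campaign will also trip the threshold; the right response is to compare the actor against approved change windows, not to raise the threshold until the alert goes quiet.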
Sources: HIPAA Journal · SecurityWeek · CPO Magazine · HackerOne Notification · March 2026
Navia Benefit Solutions disclosed a breach affecting 2,697,540 individuals. An attacker exploited a Broken Object Level Authorization (BOLA) vulnerability to gain silent, read-only access to Navia’s data for 24 days, between December 22, 2025 and January 15, 2026. No malware, no ransomware, no network compromise: an API flaw let an authenticated caller read records belonging to other users simply by supplying their identifiers, and nobody noticed. Exposed data includes Social Security numbers, names, phone numbers, email addresses, dates of birth, and health plan enrollment information. Navia administers FSA, HRA, COBRA, and dependent care benefits for over 10,000 employers. The Washington State Health Care Authority confirmed 27,000 PEBB members and 5,600 SEBB members were affected. HackerOne, itself a cybersecurity company, had 287 employees exposed through Navia as a third-party vendor, highlighting that even security companies are vulnerable through their supply chain.
Action Required: Audit all third-party benefits administrators and vendors that handle employee or patient data. Verify API authorization controls: BOLA (API1 in the OWASP API Security Top 10) is among the most common and most dangerous API flaws, and because every request arrives over a legitimately authenticated session it leaves no malware to find, so detection depends on access-pattern monitoring (unusual read volumes, sequential identifiers) rather than endpoint alerts. If your organization uses Navia, contact them for a specific impact assessment. Review business associate agreements for security requirements and breach notification timelines. Monitor for phishing attempts referencing this breach by name.
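Added example, not Navia’s code and not a description of Navia’s actual API: the vulnerable BOLA pattern beside its hardened form, plus a small heuristic over constructed access-log lines for the quiet enumeration such a flaw allows. The endpoint path /api/participants/{id}, the token and account names, the participant records and the log format are all assumptions made for the example.

```python
"""Broken Object Level Authorization (BOLA): the vulnerable handler beside its
hardened form, and a log heuristic for the quiet record enumeration such a
flaw permits.

Added example for this brief; not Navia's code. Records, tokens, the endpoint
path and the log lines are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed data: participant_id -> record, each owned by one employer account.
PARTICIPANTS = {
    1001: {"account": "acct-A", "name": "A. Example", "ssn_last4": "1234"},
    1002: {"account": "acct-B", "name": "B. Example", "ssn_last4": "5678"},
    1003: {"account": "acct-B", "name": "C. Example", "ssn_last4": "9012"},
}
SESSIONS = {"tok-A": "acct-A", "tok-B": "acct-B"}   # bearer token -> account


def get_participant_vulnerable(token, participant_id):
    """BOLA: the caller is authenticated, but ownership of the requested object
    is never checked, so any valid session can read any participant by ID.
    Returns (http_status, body)."""
    if token not in SESSIONS:
        return 401, None
    rec = PARTICIPANTS.get(participant_id)
    return (200, rec) if rec else (404, None)


def get_participant_hardened(token, participant_id):
    """Authorization is decided on the object: the record must exist AND belong
    to the caller's account. Both failures return 404 so the endpoint cannot
    be used to confirm which IDs exist. Returns (http_status, body)."""
    account = SESSIONS.get(token)
    if account is None:
        return 401, None
    rec = PARTICIPANTS.get(participant_id)
    if rec is None or rec["account"] != account:
        return 404, None
    return 200, rec


# Constructed access log: acct-A reads its own record twice; acct-B walks
# IDs 2000..2049 in order, the signature of a BOLA-driven scrape.
ACCESS_LOG = "\n".join(
    ["2025-12-22T03:00:00Z acct-A GET /api/participants/1001 200",
     "2025-12-22T03:05:00Z acct-A GET /api/participants/1001 200"]
    + [f"2025-12-22T03:10:{i:02d}Z acct-B GET /api/participants/{2000 + i} 200"
       for i in range(50)]
)

_LINE = re.compile(r"^(\S+) (\S+) (\S+) /api/participants/(\d+) (\d+)$")


def enumeration_suspects(log_text, min_distinct=20, min_step_ratio=0.8):
    """Per account, count distinct participant IDs read successfully and the
    fraction of consecutive reads whose ID advances by exactly 1. Accounts over
    both thresholds are returned as {account: distinct_ids}."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(5) == "200":
            reads[m.group(2)].append(int(m.group(4)))
    flagged = {}
    for account, ids in reads.items():
        distinct = len(set(ids))
        if distinct < min_distinct or len(ids) < 2:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if steps / (len(ids) - 1) >= min_step_ratio:
            flagged[account] = distinct
    return flagged


if __name__ == "__main__":
    print("vulnerable, tok-A reading 1002:", get_participant_vulnerable("tok-A", 1002))
    print("hardened,   tok-A reading 1002:", get_participant_hardened("tok-A", 1002))
    print("enumeration suspects:", enumeration_suspects(ACCESS_LOG))
```

The hardened handler returns 404 for both a missing record and another account’s record; answering 403 for the latter would still confirm that the ID exists. In a real code base the ownership condition belongs in the data access layer (query by id AND account) so no handler can forget it. The enumeration heuristic is deliberately crude: sequential IDs are the giveaway here, and non-guessable object identifiers raise the cost of a scrape, but they do not replace the authorization check.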
Sources: FBI/CISA/HHS/MS-ISAC Joint Advisory AA25-163A · BleepingComputer · TechNadu · March 2026
Interlock ransomware group hit Goodwill on March 27 and had been exploiting a critical Cisco firewall vulnerability (CVE-2026-20131) as a zero-day for 36 days before a patch existed. Interlock specifically targets healthcare facilities, where operational disruption creates maximum pressure to pay. The group uses double extortion, encrypting systems and threatening to publish stolen data. An earlier joint advisory from FBI, CISA, HHS, and MS-ISAC identified Interlock’s exploitation of SimpleHelp RMM software as a primary attack vector in healthcare environments. Any healthcare organization running Cisco firewalls or SimpleHelp RMM should treat this as an immediate priority.
Action Required: Patch Cisco firewalls against CVE-2026-20131 immediately, and because the flaw was exploited for 36 days before a fix existed, do not assume patching alone is enough: review those devices for signs of prior compromise (unexpected admin accounts, configuration changes, unexplained outbound connections) before trusting them again. Audit all SimpleHelp RMM installations and ensure they are patched, MFA-protected, and reachable only from the networks that need them. Review CISA Advisory AA25-163A for Interlock-specific IOCs and detection signatures. Verify backups are air-gapped or immutable and tested. Ensure incident response plans account for double extortion scenarios where data is both encrypted and exfiltrated.
Sources: IBM X-Force 2026 · SiliconANGLE · SecurityWeek · PwC Annual Threat Dynamics 2026
Identity-based attacks are now the dominant threat vector across all sectors, and healthcare is uniquely exposed. Infostealer malware, LummaC2 in particular, surged 72% in underground marketplace listings; it harvests browser-stored passwords, session cookies, and authentication tokens, and a stolen session cookie lets the buyer skip the login and MFA step entirely. Healthcare’s reliance on shared credentials, legacy authentication systems, and third-party vendor access creates a massive identity attack surface. ShinyHunters is conducting voice phishing campaigns targeting Okta and Microsoft SSO environments, tools widely deployed in healthcare. The Crunchyroll breach came through an Okta SSO account. The Infinite Campus breach came through Salesforce. MFA bypass techniques, including MFA fatigue (push bombing), SIM swapping against SMS and voice one-time codes, and adversary-in-the-middle phishing proxies, continue to evolve faster than most healthcare organizations can adapt.
Action Required: Deploy phishing-resistant MFA (FIDO2/WebAuthn) on all clinical and administrative systems. It defeats MFA fatigue, SIM swapping and adversary-in-the-middle credential phishing, but it does not protect a session token an infostealer lifts from the browser after sign-in, so pair it with short session lifetimes, revocation of refresh tokens when a compromise is suspected, and session monitoring for anomalous access patterns (a session that moves to a new IP address and browser mid-life, a burst of MFA prompts followed by an approval). Audit all SSO and OAuth configurations, including which third-party applications hold consented OAuth grants. Train all staff, clinical and administrative, on voice phishing tactics, and give the help desk a verification procedure for MFA resets that a caller cannot talk around. Review vendor access controls and ensure third-party accounts follow least-privilege principles.
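Added example, not IBM’s, Okta’s or Microsoft’s code and not part of the original brief: two detections for the patterns this section describes, an MFA-fatigue push-bombing sequence and a session token used from a client other than the one that signed in (the post-infostealer or adversary-in-the-middle replay case). The event schema (time, type, user, session, ip, ua, result) is an assumption standing in for an SSO provider’s sign-in and activity logs, and the events are constructed for the example.

```python
"""Two detections for the identity-attack patterns in this section: MFA-fatigue
push bombing, and a session token used from a client other than the one that
signed in (post-infostealer or adversary-in-the-middle replay).

Added example for this brief; not IBM's, Okta's or Microsoft's code. The
event schema is an assumption standing in for an SSO provider's sign-in and
activity logs; the events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


WIN_EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/123"
LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/123"

# Constructed events: seven push prompts to one nurse over seven minutes, six
# denied and the seventh approved; then a clinician's session that signed in
# from the hospital egress IP and is later used from an unrelated IP and browser.
SAMPLE_EVENTS = [
    {"time": f"2026-03-20T02:1{i}:00Z", "type": "mfa_push",
     "user": "rn.jones@example-health.org", "ip": "203.0.113.9", "ua": WIN_EDGE,
     "result": "denied" if i < 6 else "approved"}
    for i in range(7)
] + [
    {"time": "2026-03-20T08:00:00Z", "type": "signin", "session": "s-7f3a",
     "user": "dr.lee@example-health.org", "ip": "198.51.100.20", "ua": WIN_EDGE,
     "result": "success"},
    {"time": "2026-03-20T08:20:00Z", "type": "activity", "session": "s-7f3a",
     "user": "dr.lee@example-health.org", "ip": "198.51.100.20", "ua": WIN_EDGE,
     "result": "success"},
    {"time": "2026-03-20T09:02:00Z", "type": "activity", "session": "s-7f3a",
     "user": "dr.lee@example-health.org", "ip": "203.0.113.77", "ua": LINUX_CHROME,
     "result": "success"},
]


def mfa_fatigue_suspects(events, min_denials=3, window=timedelta(minutes=10)):
    """Users who approved a push after at least `min_denials` consecutive
    non-approved prompts (denied or expired) inside `window`.
    Returns {user: denials_before_approval}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "mfa_push":
            by_user[ev["user"]].append((_ts(ev["time"]), ev["result"]))
    flagged = {}
    for user, prompts in by_user.items():
        prompts.sort()
        streak = []                    # timestamps of the current non-approved run
        for t, result in prompts:
            if result != "approved":
                streak.append(t)
                continue
            if len(streak) >= min_denials and t - streak[0] <= window:
                flagged[user] = len(streak)
            streak = []
    return flagged


def session_reuse_suspects(events):
    """Sessions later used from an (ip, user-agent) pair other than the one that
    signed in. Returns [(session, user, signed_in_from, later_used_from)]."""
    origin, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev.get("session")
        if sid is None:
            continue
        client = (ev["ip"], ev["ua"])
        if ev["type"] == "signin":
            origin[sid] = client
        elif sid in origin and client != origin[sid]:
            hits.append((sid, ev["user"], origin[sid], client))
    return hits


if __name__ == "__main__":
    print("MFA fatigue:", mfa_fatigue_suspects(SAMPLE_EVENTS))
    for sid, user, src, dst in session_reuse_suspects(SAMPLE_EVENTS):
        print(f"session {sid} for {user} signed in from {src} but used from {dst}")
```

The session check keys on the IP and user-agent pair together because an IP change alone is routine for clinicians on mobile networks; a user-agent change mid-session is rarer and, combined with a new IP, is the shape a replayed cookie takes. Neither detection prevents anything by itself: the response to a hit is to revoke the session and the user’s refresh tokens, then confirm with the person out of band.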
Sources: FBI/CISA/MS-ISAC Joint Advisory · FBI/CISA/DC3/HHS Joint Advisory · HIPAA Journal
Medusa and Akira ransomware groups continue to actively target healthcare. Medusa has compromised over 300 victims using double and triple extortion: encrypting data, threatening publication, and demanding additional payment. Akira primarily targets small and mid-size healthcare organizations, exploiting unpatched VPNs and remote access tools. The University of Mississippi Medical Center closed 35 clinics following a February 2026 ransomware attack that took its Epic EHR offline for over a week. Covenant Health had 478,188 patients exposed by the Qilin ransomware group. In January 2026 alone, 46 large healthcare data breaches affected over 1.4 million patients. Healthcare organizations must be prepared to deliver safe care for 30 days or longer without connected technology during a ransomware incident.
Action Required: Verify all backups are air-gapped or immutable, encrypted, and regularly tested for restoration, including a timed full restore of the EHR rather than file-level spot checks. Patch all VPN and remote access infrastructure, and decommission any remote access path that cannot enforce MFA. Develop and test a 30-day clinical continuity plan for operating without connected technology. Review Medusa and Akira IOCs from the latest joint advisories. Ensure cyber insurance coverage reflects current ransomware costs; the average healthcare breach now exceeds $10 million.
Sources: HHS Office for Civil Rights · HIPAA Journal · Nebraska AG Lawsuit
HHS Office for Civil Rights continues pursuing a major update to the HIPAA Security Rule that would require multifactor authentication across all regulated entities. The Change Healthcare breach, which compromised 190 million Americans through a Citrix portal without MFA, remains the direct catalyst. OCR enforcement focus is intensifying in 2026. The Nebraska AG lawsuit against Change Healthcare is proceeding, alleging failures including legacy systems and poor network segmentation. Since 2018, OCR has documented a 100% increase in large data breaches and a 264% increase in ransomware-related breaches. The Navia breach this week adds further urgency: third-party vendor vulnerabilities are now a central enforcement concern.
Action Required: Implement MFA on all systems now; do not wait for the final rule, and start with every internet-facing remote access portal, the exact gap that exposed Change Healthcare. Audit network segmentation between clinical and administrative environments. Update your HIPAA risk assessment to reflect the current threat landscape, including third-party vendor risk. Engage legal counsel on potential Change Healthcare breach exposure. Document all security improvements for future compliance defense.
Sources: Stryker Corporate Updates · AHA · CISA Alert March 18 · Computer Weekly
The Stryker attack caused severe global disruptions to order processing, product manufacturing, and customer shipments. Stryker produces surgical equipment, medical devices, and hospital infrastructure used across thousands of healthcare facilities. While Stryker has confirmed no ransomware was involved, the destructive wipe of 200,000 devices has cascading supply chain effects that healthcare organizations should plan for. Equipment orders may be delayed. Software updates for Stryker devices may be disrupted. Any hospital relying on Stryker for critical surgical or operational equipment should have contingency plans in place. The American Hospital Association is actively monitoring for downstream effects.
Action Required: Audit your Stryker equipment and software dependencies. Contact your Stryker representatives for updated delivery and support timelines. Identify critical procedures that rely on Stryker equipment and establish alternate supplier contingency plans. Brief clinical operations leadership on potential continued supply chain disruption.
Sources: Flashpoint 2026 GTIR · IBM X-Force 2026 · AHA · HIPAA Journal
Over 80% of stolen healthcare records in recent years were not stolen from hospitals — they were stolen from third-party vendors, business associates, and non-hospital providers. The Navia breach (2.7M), the TriZetto/Cognizant breach (3.4M), and the Conduent breach (25M Americans) all came through third-party service providers that healthcare organizations trusted with sensitive data. The insider threat dimension is also growing — Flashpoint documented 91,321 instances of insider recruiting activity in 2025, with ransomware groups specifically targeting healthcare employees via Telegram and Signal. The human entry point — whether through a vendor, a contractor, or a recruited insider — is often cheaper and more reliable than technical exploitation.
Action Required: Conduct a comprehensive third-party vendor risk assessment. Verify all business associate agreements include specific security requirements and breach notification timelines. Audit API access controls for all vendor integrations. Brief all staff on insider recruitment tactics — especially employees with EHR, billing, and administrative access. Establish a confidential insider threat reporting mechanism.
Handala
The most dangerous actor currently targeting healthcare supply chains. Conducted the destructive Stryker attack on March 11, wiping 200,000 devices using the company’s own Intune endpoint management tool. Claims 12 petabytes of data destroyed and 50 TB exfiltrated. This week also breached FBI Director Kash Patel’s personal email and claimed an intrusion at Lockheed Martin. Not financially motivated; operations are explicitly retaliatory for the U.S.-Israel war against Iran. Negotiation and ransom payment are not response options. The State Department is offering $10 million for identification of group members. Healthcare is a proven target for Handala: medical technology and supply chain disruption serve its strategic objective of inflicting maximum harm.
Primary TTPs: Destructive Wipes, Endpoint Management Abuse, Data Exfil
Target Sectors: Medical Technology, Healthcare Supply Chain, Defense
Activity Level: Critical · Rapidly Escalating
Interlock
Aggressively targeting healthcare facilities using double extortion. FBI, CISA, HHS, and MS-ISAC issued a joint advisory (AA25-163A) disseminating Interlock IOCs and TTPs. The group exploits unpatched remote monitoring and management software, particularly SimpleHelp RMM, which is widely deployed in healthcare IT. Now confirmed to have exploited a Cisco firewall zero-day (CVE-2026-20131) for 36 days before a patch existed. Hit Goodwill on March 27. Interlock targets healthcare specifically because operational disruption creates maximum pressure to pay and patient data commands a premium on dark markets.
Primary TTPs: Cisco Zero-Day, SimpleHelp RMM, Double Extortion
Target Sectors: Healthcare, Critical Infrastructure, Nonprofits
Activity Level: Active · Escalating · Zero-Day Use
Medusa
Active since 2021. Operates as ransomware-as-a-service with centralized ransom negotiation. Over 300 confirmed victims across critical infrastructure, including healthcare. Uses double and triple extortion: encrypt, threaten to publish, then demand an additional ransom. Specifically targets unpatched internet-facing systems. Healthcare’s legacy infrastructure and low MFA adoption make it a priority target. FBI/CISA joint advisory issued in 2026.
Primary TTPs: Unpatched CVE Exploitation, Triple Extortion
Target Sectors: Healthcare, Finance, Critical Infrastructure
Activity Level: Active · Expanding
ShinyHunters
One of 2026’s most prolific actors. This week breached the European Commission via AWS. Conducts voice phishing campaigns targeting Okta and Microsoft SSO environments used across healthcare. Also responsible for the TELUS Digital breach (1 PB, including FBI background-check data), Crunchyroll (6.8M users via an Okta SSO account), and Infinite Campus (11M student records via Salesforce). Healthcare organizations using cloud-based SSO and SaaS platforms are directly within ShinyHunters’ operational scope.
Primary TTPs: Voice Phishing, SSO/OAuth Abuse, Cloud Exploitation
Target Sectors: Government, Healthcare (via SSO/SaaS), Technology
Activity Level: Active · High Volume · Expanding