The medical technology company said the attack hit its Microsoft environment and left the timing of a full recovery unclear.
PORTAGE, MI — Stryker said Wednesday that a cyberattack disrupted parts of its global computer network, limiting access to some business systems and forcing the medical technology company to begin restoring operations while an Iran-linked hacker group claimed responsibility.
The disruption matters because Stryker is one of the world’s largest makers of medical devices, selling implants, surgical technology and hospital equipment to healthcare providers around the globe. The company said it had activated its cyber response plan, brought in outside advisers and kept business continuity measures in place, but it also warned in a securities filing that the full operational and financial impact was not yet known and that the timetable for a full restoration remained uncertain.
Stryker said it identified the incident on March 11 and found that certain information technology systems had been affected in what it described as a global disruption to its Microsoft environment. The Portage, Michigan, company said it moved quickly to investigate and contain the threat, and told customers in a public statement that it had “no indication” of ransomware or malware. In its filing, Stryker said the attack had already caused disruptions and limits on access to some information systems and business applications tied to operations and corporate functions. News reports Wednesday also said employees were told to stay off company devices and disconnect from internal networks as the company worked through the outage. By late in the day, Stryker said the investigation was still ongoing and that key questions about the incident’s nature, scope and longer-term effects had not yet been answered.
The group claiming responsibility called itself Handala, a name that has surfaced in previous cyber incidents tied by outside researchers to Iran. Reuters reported that Handala posted messages on Telegram claiming it carried out the attack, while social media posts from staff and contractors appeared to show the group’s logo on company login pages. Reuters said it could not verify those posts independently. Stryker itself did not publicly assign blame and did not name the attackers in either its customer message or its filing with the Securities and Exchange Commission. Cybersecurity researchers, however, described Handala as a significant actor. Sergey Shykevich of Check Point Research said the incident marked an escalation in target choice because of the company’s role in healthcare supply chains. Palo Alto Networks’ Unit 42 has previously linked Handala to a broader Iranian intelligence-linked threat ecosystem. Even so, some of the most dramatic claims circulating online, including assertions about the amount of data taken or the number of systems damaged, remained unconfirmed as of Wednesday night.
The attack landed on a company with a wide global footprint and a central role in hospital operations. Stryker says it has about 56,000 employees and operations in 61 countries, and reported $25.1 billion in 2025 revenue. Its products range from artificial joints and surgical robots to hospital beds and other equipment used every day in patient care. That scale helps explain why the incident drew immediate attention beyond the company itself. Researchers and industry outlets said a disruption at a major medtech supplier can ripple through manufacturing, support, logistics and customer service even when patient-facing systems are not directly targeted. Stryker has said it put continuity measures in place to keep supporting customers and partners, but it has not yet publicly detailed which internal functions were slowed, what workarounds were being used, or whether any customer, employee or partner data was accessed. Those unanswered questions are likely to shape the next phase of the company’s response.
The cyberattack also unfolded during a period of rising concern in Washington and among private-sector security firms about possible Iranian retaliation in cyberspace. Reuters reported that the White House was monitoring cyber threats as tensions widened in the Middle East. Researchers cited in news reports said pro-Iran or Iran-linked groups had become more active in recent weeks and that Stryker appeared to be the most prominent U.S. corporate target publicly linked to that campaign so far. The company’s filing stopped short of calling the incident material, saying it had not yet determined whether the attack was reasonably likely to have a material impact. That leaves several procedural steps ahead. Stryker said restoration work was ongoing, and future updates could come through additional company statements, further securities filings or comments to customers and investors. If investigators find evidence of data theft, destructive wiping or substantial business interruption, that could widen the legal, regulatory and financial consequences in the weeks ahead.
At Stryker’s headquarters and other sites, the disruption showed up in ordinary but jarring ways. Reuters reported that calls to the company’s main office in Portage were met with a recording referring to a building emergency. Media reports from Michigan and abroad described workers being sent home or told not to use company-issued devices while technicians and outside experts tried to stabilize systems. Stryker said in its public statement that “our teams are working rapidly” to understand the effect on its systems, and that line captured the tone of a company still in the middle of the event rather than at the end of it. For now, the clearest picture is a partial one: a global medtech company hit by a disruptive cyber incident, an Iran-linked group publicly taking credit, and investigators still sorting out what happened, how far it spread and whether the fallout will extend beyond temporary operational disruption.
Stryker said Wednesday night that the incident was believed contained, but it also said the investigation was continuing and the date for full restoration was still unknown. The next milestone is likely to be the company’s next formal update on system recovery, operational effects or any confirmed findings about who was behind the attack.
Author note: Last updated March 12, 2026.