Abbott Laboratories Investigating Two Major Cybersecurity Incidents, Including Alleged Data Theft by ShinyHunters and Breach of LabCentral Portal

Abbott Laboratories is currently embroiled in the investigation of two significant and distinct cybersecurity incidents. The healthcare giant confirmed unauthorized access to internal legacy Exact Sciences systems within its Cancer Diagnostics business, an incident that has drawn the attention of the notorious extortion group ShinyHunters. Simultaneously, Abbott is probing a separate claim of a breach impacting its LabCentral portal, where threat actors allege the exfiltration of company data. These events raise critical questions about the security posture of a leading medical technology company and the persistent threats posed by sophisticated cybercriminal organizations.
The first incident, linked to the ShinyHunters group, came to light after the gang added Abbott to its data leak site. Initially, ShinyHunters issued a threat to publish allegedly stolen data by July 18, later extending the deadline to July 21, demanding negotiation. Abbott, when approached by BleepingComputer, directed inquiries to a statement published on its corporate website, confirming the cybersecurity event.
The ShinyHunters Threat and Abbott’s Response
In its official statement, Abbott acknowledged the cyber incident, stating, "Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only." Crucially, the company sought to reassure stakeholders by adding, "This does not impact any business operations, product or product availability, manufacturing or lab operations, or our ability to serve patients." Abbott emphasized that the incident was confined to legacy Exact Sciences systems, which are distinct from Abbott’s core infrastructure, and that no other Abbott businesses or systems were affected.
Following the discovery of the incident, Abbott stated it promptly activated its incident response protocols, engaged external cybersecurity experts, and notified relevant law enforcement agencies. The company further projected that the incident would not have a material impact on its business or financial performance.

ShinyHunters has provided a narrative suggesting the breach was initiated in mid-June through a "vishing" (voice phishing) attack targeting several Abbott employees. According to the threat actor, this attack enabled them to compromise a Microsoft Entra single sign-on (SSO) account, thereby gaining access to internal systems. This modus operandi aligns with ShinyHunters’ broader campaign strategy, which has, since last year, focused on social engineering attacks targeting employee SSO accounts with platforms like Microsoft Entra, Okta, and Google. Such breaches often lead to the theft of data from various connected Software-as-a-Service (SaaS) applications, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox, among others.
The extortion group has demonstrably escalated its targeting of the medical technology sector, with previous attacks noted against companies such as Medtronic, OneMedical, and AdaptHealth. Furthermore, BleepingComputer has attributed the iRhythm data breach to ShinyHunters and reported their involvement in targeting Stryker shortly after the latter recovered from a destructive data-wiping attack originating from Iran.
Regarding the scope of the alleged data exfiltration, ShinyHunters claimed to have extracted data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa. This purportedly includes internal documents, contracts, and customer information. The threat actor’s most alarming claim involves the theft of over 30 million rows of personally identifiable information (PII) from multiple datasets. This PII allegedly includes names, email addresses, phone numbers, physical addresses, dates of birth, and critically, over one million Social Security numbers. The group also asserted the theft of more than 22 million client notes containing doctor-patient conversations, over 20 million medical orders, and various customer agreements and non-disclosure agreements (NDAs). BleepingComputer has stated that these claims have not been independently verified by their publication.
Timeline of the ShinyHunters Incident (Alleged)
- Mid-June 2026: Threat actor ShinyHunters allegedly initiates a vishing attack targeting Abbott employees, compromising a Microsoft Entra SSO account.
- Post-Mid-June 2026: Unauthorized access to internal legacy Exact Sciences systems within Abbott’s Cancer Diagnostics business is gained.
- Early July 2026: ShinyHunters adds Abbott to its data leak site, demanding negotiation.
- July 18, 2026: Initial deadline set by ShinyHunters for data publication.
- July 18-21, 2026: Deadline extended by ShinyHunters.
- Unknown Date: Abbott discovers the unauthorized access and initiates its incident response.
- July 2026 (Specific date unconfirmed): Abbott confirms the cyber incident to BleepingComputer and issues a public statement.
The LabCentral Portal Breach: A Separate Threat Actor
Adding to Abbott’s cybersecurity challenges, a second incident involves a different threat actor, known as ShadowByt3$, who contacted BleepingComputer with claims of breaching Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal. ShadowByt3$ alleges that the breach was facilitated by exploiting compromised customer credentials and identifying a "weak point" within the portal’s environment.
The threat actor claims to have gained access on July 4, 2026, and subsequently exfiltrated files by targeting API endpoints over a period. The data purportedly stolen includes CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files, and other product documentation pertinent to Abbott’s laboratory diagnostic systems. ShadowByt3$ explicitly stated that no customer data was compromised, but emphasized the acquisition of sensitive business documents and intellectual property. To substantiate their claims, the group provided BleepingComputer with screenshots and a file listing.

Abbott has acknowledged awareness of this "potential" cyber incident but has contested the threat actor’s characterization of the stolen data. The company asserts that all data residing within the affected environment is publicly available and not considered sensitive.
An Abbott spokesperson clarified to BleepingComputer, "LabCentral is an externally facing third-party hosted portal used by Abbott’s core laboratory diagnostics business. It houses publicly available technical product reference documents, including operating manuals, troubleshooting checklists and product specifications, and does not contain proprietary/sensitive customer or business information."
As of the latest reports, neither ShinyHunters nor ShadowByt3$ has publicly released any data they claim to have obtained from Abbott.
Broader Implications for the Healthcare Sector
The twin cybersecurity incidents at Abbott Laboratories underscore the escalating and multifaceted threats facing the healthcare and medical technology industries. These sectors are particularly attractive targets for cybercriminals due to the sensitive nature of the data they hold, including patient health information (PHI), proprietary research, and critical operational data.
The alleged theft of over a million Social Security numbers and extensive patient-related information by ShinyHunters, if confirmed, would represent a significant breach with profound implications for individuals whose data was compromised. The potential for identity theft, financial fraud, and further targeted attacks is substantial. For Abbott, such a breach could lead to regulatory penalties, reputational damage, and costly remediation efforts. The fact that the attackers exploited legacy systems and SSO vulnerabilities highlights a common challenge in large organizations: maintaining robust security across a complex and often disparate IT infrastructure.

The second incident, involving the LabCentral portal, while Abbott claims the data is public, still points to a breach of intellectual property and operational documents. This can impact competitive advantage, product development timelines, and regulatory compliance. The exploitation of customer credentials, even for accessing seemingly public information, raises questions about access controls and third-party vendor security, especially if the portal is hosted externally.
The increasing frequency of attacks by groups like ShinyHunters on medtech companies is a worrying trend. These organizations are not just opportunistic; they appear to be strategically targeting sectors that are critical to public health and possess valuable data. The sophistication of their methods, including social engineering and the exploitation of SSO systems, requires a proactive and multi-layered security approach from organizations.
Industry-Wide Challenges and Future Outlook
The Abbott incidents serve as a stark reminder of the ongoing cybersecurity challenges faced by the healthcare ecosystem. Regulatory bodies, such as the U.S. Department of Health and Human Services (HHS) and the European Medicines Agency (EMA), are continuously updating guidelines and enforcement actions to strengthen data protection. However, the rapid evolution of cyber threats often outpaces defensive measures.
For companies like Abbott, and the broader healthcare industry, a comprehensive strategy involving regular vulnerability assessments, penetration testing, employee training on phishing and social engineering, robust access management, and the implementation of advanced threat detection and response capabilities is paramount. The incident also highlights the importance of segmenting networks and systems, especially isolating legacy systems, to contain the impact of potential breaches.
The prolonged nature of these investigations and the potential for data to be leaked or sold on the dark web means that the full impact of these incidents may not be immediately apparent. The industry will be watching closely for further developments and for Abbott’s comprehensive response to mitigate the fallout from these two significant cybersecurity events. The focus will remain on ensuring patient safety, protecting sensitive information, and bolstering defenses against future attacks.







