Threat Feed

Threat Report 174

Written by Craig Pepper | May 5, 2026 9:14:59 AM

In this week's threat report: Medtronic has confirmed that an unauthorised party accessed data in its corporate IT systems, with the investigation still ongoing. Alongside that, there are critical patches needed for MOVEit Automation, an actively exploited Linux kernel flaw that can hand attackers full root access, a large-scale phishing campaign designed to bypass MFA, and the UK government's latest cyber breach survey, which shows 43 per cent of UK businesses were hit by a cyber incident last year.

Full details below...

Medtronic Confirms Unauthorised Access to Corporate IT Systems

Medtronic, one of the world's largest medical device manufacturers, has confirmed that an unauthorised party accessed data held in certain Medtronic corporate IT systems. The company published an official statement on 24 April 2026, setting out what it knows so far.

Medtronic says it has found no evidence of impact to its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems. The company states that its corporate IT networks, its product networks, and its manufacturing and distribution systems are kept separate, and that hospital customer networks are managed independently by the NHS and other healthcare customers.

Upon discovering the breach, Medtronic says it took immediate steps to contain the incident, activated its incident response protocols, and engaged external cybersecurity experts to investigate. The company is currently working to identify what personal data may have been accessed and says it will notify affected individuals and provide support services as needed. The investigation is ongoing, and further updates are expected.

Medtronic is one of the most significant medical device suppliers in the world, and has deep relationships with NHS trusts across the UK. Its products include cardiac devices, insulin pumps, surgical robotics, and a wide range of monitoring and diagnostic equipment. Medtronic also employs thousands of people in the UK and holds contracts with NHS procurement bodies, ICBs, and individual trusts.

Although Medtronic states that product systems and hospital networks are separate from the compromised corporate IT environment, the breach still carries meaningful risk for NHS organisations and NHS suppliers. Corporate IT systems typically hold a wide range of data, including employee records, commercial and procurement contracts, customer contact information, supplier details, and correspondence. Any of this could be of value to attackers, particularly if it reveals information about NHS infrastructure, procurement timelines, or staff with privileged access to healthcare systems.

For NHS organisations that use Medtronic devices or services, the key immediate question is whether any data shared with Medtronic, such as customer contact details, procurement information, or data relating to device users, may have been in scope. This is also a reminder of how third-party supplier breaches can create exposure for NHS organisations even when the attacker has not directly targeted the NHS itself. Organisations subject to the DSPT should consider whether this incident triggers any review of their third-party risk assessments or data sharing arrangements with Medtronic.

Recommendations

  • If your organisation shares data with Medtronic, including contact details, procurement information, or clinical device data, review what was shared and consider whether it may be in scope of the breach.
  • Monitor communications from Medtronic for official notification letters or updates, and ensure these reach the right person in your organisation (typically the Data Protection Officer or Information Governance lead).
  • Review your third-party risk assessment for Medtronic and consider whether any additional assurance is needed given the incident.
  • Ensure that privileged accounts or credentials used in any Medtronic-integrated systems are reviewed and rotated if there is any reason to believe they could have been exposed.
  • If your organisation has a duty to report under the UK GDPR and you receive confirmation that personal data was compromised, ensure you understand your own notification obligations to the ICO and affected individuals.
  • Watch for any follow-up phishing or social engineering attempts that use the Medtronic breach as a pretext; attackers sometimes exploit high-profile incidents to send convincing impersonation emails.

Critical Authentication Bypass in MOVEit Automation

Progress Software has released emergency updates for MOVEit Automation, its server-based managed file transfer platform, to fix two serious vulnerabilities. The most serious, CVE-2026-4670, has a severity score of 9.8 out of 10. It allows an attacker to bypass the login process completely and gain access to the system without any valid credentials. The second flaw, CVE-2026-5174, allows an attacker to escalate their privileges once inside. Together, these two vulnerabilities could allow an unauthorised person to take full control of a MOVEit Automation server.

The affected versions are MOVEit Automation 2025.1.4 and earlier, 2025.0.8 and earlier, and 2024.1.7 and earlier. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Progress says there is no evidence of exploitation in the wild at this time.

MOVEit has a significant history with the NHS and UK healthcare. In 2023, a critical flaw in MOVEit Transfer was exploited at scale by the Cl0p ransomware group, affecting organisations across the UK, including NHS-linked suppliers. MOVEit Automation is a separate but related product, used by many organisations to automate file transfers between internal systems and third parties, including clinical data exchanges, payroll systems, and supplier integrations.

An authentication bypass of this severity means that anyone who can reach the MOVEit Automation server over the network could potentially access files being transferred, disrupt automated workflows, or use the server as a stepping stone into the wider network. For organisations in the scope of the Data Security and Protection Toolkit (DSPT), any compromise of a file transfer platform that touches patient or personal data could trigger a reportable data breach. Given the history of MOVEit being targeted, patching must be treated as urgent.

Recommendations

  • Check whether your organisation uses MOVEit Automation and confirm the exact version in use.
  • Apply the security update immediately by upgrading to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8, as appropriate for the branch you run.
  • If you cannot patch immediately, restrict access to the MOVEit Automation management interface so it is not reachable from untrusted network segments or the open internet.
  • Review recent MOVEit Automation logs for any unexpected access, file transfers, or configuration changes.
  • If a third-party supplier manages MOVEit on your behalf, ask them for written confirmation of patching status without delay.
  • Review whether any sensitive data flows through your MOVEit Automation instance and ensure those flows are appropriately monitored.
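The first two recommendations reduce to a version check across every host that runs the product, and that check is easy to get wrong when versions are compared as strings. The script below is an added example, not Progress Software's tooling: it parses each version numerically, works out which release branch it belongs to, and compares it with the fixed release for that branch as stated in this report. The hostnames and versions are constructed, and the rule that a branch not mentioned in the advisory is marked for manual review rather than assumed safe is this example's choice.

```python
"""Triage MOVEit Automation version strings against the fixed releases named in
the report (2025.1.5, 2025.0.9, 2024.1.8).

Added example, not Progress Software's tooling. The inventory below is constructed
sample input; in practice it comes from your asset register or the product itself."""
from __future__ import annotations

# Branch (major, minor) -> first fixed version on that branch, from the report text.
FIXED_VERSIONS = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2025.1.4' into (2025, 1, 4) so comparisons are numeric.
    A plain string comparison would wrongly rank '2025.1.10' below '2025.1.9'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Automation version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def triage(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for one version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # A branch the advisory does not list: do not assume it is safe.
        return "review"
    return "patched" if v >= fixed else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by triage result so the 'vulnerable' list can go
    straight to whoever owns patching (or to the supplier, for written confirmation)."""
    results: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for host, version in inventory.items():
        results[triage(version)].append(host)
    for hosts in results.values():
        hosts.sort()
    return results


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2025.1.4",
    "mft-prod-02": "2025.1.5",
    "mft-dr-01": "2025.0.8",
    "mft-legacy": "2024.1.8",
    "mft-test": "2024.1.10",  # later than the fix on its branch, so patched
    "mft-old": "2023.1.3",    # branch not covered by the advisory
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the real inventory from your CMDB or from the supplier's patching confirmation; anything in the "review" bucket still needs a human decision rather than being quietly dropped.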

Linux "Copy Fail" Vulnerability Now Being Actively Exploited — CISA Issues Alert

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, nicknamed "Copy Fail," to its Known Exploited Vulnerabilities catalogue, confirming it is being actively exploited in the real world. The flaw is a logic bug in the Linux kernel's page cache, the part of the operating system that holds copies of files and executables in memory. By manipulating this, an attacker who already has a low-privileged (non-root) account on a Linux system can escalate their access to full root (administrator) level in a matter of seconds.

The vulnerability affects Linux distributions shipped since 2017, meaning a very large number of servers are potentially at risk. A working proof-of-concept exploit is publicly available. CISA has directed US federal government agencies to apply patches by 15 May 2026.

Researchers have also confirmed that the flaw can be used to break out of containers, the lightweight, isolated environments used to run cloud applications and services. This makes it particularly dangerous in containerised cloud environments, since an attacker inside one container could potentially gain control of the underlying physical server and any other workloads running on it. Notably, the exploit uses only standard system calls, which makes it hard to detect with many traditional security monitoring tools.

Linux underpins a huge amount of UK healthcare and NHS supplier infrastructure. It runs cloud platforms, electronic patient record back-ends, clinical integration engines, medical device firmware, and containers used by digital health services. It is also used extensively by managed service providers that support NHS organisations.

A vulnerability that allows a low-privilege attacker to gain full root access and that can break container isolation represents a very serious risk across all of these environments. Attackers could use root access to install persistent malware, steal credentials, exfiltrate data, disable logging, or move laterally across the broader environment. The fact that exploitation is already happening and that a ready-made exploit is publicly available makes this an urgent operational issue, not just a theoretical risk.

Recommendations

  • Ask your IT team or managed service provider to confirm which Linux servers and container hosts in your environment are running kernel versions not yet patched against CVE-2026-31431.
  • Apply available kernel patches as a priority across all affected systems, paying particular attention to internet-facing servers, cloud instances, and container orchestration platforms.
  • Review your container security posture and ensure container runtimes and orchestration platforms (such as Kubernetes) are fully updated.
  • Enable monitoring for unusual privilege escalation activity on Linux hosts, and check that logging is not being suppressed or disabled.
  • Ensure that backup and recovery systems for critical Linux infrastructure are tested and up to date.
  • If you use a cloud provider or managed hosting service, check whether they have applied relevant kernel patches to shared infrastructure.
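Because the exploit uses only ordinary system calls, there is no single signature to look for; what can be monitored is the outcome, a logged-in user's process running as root without having gone through sudo, su or another expected elevation tool, and whether the audit trail itself stays intact. The script below is an added example for the monitoring and logging points above, not a detector for CVE-2026-31431 and not taken from any vendor. It reads auditd SYSCALL records, remembers which audit sessions legitimately elevated, reports root activity in any other session, and reports the audit daemon being stopped. The log lines are constructed, and the list of expected elevation tools is an assumption to tune for your estate.

```python
"""Flag auditd records where a logged-in user reaches root without passing
through an expected elevation tool, and records of the audit daemon stopping.

Added example; the lines in SAMPLE_LOG are constructed, and EXPECTED_ELEVATORS
is an assumed list to adjust for your environment."""
import re

# Binaries through which a user is expected to obtain root (assumption).
EXPECTED_ELEVATORS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec"}
AUID_UNSET = 4294967295  # auditd's value for "no login user" (daemons, cron jobs)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit line into a dict of key=value fields, dropping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_suspicious(lines):
    """Return (rule, record) pairs.

    Root activity in an audit session (ses) is treated as expected once one of
    EXPECTED_ELEVATORS has run as root in that session; euid=0 under a real login
    uid in any other session is reported as 'unexplained-root'."""
    elevated_sessions = set()
    findings = []
    for line in lines:
        rec = parse_record(line)
        rtype = rec.get("type")
        if rtype == "DAEMON_END":
            # Logging being stopped is itself worth an alert.
            findings.append(("audit-daemon-stopped", rec))
            continue
        if rtype != "SYSCALL":
            continue
        auid = int(rec.get("auid", AUID_UNSET))
        euid = int(rec.get("euid", "-1"))
        if auid == AUID_UNSET or auid < 1000 or euid != 0:
            continue  # not a regular login user, or not running as root
        ses = rec.get("ses")
        if rec.get("exe", "") in EXPECTED_ELEVATORS:
            elevated_sessions.add(ses)
            continue
        if ses in elevated_sessions:
            continue  # root obtained via sudo/su earlier in this session
        findings.append(("unexplained-root", rec))
    return findings


# Constructed sample log: session 5 elevates via sudo then runs apt (expected);
# session 7 goes from a uid 1001 shell straight to a root shell (reported);
# the final line records the audit daemon being terminated (reported).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1777000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 ses=5 comm="sudo" exe="/usr/bin/sudo" key="priv"',
    'type=SYSCALL msg=audit(1777000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=5 comm="apt" exe="/usr/bin/apt" key="priv"',
    'type=SYSCALL msg=audit(1777000000.210:203): arch=c000003e syscall=59 success=yes exit=0 ppid=3300 pid=3301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 ses=7 comm="bash" exe="/usr/bin/bash" key="priv"',
    'type=SYSCALL msg=audit(1777000000.211:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3301 pid=3302 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=7 comm="sh" exe="/usr/bin/sh" key="priv"',
    'type=SYSCALL msg=audit(1777000000.300:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="priv"',
    'type=DAEMON_END msg=audit(1777000000.400:206): op=terminate auid=1001 pid=3305 res=success',
]

if __name__ == "__main__":
    for rule, rec in find_suspicious(SAMPLE_LOG):
        print(rule, rec.get("ses"), rec.get("auid"), rec.get("exe", rec.get("op")))
```

Run it over `/var/log/audit/audit.log` (or the equivalent feed in your SIEM) with an execve audit rule in place; the session-tracking approach keeps routine sudo use out of the alert queue while still surfacing root processes that have no elevation record behind them.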

Large-Scale Phishing Campaign Uses Fake HR Emails to Bypass Multi-Factor Authentication

Microsoft has published details of a large-scale credential theft campaign that targeted more than 35,000 users across 26 countries over a two-day period in April 2026. The campaign used polished, realistic-looking email lures themed around code of conduct reviews and HR policy notifications. The emails created a sense of urgency by including repeated time-limited action prompts and claiming messages had been issued through an authorised HR compliance system.

The attack used a technique called adversary-in-the-middle (AiTM) phishing. Rather than simply stealing a password, this method intercepts the victim's login session in real time, allowing attackers to capture both the password and the authentication token that proves the user has already passed their multi-factor authentication check. This means that even users who have MFA enabled can have their accounts compromised if they are tricked into using one of these fake login pages.

The emails were sent through legitimate email delivery services, which helped them bypass many standard email security filters. Victims were directed through multiple intermediate pages, including CAPTCHA challenges, before reaching the fake login page.

Multi-factor authentication is one of the most effective defences against account takeover. AiTM phishing is specifically designed to defeat it. Healthcare organisations, NHS suppliers, and digital health companies rely heavily on Microsoft 365, Microsoft Entra, and related cloud services. A stolen session token gives an attacker the same level of access as the legitimate user to email, SharePoint, Teams, clinical collaboration platforms, and administrative systems.

The volume and sophistication of phishing attacks on Microsoft environments continue to grow. Microsoft's own data shows more than 21 billion malicious emails were sent in Q1 2026 alone, with around 80 per cent using link-based methods. QR code phishing is also surging significantly, as attackers experiment with ways to avoid detection by email security tools. Business email compromise attacks crossed the one-million mark multiple times in Q1 2026.

For organisations subject to the DSPT, a compromised Microsoft account that provides access to patient data or clinical systems would require prompt assessment under the UK GDPR and could trigger reporting obligations to the ICO.

Recommendations

  • Remind staff that MFA is not a complete defence against phishing — they should still be cautious about any unexpected email urging them to click a link and log in, even if they are asked to verify their identity.
  • Where possible, move from standard MFA (such as SMS or push notification) to phishing-resistant authentication methods, such as hardware security keys or Microsoft's passkey options.
  • Check that your email security gateway is configured to flag or quarantine messages that impersonate HR or compliance departments, or that include unusual redirect chains.
  • Enable Microsoft Defender for Office 365 or equivalent email security controls if not already in place.
  • Review sign-in logs for unusual activity, including logins from unexpected countries or devices, or access at unusual times.
  • Ensure all Microsoft 365 and Entra administrators use strong, phishing-resistant authentication.
  • Train staff to recognise urgency-based phishing lures, particularly those themed around HR, code of conduct, or IT support.
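A stolen session token is used from the attacker's infrastructure, so the account typically appears in the sign-in logs from a second location shortly after the genuine user's own sign-in, often outside working hours. The script below is an added example for the sign-in review point above, not Microsoft's tooling and not the exact Entra sign-in log schema: it takes a batch of simplified sign-in records and reports sign-ins from countries outside an expected set, the same account appearing in two countries within a short window, and access at unusual hours. The records are constructed, and the expected-country set, the travel window and the working-hours range are assumptions to adjust for your organisation.

```python
"""Review sign-in records for the warning signs described in the report:
unexpected countries, rapid country changes for one account, and off-hours access.

Added example; SAMPLE_SIGNINS is constructed and uses a simplified flat schema
rather than the real Microsoft Entra sign-in log export. The thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"GB"}         # assumed: a UK-only workforce
TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two countries inside this window is implausible
WORK_HOURS = range(6, 22)           # assumed: 06:00-21:59 UTC counts as normal


def parse_time(text):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def review_signins(records):
    """Return (user, rule, detail) findings for successful sign-ins, in time order.
    Failed attempts are skipped: a replayed token produces a successful sign-in."""
    findings = []
    seen = defaultdict(list)  # user -> [(time, country), ...] for earlier successes
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        if rec["result"] != "success":
            continue
        when, user, country = parse_time(rec["time"]), rec["user"], rec["country"]
        if country not in EXPECTED_COUNTRIES:
            findings.append((user, "unexpected-country", f"{country} from {rec['ip']}"))
        if when.hour not in WORK_HOURS:
            findings.append((user, "off-hours", when.strftime("%H:%M UTC")))
        for prev_when, prev_country in seen[user]:
            if prev_country != country and when - prev_when <= TRAVEL_WINDOW:
                findings.append((user, "rapid-country-change",
                                 f"{prev_country} then {country} within {when - prev_when}"))
                break
        seen[user].append((when, country))
    return findings


# Constructed sample: alice signs in from the UK, then her account is used from
# another country an hour later; bob signs in at 03:30; carol's attempt fails.
SAMPLE_SIGNINS = [
    {"user": "alice@example.org", "time": "2026-04-21T09:05:00Z", "ip": "198.51.100.10", "country": "GB", "result": "success"},
    {"user": "alice@example.org", "time": "2026-04-21T10:12:00Z", "ip": "203.0.113.7", "country": "NL", "result": "success"},
    {"user": "bob@example.org", "time": "2026-04-21T03:30:00Z", "ip": "198.51.100.11", "country": "GB", "result": "success"},
    {"user": "carol@example.org", "time": "2026-04-21T11:00:00Z", "ip": "192.0.2.44", "country": "US", "result": "failure"},
    {"user": "bob@example.org", "time": "2026-04-21T14:00:00Z", "ip": "198.51.100.11", "country": "GB", "result": "success"},
]

if __name__ == "__main__":
    for user, rule, detail in review_signins(SAMPLE_SIGNINS):
        print(f"{rule:22s} {user:20s} {detail}")
```

Export the real sign-in logs from Entra (or pull them via your SIEM), map the fields onto this shape, and treat the "rapid-country-change" hits as the priority: they are the pattern most consistent with a captured token being replayed, and the account's sessions should be revoked while the user is contacted out of band.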

UK Government Survey: 43 Per Cent of UK Businesses Hit by Cyber Incidents in the Past Year

The UK government has published its annual Cyber Security Breaches Survey for 2026, and the headline figure has barely moved. Forty-three per cent of UK businesses and 28 per cent of UK charities reported a cyber incident in the past year. That equates to approximately 612,000 businesses and 57,000 charities affected.

Phishing remains the dominant attack method by a very significant margin. Around 85 per cent of businesses that reported a breach said it involved phishing, typically impersonation emails directing staff to fake login pages, or messages designed to trick people into opening attachments or handing over information.

Supply chain risk management is a particular weak point. Only 15 per cent of businesses say they review the risks posed by their direct suppliers. Just 6 per cent look at their wider supply chain. Among charities, these figures fall to 9 per cent and 4 per cent respectively. Meanwhile, 14 per cent of businesses and 22 per cent of charities say they hold personal data that is not protected by measures such as encryption or anonymisation.

These are not abstract statistics. They describe the actual risk environment in which UK digital health companies, NHS suppliers, and charities operate every day. The low rates of supply chain risk assessment are particularly concerning for the NHS ecosystem, where a single compromised supplier can affect multiple trusts, ICBs, and care providers simultaneously. Events such as the Synnovis attack in 2024 illustrated exactly this kind of cascading impact.

The continued dominance of phishing as the entry point for breaches reinforces the importance of investing in staff awareness training, strong email security controls, and phishing-resistant authentication. The fact that these figures have not improved year on year suggests that many organisations still treat cybersecurity as a compliance exercise rather than an ongoing operational priority.

For NHS suppliers and organisations subject to the DSPT, the survey findings are a direct reminder of the gap between having a policy on paper and applying effective controls in practice. Governance teams and senior leadership should use this survey as a prompt to review whether security investments are reaching the parts of the organisation where they are most needed.

Recommendations

  • Use the government survey as a prompt to test whether your phishing defences actually work — consider running a simulated phishing exercise to see how staff respond.
  • Review your supply chain risk management process. If you cannot confirm that key suppliers have adequate security controls in place, request evidence of their compliance (such as Cyber Essentials, ISO 27001, or DSPT assessment status).
  • Check whether any personal data held by your organisation is stored without encryption or anonymisation, and address gaps as a priority.
  • Ensure ransomware response and payment policies are clearly documented and communicated to senior leadership, not just IT teams.
  • If you are an NHS supplier, review your current DSPT status and check whether your controls accurately reflect the risk landscape described in the survey.
  • Review cyber insurance cover to ensure it is appropriate for the size and nature of your data holdings.

Stay Ahead of Threats Like These

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations and NHS suppliers with practical, hands-on cybersecurity assurance.
