"Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only," the company said.
Abbott confirms limited access in Cancer Diagnostics; says operations unaffected
Abbott Laboratories has acknowledged an investigation into unauthorized access affecting a “limited number of internal systems” within its Cancer Diagnostics business, according to a company statement provided to BleepingComputer. Abbott said the affected systems are legacy Exact Sciences systems and that those legacy systems are separate from Abbott’s other businesses and systems.
The company said it activated incident response procedures, engaged cybersecurity experts and notified law enforcement. Abbott told BleepingComputer the incident “does not impact any business operations, product or product availability, manufacturing or lab operations, or our ability to serve patients” and that it does not expect a material impact on its business or financial results.
ShinyHunters claims SSO vishing compromise and voluminous data exfiltration
The extortion group ShinyHunters added Abbott to its data leak site and initially threatened to publish allegedly stolen data after July 18, later extending the deadline to July 21. ShinyHunters told BleepingComputer it gained access via a vishing attack targeting several Abbott employees in mid-June, which the group said allowed it to compromise a Microsoft Entra single sign-on (SSO) account and access internal systems.
According to ShinyHunters’ account to BleepingComputer, after gaining a corporate SSO account the group exfiltrated data from connected SaaS applications including Microsoft Entra, ServiceNow, SharePoint, Databricks and Coupa, and from other common enterprise services the gang has targeted in past operations. The threat actor described the takings as internal documents, contracts and customer information and claimed more than 30 million rows of customer personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth and “more than one million Social Security numbers.”
ShinyHunters also claimed to have stolen over 22 million client notes containing doctor-patient conversations, more than 20 million medical orders, and customer agreements and NDAs. BleepingComputer notes it has not independently verified those claims. The extortion gang has told BleepingComputer it has increasingly targeted medtech companies, naming Medtronic, OneMedical and AdaptHealth, and has been linked to other incidents such as an iRhythm breach and a targeting attempt against Stryker.
ShadowByt3$ says LabCentral portal was abused via compromised customer credentials
A second actor, identifying itself as ShadowByt3$, told BleepingComputer it breached Abbott’s Core Laboratory diagnostics business through the LabCentral customer portal. ShadowByt3$ said it obtained access on July 4, 2026, using compromised customer credentials and then “slowly exfiltrated files” by targeting API endpoints.
ShadowByt3$ provided BleepingComputer with screenshots and a file listing as purported proof and claimed the stolen material included CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files and other documentation related to Abbott’s laboratory diagnostic systems. The group said no customer data was stolen but described the haul as sensitive business documents and intellectual property.
Abbott disputes LabCentral claims and separates the two incidents
Abbott told BleepingComputer it is aware of the “potential” LabCentral incident but disputed ShadowByt3$’s characterization of the data. An Abbott spokesperson said, “LabCentral is an externally facing third‑party hosted portal used by Abbott's core laboratory diagnostics business. It houses publicly available technical product reference documents, including operating manuals, troubleshooting checklists and product specifications, and does not contain proprietary/sensitive customer or business information.”
When asked whether the ShinyHunters listing and the LabCentral claim were connected, Abbott said the incidents are unrelated and directed BleepingComputer to its statement about the Cancer Diagnostics incident. As of the reporting, neither ShinyHunters nor ShadowByt3$ had publicly released the data they claim to possess.
What this means for technologists and security teams, policymakers and patients
- Technologists and security teams: The incidents, as described, hinge on compromised credentials and SSO access (Microsoft Entra) and on compromised customer credentials for an externally hosted portal. Security teams will focus on SSO account controls, customer-portal authentication, API exposure and logging to validate the actors’ claims and to search for lateral movement or additional exfiltration.
- Policymakers and regulators: Regulators will note Abbott’s statement that operations and patient service are unaffected and that law enforcement has been notified; they will likely monitor whether the company later substantiates or refutes the scope of the data claims and whether material business impact emerges.
- Patients and customers: Abbott has said the Cancer Diagnostics incident “does not impact any business operations” and that LabCentral contains publicly available product reference documents. Nevertheless, customers and patients named in the attackers’ claims—if those claims are confirmed—would face exposure of PII or clinical notes; at present, BleepingComputer has not independently verified the alleged data volumes.
Two different extortion groups have publicly claimed separate intrusions against Abbott: ShinyHunters tied to a mid‑June vishing compromise of a Microsoft Entra SSO account and ShadowByt3$ alleging access to the LabCentral portal on July 4, 2026. Abbott says the events are unrelated, that impacted systems are limited and segregated, and that it does not expect material business impact; the threat actors’ detailed claims and the screenshots one provided remain uncorroborated in public reporting. How those competing narratives resolve — through forensic detail, disclosures to affected individuals or follow‑up statements from Abbott or law enforcement — is the next concrete step to watch.




