— Peter Girnus 🦅 (@gothburz) March 13, 2026
I am the Chief Information Officer of Stryker Corporation.
I build the robots that perform your surgery. The defibrillators that restart your heart. The systems that let your nurse find your doctor at three in the morning when something goes wrong. Twenty-five billion dollars a year. Fifty-six thousand employees. Sixty-one countries. Every device in every country, managed from one console.
On March 11th, someone who was not me sat down at that console and erased everything.
I should be precise. They did not hack us. They logged in.
Microsoft Intune is an endpoint management platform. I deployed it across every laptop, workstation, manufacturing terminal, and enrolled phone in my organization. From one console I could push an update to Kalamazoo, enforce a policy in Cork, wipe a compromised device in Freiburg. One console. Every device. That was the architecture. That was the selling point. That was the attack surface.
Intune can push software. It can enforce compliance. It can, if instructed by an administrator with the correct credentials, wipe any device to factory settings. These are features. I paid for them. I presented them to the board as our zero-trust posture. A group called Handala used them to erase every managed device in my organization in a single afternoon.
I will be precise about what happened next, because my lawyers are in the room and precision is the only thing that still belongs to me.
No malware was deployed. No ransomware was installed. No zero-day was used. No vulnerability in any product was found. A threat actor obtained administrative credentials and issued a remote wipe command using the remote wipe feature that I chose this product for.
My security tool did not fail. It performed exactly as designed. It wiped every device it was told to wipe, without error, on schedule. The architect of my destruction was my own IT budget line item.
The command went out. The devices obeyed. Laptops in Kalamazoo. Workstations in Cork. Terminals in Freiburg. Manufacturing floors in Mahwah. The screens did not go dark. They changed. Where there had been a Stryker logo, there was now a barefoot cartoon boy with his back turned to the viewer -- the Handala icon, hands clasped behind him, facing away from the audience -- on every monitor in every office in sixty-one countries.
They claim fifty terabytes. I cannot confirm or deny this. I do not yet know what I still own.
Let me walk you through my first forty-eight hours.
Hour one. Our Irish operations -- fifty-five hundred employees, eight sites, our largest hub outside the United States -- went dark. Not gradually. Entirely. Security walked everyone out. The voicemail at our Michigan headquarters was changed to say "building emergency." There was no building emergency. The building was fine. Everything inside it was gone.
Hour four. Employees who had installed Microsoft Outlook on their personal phones discovered that their personal phones had been wiped. Intune does not distinguish between a corporate laptop and a personal iPhone with a company email profile. It manages endpoints. It managed them.
Hour eight. Hospitals called. Not because they had been breached. Because they could not order surgical implants. I make the hip replacements. The knee joints. The spinal hardware. The trauma fixation systems. My ordering system was down. My manufacturing was down. My shipping was down. A hospital in Baltimore could not schedule a knee replacement because a hacktivist group on another continent had pressed a single button on a console I built.
Hour twelve. Maryland Emergency Medical Services issued a memo. Hospitals were disconnecting from LIFENET -- my system that transmits your EKG from the ambulance to the emergency department while you are still in the back of the ambulance -- not because LIFENET had failed, but because they no longer trusted anything with my name on it.
Hour twenty-four. Fifty-six thousand employees coordinating on WhatsApp. Twenty-five billion dollar company. Sixty-one countries. Crisis response running on a free consumer messaging app, because every internal system I owned was now owned by someone else.
Hour thirty-six. I released my first official statement. "As a precaution, we have proactively taken all systems offline." Proactively. As though I had a choice. As though the systems I was taking offline had not already been taken.
I released six statements in forty-eight hours, plus an SEC filing. Each said less than the one before it. By statement five, I was confirming that specific products still functioned. Mako surgical robots: unaffected. LIFEPAK 35 defibrillators: unaffected. Vocera badges: unaffected.
When a medical device company begins listing which of its products still work, that is not reassurance. That is a casualty report delivered in reverse.
Handala says this is retaliation. For Minab. February 28th. A U.S. Tomahawk struck an IRGC naval base in southeastern Iran. The girls' school next door collapsed. One hundred and seventy-five dead. Most of them children. Handala published a statement. They called Stryker a "Zionist-rooted corporation." They said they would make us understand what it means to lose something you cannot replace.
I do not make missiles. I make hip replacements. I make the robot that holds the scalpel and the defibrillator in the crash cart. But I am a defense contractor's second cousin, and in the calculus of retaliation, proximity is guilt.
I filed with the SEC on March 11th. "The full scope, nature and impacts of the incident are not yet known." That is the most honest sentence I have produced in two days. I do not know what they took. I do not know what they copied before they wiped. I cannot audit what was lost, because the tool I built to audit my systems is the tool they used to erase them.
My stock dropped three and a half percent. One analyst called it "contained." A cybersecurity researcher called it "the first drop of blood in the water." I prefer the analyst. The analyst is wrong, but I prefer him.
Here is what I know.
I built a console that could touch every device in sixty-one countries. I gave it the authority to wipe anything it touched. I protected it with credentials. Someone obtained those credentials.
And my management tool managed.
No malware. No ransomware. No exploit. No CVE. Nothing to patch. Nothing to update. Nothing broken. Just a feature, performing its documented function, at the scale I purchased it for.
I make the machines that keep people alive. I was taken offline by my own architecture doing the one thing it was designed to do.
The system worked. That is the problem.