Monthly Round-up: All the Big Cybersecurity Incidents of April 2026
April 2026 was one of the most eventful months in recent cybersecurity history. Attackers did not target just one industry or one country. They went after hospitals, government bodies, travel platforms, water utilities, education companies, and healthcare technology firms. The scale and variety of these attacks made it clear that no organization is safe.
Whether you run a small municipal service or a global corporation with thousands of employees, cybercriminals are looking for a way in.
What made April 2026 stand out was the sophistication of the methods used. Ransomware groups, data extortion gangs, supply chain attackers, and state-linked threat actors all made headlines. Groups like ShinyHunters ran automated campaigns that swept hundreds of organizations at once. Others exploited simple misconfigurations that had been sitting open for months.
One theme ran through almost every incident: the weakest link was often a third party, a misconfigured platform, or a single employee account with too many permissions.
Part 1: Ransomware Hits Healthcare: ChipSoft Attack Cripples Dutch Hospitals

The single most disruptive ransomware attack of April 2026 did not target just one hospital. It targeted the software that runs most of them.
Dutch healthcare software vendor ChipSoft was hit by a ransomware attack on April 7, 2026, forcing parts of its digital infrastructure offline, including its public-facing website. ChipSoft is a major supplier of electronic health record systems in the Netherlands. Its flagship platform, HiX, is used by roughly 70 percent of Dutch hospitals and is widely deployed to manage patient records and facilitate communication between healthcare providers and patients.
The attack caused chaos across the country’s healthcare system. Here is what happened and what it meant for patients and providers:
- Patient portals went dark: As a precaution, ChipSoft disabled connections to several of its platforms, including Zorgportaal, HiX Mobile, and the Zorgplatform, making them temporarily unavailable while the company restored systems in stages.
- Eleven hospitals disconnected: Eleven hospitals disconnected their systems entirely. Nine of those used the ChipSoft system most extensively and faced the worst disruptions to daily operations.
- Z-CERT confirmed the attack: The cyberattack was confirmed by Z-CERT, the Netherlands’ computer emergency response team for healthcare. Z-CERT advised affected institutions to audit their ChipSoft systems for unusual activity and report any findings immediately.
- Patient data was at risk: The company confirmed possible unauthorized access and said it could not rule out that patient data had been accessed or stolen. Names, national identification numbers, diagnoses, treatment histories, and insurance details were all potentially exposed.
- Embargo ransomware group claimed credit: The attack was the work of the ransomware group Embargo, which threatened to publish the stolen data. The group claimed to have stolen 100 GB of data from ChipSoft’s systems.
- Stolen data reportedly destroyed: At the end of April, ChipSoft announced that all stolen data had been destroyed and that cybersecurity experts confirmed this was carried out in a technically sound manner. However, whether a ransom was paid remains unclear.
- Dutch minister raised doubts: The Dutch health minister publicly stated there is no way to be certain that hackers actually deleted the stolen patient data, raising serious questions about the reliability of such promises from ransomware groups.
Part 2: Medtronic Breached by ShinyHunters: 9 Million Records at Risk

The world’s largest medical device maker became one of the highest-profile victims of April 2026.
Medtronic, the world’s largest medical device manufacturer by revenue, confirmed a data breach of its corporate IT systems following claims by the extortion group ShinyHunters. The group alleged it had stolen more than 9 million records containing personally identifiable information and terabytes of internal corporate data. Medtronic provides a wide range of solutions, from pacemakers to surgical robots. It employs more than 95,000 people across 150 countries.
ShinyHunters added Medtronic to its dark web leak site on April 17 and 18, 2026, with an April 21 deadline to open ransom negotiations. The listing disappeared from the site ahead of the deadline, a pattern typically associated with ongoing negotiations or ransom payment. ShinyHunters did not include Medtronic in the mass data release it published from its other listed victims on April 22.
Medtronic confirmed the breach publicly on April 24, 2026, alongside a Form 8-K filing with the US Securities and Exchange Commission. The company stated that an unauthorized party had accessed data in certain corporate IT systems. Medtronic was clear that no medical devices, patient safety, or manufacturing operations were affected. Hospital customer networks remain separate from Medtronic’s IT networks and are secured and managed by customers’ IT teams.
Despite those assurances, a class-action lawsuit was filed on April 30, 2026, alleging negligence and seeking compensation for affected individuals. The investigation remained ongoing at the end of the month, and the full scope of what was stolen had not yet been confirmed.
Part 3: The ShinyHunters Campaign: Education, Retail, and Beyond

ShinyHunters expanded its attacks across multiple industries in April 2026, using misconfigured systems and phone-based social engineering instead of advanced exploits. McGraw-Hill lost data from 13.5 million users after attackers exploited a Salesforce misconfiguration, leading to a leak of over 100 GB of personal data. Booking.com also suffered a breach that fueled targeted WhatsApp phishing attacks.
On April 23, ShinyHunters leaked data from more than 40 organizations across healthcare, finance, and retail. Victims included Rockstar Games, Basic-Fit, and the European Commission. April also became a record month for ransomware, with 105 publicly disclosed attacks worldwide, most heavily affecting healthcare organizations.
Part 4: Critical Infrastructure Under Attack: Water Plant and Government Systems
Critical infrastructure attacks gained major attention in April 2026 after a ransomware attack hit Minot’s Water Treatment Plant in North Dakota. The city quickly switched to manual operations, avoided paying any ransom, and kept water services running safely. Around the same time, the FBI and Pentagon warned that an Iranian-linked hacking group was targeting water systems, local governments, and the energy sector. The European Commission also dealt with a cloud platform breach, though officials said internal systems were not affected.
Part 5: Supply Chain and Third-Party Attacks: Checkmarx, Vercel, and Adobe

April 2026 firmly established supply chain attacks as the dominant threat pattern of the year. Attackers are no longer trying to break into organizations directly. They are targeting the tools and vendors that those organizations trust.
Here are the key supply chain incidents that shaped the month:
- Checkmarx supply chain poisoning: Checkmarx KICS, Bitwarden CLI, Trivy, and LiteLLM were all compromised in a single coordinated campaign. Anodot’s analytics connectors handed attackers authenticated access to a dozen cloud environments at once. When the scanner that finds your vulnerabilities becomes the vulnerability, your security program is not designed to catch it. More than 50,000 businesses were put at risk, and CI/CD secrets were stolen at scale.
- Vercel breached through an AI tool: A third-party AI tool led to the breach of Vercel. The threat actor was able to access additional environments through this tool, highlighting the potential risks of AI tools in enterprise environments. One employee granting broad Workspace permissions to the AI tool gave attackers an inherited trust path into Vercel’s systems. The breach was not discovered by Vercel’s own security team. It was discovered when the attacker chose to monetize publicly.
- Adobe breached via BPO contractor: Adobe was reportedly breached through a third-party BPO support contractor via phishing and privilege escalation. This incident highlighted the risk that comes from outsourcing support operations without strict security controls in place.
- ADT’s Salesforce opened by one phone call: ADT’s entire Salesforce environment was opened by a single compromised Okta SSO account obtained through a vishing call. No exploit was used. No malware was deployed. Have I Been Pwned confirmed 5.5 million affected individuals, including names, phone numbers, addresses, and in some cases partial Social Security numbers.
- WordPress plugin supply chain attack: EssentialPlugin, a WordPress plugin development firm, suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation. WordPress.org closed the affected plugins, but infections were expected to remain on sites that had not yet updated.
- French government agency hit: ANTS, the French government agency storing citizens’ personal data such as ID cards, passports, and driving licenses, faced a breach that exposed sensitive information. France’s data protection authority CNIL, the Paris Public Prosecutor, and national cybersecurity agency ANSSI all became involved in the investigation.
- Los Angeles City Attorney’s Office targeted: The Los Angeles City Attorney’s Office was listed among victims in a month that saw government entities targeted with increasing frequency across multiple countries.
- Two major US banks via shared vendor: The Everest ransomware group posted two major US banks on its dark web leak site on April 20. Both banks confirmed that the breach originated at an unnamed third-party vendor, not their own networks. The same-day leak involving shared document-production data pointed to a single-vendor compromise affecting both institutions simultaneously.
Tips to Stay Protected Against Cyber Threats
Cyberattacks are growing in scale and speed. But many of them succeed because of gaps that organizations and individuals can actually fix. Here are practical steps you can take right now:
- Audit your third-party tools regularly. Make a list of every vendor, app, and SaaS platform that has access to your systems. Remove any that are not actively needed. The Vercel and ADT breaches both happened because a third-party tool or account had more access than it should have had.
- Review your SaaS configurations. Misconfigured platforms like Salesforce are now a top entry point for attackers. Check guest user permissions, open portals, and legacy settings at least once a quarter. The McGraw-Hill breach involved no hacking at all. Just a door left open in a Salesforce environment.
- Train employees to spot vishing calls. Teach your team to never reset passwords or confirm credentials over a phone call without proper verification. ShinyHunters compromised dozens of organizations in April 2026 using nothing more than convincing phone calls.
- Apply patches as soon as they are released. Microsoft fixed over 160 vulnerabilities in the April 2026 Patch Tuesday alone, including actively exploited flaws. Delaying patches gives attackers a window they will use.
- Have an offline backup ready. The Minot water treatment plant survived a ransomware attack because staff could switch to manual operations quickly. Your organization needs a tested backup plan that does not depend on the systems that might get encrypted.
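The first tip above, as an added example that is not part of the original article: a small Python audit over an exported list of third-party app grants, flagging apps with broad scopes (especially when a single employee granted them) and apps nobody has used recently. The CSV columns, the sample rows, and the choice of which Google OAuth scopes count as broad are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data): one row per user-to-app grant.
# Column names are assumptions; map them to what your admin console exports.
SAMPLE_CSV = """app,user,scopes,last_used
ai-notes-helper,dev1@example.com,https://www.googleapis.com/auth/drive https://mail.google.com/,2026-04-20
calendar-sync,ops@example.com,https://www.googleapis.com/auth/calendar.readonly,2026-04-28
calendar-sync,hr@example.com,https://www.googleapis.com/auth/calendar.readonly,2026-04-25
old-survey-tool,hr@example.com,https://www.googleapis.com/auth/drive.readonly,2025-09-01
"""

# Assumption: scopes this example treats as broad; set these from your own policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}


def audit_grants(csv_text, today, max_idle_days=90):
    """Aggregate grants per app and return [(app, [reasons])], riskiest first."""
    apps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = apps.setdefault(
            row["app"], {"users": set(), "scopes": set(), "last": date.min}
        )
        entry["users"].add(row["user"])
        entry["scopes"].update(row["scopes"].split())
        entry["last"] = max(entry["last"], date.fromisoformat(row["last_used"]))

    findings = []
    for name, entry in apps.items():
        reasons = []
        broad = sorted(entry["scopes"] & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
            # One person approving wide access is the pattern to review first.
            if len(entry["users"]) == 1:
                reasons.append("granted by a single user")
        idle_days = (today - entry["last"]).days
        if idle_days > max_idle_days:
            reasons.append(f"idle {idle_days} days")
        if reasons:
            findings.append((name, reasons))
    # Broad-scope apps sort ahead of apps that are only stale.
    findings.sort(key=lambda f: (not f[1][0].startswith("broad"), -len(f[1])))
    return findings


if __name__ == "__main__":
    for app, reasons in audit_grants(SAMPLE_CSV, date(2026, 4, 30)):
        print(f"{app}: " + "; ".join(reasons))
```

Apps that appear in the output are candidates for scope reduction or removal; apps that do not appear still belong on the vendor list the tip describes.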
Conclusion
April 2026 became a major month for cybersecurity as attackers used smarter and more targeted tactics. From hospital software attacks to phishing campaigns and large-scale SaaS breaches, threat actors showed how easily trust and weak configurations can be exploited. The month also highlighted a growing reality: third-party risks, compromised accounts, and poorly secured tools can quickly affect entire organizations.
Companies now need stronger systems to detect, respond to, and recover from attacks before serious damage is done.
FAQs
Q1. What was the biggest ransomware attack of April 2026?
The ChipSoft attack in the Netherlands was the most disruptive ransomware incident of April. The attack affected hospital systems across the country, forcing 11 hospitals to disconnect their networks. The Embargo ransomware group claimed responsibility and threatened to leak 100 GB of stolen data. ChipSoft later said the data was destroyed, though officials could not independently confirm it.
Q2. How did ShinyHunters breach so many companies in April 2026?
ShinyHunters mainly used phone scams and automated scanning instead of advanced hacking methods. They tricked employees into sharing login details, which gave them access to company SaaS systems. The McGraw-Hill breach was caused by a Salesforce misconfiguration, and on April 23 alone, the group leaked data from more than 40 organizations, exposing tens of millions of records.
Q3. Was the Medtronic breach a risk to patient safety?
Medtronic said the breach did not affect medical devices, patient safety, or manufacturing systems because those networks are separated from its corporate IT systems. However, ShinyHunters claimed to have stolen over 9 million records containing personal and health information. A class-action lawsuit was filed on April 30, 2026, while the investigation into the full extent of the breach remained ongoing.