Intuitive Surgical said an unauthorized third party accessed information from certain internal IT business applications after a targeted phishing incident, triggering a market reaction that saw the company's shares drop as much as 4% midday on Monday.
The company stated it discovered the incident and immediately activated its incident response procedures, securing the affected applications. Intuitive said the unauthorized party used an employee's compromised credentials to gain access to the company's internal business administrative network.
Information accessed during the intrusion included certain customer business and contact information, together with Intuitive employee and corporate data, the company said. Intuitive emphasized that the accessed data did not come from its clinical or robotic systems, and specifically noted that information was not taken from its da Vinci or Ion platforms.
Intuitive reassured customers and the market that its da Vinci, Ion and digital platforms were not impacted and remain safe and operational. The company highlighted that its network architecture is segmented, with separate networks maintained for internal IT business applications, manufacturing operations, and the da Vinci and Ion platforms and digital products.
In addition, Intuitive said hospital customer networks are segregated from its own networks, are secured and managed by customers' IT teams, and therefore were not affected by this incident.
The company reported no operational disruption and said there has been no impact on its ability to support customers. It added that its robotic systems run on independent security protocols and operate separately from the internal business network where the breach occurred.
Intuitive outlined the immediate steps it took after discovering the incident: assessing and containing the event, launching an investigation, reviewing security measures, and reinforcing online security training and processes for employees. The company said it is communicating directly with customers and has notified the appropriate data privacy regulators.
The investigation remains ongoing. Intuitive indicated it will provide updates as appropriate while the inquiry continues.
Summary
Intuitive Surgical reported a targeted phishing incident that allowed unauthorized access to certain internal business application data. The firm secured affected systems, said its core surgical platforms and hospital customer networks were not impacted, and confirmed no disruption to operations. Shares fell up to 4% during midday trading on Monday.
Key points
- Unauthorized access resulted from a targeted phishing attack using a compromised employee account; internal business applications were affected.
- Data accessed included some customer business and contact details plus employee and corporate information, but not data from da Vinci or Ion systems.
- Intuitive's segmented network architecture and the independent operation of its robotic platforms are cited as reasons clinical systems and hospital networks were not impacted.
Risks and uncertainties
- The company's investigation is ongoing, creating uncertainty about the full scope and any subsequent findings.
- Intuitive has notified data privacy regulators, which introduces regulatory scrutiny related to the breach and the data accessed.
- Market sentiment reacted to the disclosure, evidenced by the intraday share decline of up to 4%.