Iran-Linked Cyberattack: What U.S. Companies Need to Know Now
Overview
On March 11, 2026, independent reports confirmed that one of the largest medical device companies in the United States was the target of a significant cyberattack attributed to Iran-linked threat actors. Although the investigation into the incident’s scope and impact is ongoing, preliminary findings indicate that the attack may be part of a broader campaign by state-sponsored Iranian cyber syndicates tasked with targeting U.S. companies – especially those in the health care and life sciences sector.
This alert provides an overview of the threat landscape, including the growing use of vishing (voice phishing) as an attack vector, summarizes the key legal and regulatory considerations, and offers practical steps that organizations should take immediately to strengthen their cybersecurity posture and preparedness. Although health care and life sciences companies face acute risk, the threat posed by Iran-linked threat actors is not limited to that sector. All U.S. companies should be evaluating their exposure and taking proactive steps.
Why Health Care Companies Should Be on Heightened Alert
While the health care sector has long been recognized as a prime target for cyberattacks, recent changes in the threat environment reflect a significant escalation from foreign threat actors. Several factors make health care and life sciences companies especially vulnerable. Notable examples include the following:
- Geopolitical Risk. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. government agencies have repeatedly warned that Iranian state-sponsored threat actors are actively targeting U.S. critical infrastructure, including health care. These threat actors employ a range of sophisticated techniques, including spear-phishing, vishing, exploitation of known vulnerabilities, credential theft, and deployment of ransomware and data-wiping malware.
- Sensitive Data. Health care companies hold vast quantities of Protected Health Information (PHI), Personally Identifiable Information (PII), financial and insurance records, and proprietary research data. These categories of sensitive personal data are highly valuable to threat actors engaged in espionage, extortion, and data brokering on illicit markets. State-sponsored threat actors, including those linked to Iran, are known to target U.S. companies to conduct economic and scientific espionage in addition to ransomware and extortion.
- Intellectual Property and Trade Secrets. Beyond personal data, health care and life sciences companies often hold valuable intellectual property, including patented medical device designs, pharmaceutical formulations, clinical trial data, manufacturing processes, proprietary algorithms, and research and development pipelines. The exfiltration of trade secrets and proprietary research can cause irreparable competitive harm, undermine patent portfolios, and compromise years of R&D investment. And unlike personal data breaches, which are governed by well-established notification frameworks, the theft of intellectual property may go undetected for extended periods. These scenarios present distinct legal, commercial, and strategic challenges that require specialized attention.
- Export-Controlled Data. In addition to sensitive personal data and intellectual property, some health care and life sciences companies may also possess technical data, technology, and other articles subject to U.S. export control laws. This may include dual-use commercial items governed by the Export Administration Regulations (EAR) or, in more serious cases, military-grade items subject to the International Traffic in Arms Regulations (ITAR). Because the EAR and ITAR prohibit technology transfers to Iran and Iranian persons, companies targeted by Iranian threat actors may be investigated by the FBI and other U.S. government enforcement agencies – even in cases where they are the victims.
- Operational Urgency. Health care organizations often face intense pressure to maintain uninterrupted operations. This urgency can make them more likely to pay ransom demands quickly, which in turn makes them more attractive targets.
- Complex Supply Chains. The health care ecosystem involves extensive networks of vendors, business associates, and technology partners, each of which may represent a potential point of entry for attackers.
The Vishing Threat: Voice Phishing as a Growing Attack Vector
Organizations should be aware that vishing, voice phishing conducted over the telephone, has become an increasingly prominent tool in the threat actor’s arsenal, including among state-sponsored groups. Unlike traditional email phishing, vishing exploits the inherent trust people place in voice communication and the difficulty of verifying a caller’s identity in real time.
In a typical vishing attack, a threat actor calls an employee and impersonates a trusted figure, such as an IT help desk technician, a senior executive, a government official, or a vendor representative. The caller may reference specific internal details (employee names, system names, recent events) to establish credibility. The objective is to manipulate the target into taking an action that compromises security, such as:
- Disclosing credentials, including usernames, passwords, or multi-factor authentication (MFA) codes;
- Granting remote access by installing remote desktop software or disabling security controls at the caller’s direction;
- Authorizing financial transactions, such as fraudulent wire transfers or changes to payment routing information; or
- Clicking a malicious link sent via text or email during or immediately after the call.
Vishing is particularly dangerous in health care and professional services environments, where employees routinely interact with a wide range of external parties and where the pace of operations creates pressure to respond quickly to urgent-sounding requests. It is also increasingly used as the first stage of a multi-step attack, with the phone call serving to bypass technical defenses and set up subsequent exploitation via email, malware, or credential abuse.
Organizations should treat vishing with the same seriousness as email phishing and ensure their security awareness programs, reporting protocols, and incident response plans address this vector explicitly.
Recommended Immediate Actions
In light of the current threat environment, we recommend that all clients, and particularly those in the health care sector, take the following steps without delay:
- Review and Stress-Test Incident Response Plans. Every organization should have a written incident response plan that identifies key internal and external stakeholders, establishes clear lines of communication, and defines decision-making authority for critical actions such as system isolation, forensic engagement, regulatory notification, and public communication. If your plan has not been tested through a tabletop exercise in the past 12 months, now is the time to schedule one. The exercise should include scenarios involving vishing and other social engineering attacks, not just technical intrusions, to ensure employees and leadership are prepared for the full range of threats they may face.
- Ensure All Employees Know Reporting Protocols. Adopt and reinforce an “if you see something, say something” culture across the organization. Employees at every level should know how to report suspicious emails, suspicious phone calls, unusual system behavior, unexpected multi-factor authentication prompts, or any other anomalies. Specifically, employees should be trained to recognize the hallmarks of a vishing attempt (manufactured urgency, appeals to authority, requests for credentials or access, and reluctance to allow callback verification) and instructed to hang up and independently verify the caller’s identity through a known, published number before taking any action. Speed of detection and reporting is one of the most significant factors in limiting the damage of a cyber incident.
- Review Access Controls and Multi-Factor Authentication (MFA). Audit user access privileges across all critical systems to ensure they are limited to the minimum necessary for each role. Confirm that MFA is enabled for all remote access, privileged accounts, and cloud-based applications. Remove or disable accounts that are no longer needed, including those of former employees, contractors, and vendors. Critically, remind all personnel that MFA codes should never be provided to anyone over the phone, by text, or by email. A legitimate IT or security team will never ask for them. Health care organizations should note that the proposed HIPAA Security Rule update (discussed below) would make MFA a mandatory requirement for access to electronic protected health information (ePHI). Organizations that have not yet implemented MFA universally should treat this as an immediate priority, both to address the current threat and to prepare for the anticipated regulatory requirements.
- Identify and Protect Critical Intellectual Property. Organizations should conduct or update an inventory of their most sensitive intellectual property assets, including trade secrets, proprietary research data, patent applications in progress, clinical trial data, manufacturing specifications, and source code, and confirm that these assets are subject to enhanced technical and access controls. Key steps include:
- Classifying IP assets by sensitivity and ensuring that access is restricted to personnel with a demonstrated business need, using role-based access controls and the principle of least privilege.
- Confirming that trade secret protections are in place, including confidentiality and invention assignment agreements with employees and contractors, nondisclosure agreements with business partners and collaborators, and clear internal policies governing the handling and marking of confidential and proprietary information. Under the federal Defend Trade Secrets Act (DTSA) and analogous state laws, trade secret status depends in part on the holder having taken “reasonable measures” to keep the information secret; organizations should ensure their security measures are sufficient to satisfy this standard.
- Conducting export classification reviews to determine whether an organization’s technology, technical data, software, and other articles may be subject to control under the EAR and ITAR.
- Implementing data loss prevention (DLP) tools and enhanced monitoring on repositories containing high-value IP to detect unauthorized access, bulk downloads, or exfiltration attempts, particularly in the current heightened-threat environment.
- Reviewing collaboration and file-sharing practices to confirm that proprietary research and development materials are not being stored or transmitted through unsecured channels.
- Assess Vendor and Third-Party Risk. Evaluate the cybersecurity practices of your key vendors and business associates, particularly those with access to sensitive data or critical systems. Confirm that vendor contracts include appropriate data security requirements, breach notification obligations, and audit rights. Consider whether any third-party connections should be restricted or subjected to additional monitoring in the current threat environment. Be aware that vishing attacks frequently involve impersonation of known vendors. Employees should verify any unexpected vendor requests through established, independently verified contact channels. Under the proposed “HIPAA 2.0” framework, business associates would be required to verify their compliance with applicable technical safeguards. Organizations should begin incorporating such verification mechanisms into their vendor management processes now. Organizations should also confirm that vendor and collaboration agreements contain robust intellectual property ownership, confidentiality, and use-restriction provisions; a supply chain compromise that exposes shared R&D data or jointly developed IP can create complex disputes over ownership, liability, and loss allocation.
- Prioritize Patch Management and System Monitoring. Iranian-linked threat actors are known to exploit publicly disclosed software vulnerabilities, often within days of disclosure. Organizations should ensure that all systems, applications, and firmware are patched and updated promptly, prioritizing internet-facing systems and any vulnerabilities listed in government advisories as actively exploited. Enhance monitoring of network traffic, endpoint activity, and access logs for indicators of compromise, and ensure that security information and event management (SIEM) systems are configured to alert on the indicators and tactics that the FBI and CISA have published for Iranian cyber groups. Health care organizations should also be aware that the proposed HIPAA Security Rule update would require vulnerability scanning at least every six months and penetration testing at least annually. Establishing these practices now will both strengthen defenses against current threats and position organizations favorably for compliance.
- Invest in Employee Training and Phishing Awareness. Spear-phishing remains one of the most common and effective attack vectors, but vishing is rapidly closing the gap. Conduct targeted training for all employees, with an emphasis on recognizing phishing attempts, verifying requests for credentials or financial information, and avoiding interaction with suspicious links or attachments. Training should include realistic vishing simulations, not just email-based phishing tests, so employees experience the pressure and persuasion techniques used in live social engineering calls. Consider deploying simulated phishing campaigns to test and reinforce awareness.
- Understand Your Regulatory Notification Obligations. In the event of a cyber incident involving the compromise of personal data or PHI, organizations may be subject to overlapping notification obligations under federal and state law. Key frameworks include:
- HIPAA requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services, and, in certain cases, the media, of breaches involving unsecured PHI, generally within 60 days of discovery. Importantly, health care organizations should be preparing for the proposed HIPAA Security Rule update, widely referred to as HIPAA 2.0, published by the U.S. Department of Health and Human Services (HHS) as a Notice of Proposed Rulemaking (NPRM) in late 2024. The proposed rule would represent the most significant modernization of the HIPAA Security Rule since its original adoption and would substantially heighten cybersecurity obligations for covered entities and business associates. Key proposed changes include:
- Elimination of the “addressable” vs. “required” distinction for implementation specifications. The proposed rule would make all implementation specifications mandatory, removing the discretion that currently allows organizations to implement alternative measures or to document why a specification is not reasonable and appropriate.
- Mandatory encryption of ePHI both at rest and in transit, with very limited exceptions.
- Mandatory multi-factor authentication (MFA) for all access to ePHI.
- Technology asset inventories and network maps must be created and updated at least annually to provide organizations with a clear understanding of where ePHI resides and how it moves through their systems.
- More prescriptive risk analysis requirements, including specific methodologies and documentation standards.
- Vulnerability scanning every six months and penetration testing at least annually.
- Business associate compliance verification. Regulated entities would be required to obtain written verification that their business associates have implemented the required technical safeguards, rather than relying solely on contractual representations.
- Incident response plan testing requirements, reinforcing the need for regular tabletop exercises and plan updates.
- While the final rule has not yet been issued as of the date of this alert, organizations should not wait for finalization to begin assessing their readiness. The proposed requirements reflect the direction of federal cybersecurity regulation for health care, and many of the contemplated measures (encryption, MFA, asset inventories, regular vulnerability scanning, and incident response testing) are already recognized best practices that would materially strengthen an organization’s defenses against the types of state-sponsored attacks currently targeting the sector. We strongly recommend that organizations identify their applicable regulatory obligations in advance and incorporate notification procedures into their incident response plans, rather than attempting to navigate these requirements during an active incident.
- CIRCIA requires covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. (Note: CISA is set to finalize the mandatory reporting regulations under CIRCIA by May 2026. While the final rule is pending, CISA currently encourages voluntary reporting.)
- State breach notification laws impose a patchwork of requirements that vary by jurisdiction, including differing definitions of personal information, notification timelines, and obligations to notify state regulators or attorneys general.
- Economic sanctions compliance must be considered before making any ransom payment. Any payments to Iran, the Iranian government, or other Iranian parties are strictly prohibited under the economic sanctions programs administered by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The same is true for payments rendered to parties owned by (or working on behalf of) Iranian entities, or other parties appearing on OFAC’s list of Specially Designated Nationals. Knowingly making payments to sanctioned countries and parties is a crime under U.S. laws and, in certain instances, may constitute material support for terrorism. Even accidental payments to sanctioned countries and parties can have serious consequences, including U.S. government investigations, significant civil penalties, and the loss of banking relationships.
- Export control violations under the EAR and ITAR can also arise, even if there are no apparent economic sanctions risks. And because Iran is a proscribed destination under ITAR § 126.1, the transfer or theft of military-grade technology and technical data can trigger mandatory reporting to the U.S. State Department’s Directorate of Defense Trade Controls (DDTC). These mandatory reports invariably result in the DDTC notifying OFAC, the FBI, and other partner agencies – often resulting in overlapping government inquiries that must be managed carefully and concurrently.
- U.S. government contracts may require prime contractors, subcontractors, and federal grant recipients to disclose material cybersecurity incidents and risks in a timely manner. This is especially true for aerospace and defense sector contracts for projects involving Controlled Unclassified Information (CUI), which are likely to contain provisions mandating disclosure within 72 hours of discovery. Coordinating these disclosures with other disclosures addressing economic sanctions and export control risks is strongly recommended.
- SEC disclosure obligations may require publicly traded companies to disclose material cybersecurity incidents and risks in a timely manner.
- Defend Trade Secrets Act (DTSA) and state trade secret laws. While these statutes do not impose breach notification obligations in the traditional sense, they are critically relevant when a cyberattack results in the exfiltration or exposure of trade secrets. The DTSA provides a federal civil cause of action, and, in cases involving economic espionage benefiting a foreign government, criminal penalties under the Economic Espionage Act of 1996 (18 U.S.C. §§ 1831–1839) for the misappropriation of trade secrets. Organizations that discover or suspect theft of trade secrets in connection with a cyber incident should act swiftly to preserve forensic evidence, assess whether emergency injunctive relief (including ex parte seizure orders available under the DTSA) is warranted, and evaluate whether referral to the FBI or the Department of Justice National Security Division is appropriate, particularly where the theft appears linked to a foreign state actor. Critically, an organization’s ability to pursue trade secret claims depends on its ability to demonstrate that it took “reasonable measures” to maintain secrecy, making the preventive steps described above (access controls, classification, DLP tools, contractual protections) not only good security hygiene but essential legal prerequisites.
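The “enhanced monitoring on repositories containing high-value IP” and the access-log review recommended above are easier to act on with a concrete detection in hand. The script below is an added illustration written for this alert; it is not code from the original page, from any vendor, or from any government advisory. It assumes a hypothetical audit-log format (timestamp, user, action, path, bytes), an assumed approved-access group per repository, and illustrative thresholds (five distinct files within ten minutes, business hours of 07:00–18:59 UTC); the log lines are constructed sample data. It flags three of the behaviors the recommendations call out: access by a user outside the repository’s approved group (a least-privilege violation), bulk downloads, and off-hours access.

```python
"""Detection over file-repository audit logs for high-value IP (illustrative).

Assumptions (not any product's real schema): each log line is
    <ISO-8601 UTC timestamp> <user> <action> <path> <bytes>
and each monitored repository has an approved user group.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical approved-access groups per monitored repository.
APPROVED = {
    "/repos/rd-pipeline": {"alice", "carol"},
}
BULK_FILES = 5                      # distinct files ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window => bulk download
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC, assumed

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2026-03-10T09:02:11Z alice DOWNLOAD /repos/rd-pipeline/compound-7/assay.xlsx 20481
2026-03-10T09:05:40Z alice DOWNLOAD /repos/rd-pipeline/compound-7/protocol.docx 81920
2026-03-10T02:14:03Z bob DOWNLOAD /repos/rd-pipeline/compound-7/assay.xlsx 20481
2026-03-10T13:00:00Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-01.pdf 1048576
2026-03-10T13:00:07Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-02.pdf 1048576
2026-03-10T13:00:15Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-03.pdf 1048576
2026-03-10T13:00:22Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-04.pdf 1048576
2026-03-10T13:00:30Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-05.pdf 1048576
2026-03-10T13:00:41Z carol DOWNLOAD /repos/rd-pipeline/device-x/schematic-06.pdf 1048576
2026-03-10T10:30:00Z dave DOWNLOAD /repos/public/newsletter.pdf 4096
"""


def parse_line(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    ts, user, action, path, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "path": path,
        "bytes": int(nbytes),
    }


def repo_of(path):
    """Return the monitored repository prefix for a path, or None if unmonitored."""
    for repo in APPROVED:
        if path.startswith(repo + "/"):
            return repo
    return None


def detect(lines):
    """Return a list of (alert_type, user, detail) tuples for the given log lines."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["ts"])  # sliding window needs time order

    alerts = []
    windows = defaultdict(deque)  # (user, repo) -> deque of (ts, path)
    bulk_fired = set()            # alert once per (user, repo) burst
    for ev in events:
        repo = repo_of(ev["path"])
        if repo is None or ev["action"] != "DOWNLOAD":
            continue
        if ev["user"] not in APPROVED[repo]:
            alerts.append(("unauthorized_access", ev["user"], ev["path"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", ev["user"], ev["path"]))

        key = (ev["user"], repo)
        q = windows[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > BULK_WINDOW:  # drop events outside window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= BULK_FILES and key not in bulk_fired:
            bulk_fired.add(key)
            minutes = int(BULK_WINDOW.total_seconds() // 60)
            alerts.append(("bulk_download", ev["user"],
                           f"{len(distinct)} distinct files from {repo} within {minutes} min"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it on the constructed log yields one unauthorized-access alert and one off-hours alert for bob, one bulk-download alert for carol, and nothing for alice or for the unmonitored public repository. In a real deployment the thresholds and approved groups would come from the IP classification inventory described earlier, and the alerts would be forwarded to the SIEM rather than printed.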
How We Can Help
Foley & Lardner’s Cybersecurity & Data Privacy Group is closely monitoring this incident and the broader threat landscape. Our team has extensive experience advising clients on cybersecurity preparedness, incident response, regulatory compliance, and breach-related litigation, across the health care sector and beyond.
We are available to assist with:
- Reviewing and updating incident response and business continuity plans, including integrating vishing and social engineering scenarios into tabletop exercises
- Conducting tabletop exercises and readiness assessments
- Developing and reviewing employee security awareness programs that address phishing, vishing, and other social engineering threats
- Advising on regulatory notification obligations under HIPAA, state law, CIRCIA, and other frameworks
- Conducting HIPAA 2.0 gap analyses to assess organizational readiness against the proposed Security Rule requirements
- Assessing OFAC sanctions exposure in connection with ransomware demands
- Managing forensic investigations and coordinating with law enforcement
- Evaluating vendor and third-party cybersecurity risk
- Defending against regulatory inquiries and data breach litigation
- Advising on trade secret protection strategies, including IP asset classification, “reasonable measures” assessments, and review of confidentiality, NDA, and invention assignment agreements to ensure trade secret status is preserved
- Pursuing emergency injunctive relief and DTSA/state trade secret claims in the event of confirmed or suspected IP exfiltration
- Assessing export control implications of cyber incidents involving controlled technology or technical data, and advising on reporting obligations under EAR and ITAR
- Conducting IP risk assessments in connection with vendor, collaboration, and supply chain agreements to identify and mitigate exposure to IP loss in the event of a third-party compromise
If you have questions about the current threat environment, your organization’s preparedness, or any aspect of your cybersecurity and data privacy program, please do not hesitate to contact any member of the Cybersecurity & Data Privacy Group.
_____________________________________________________________________________________________________
This alert is provided by Foley & Lardner LLP for informational purposes only and does not constitute legal advice. The information contained herein is based on publicly available reporting as of March 11, 2026, and is subject to change as additional facts become available. Receipt of this alert does not create an attorney-client relationship. Readers should consult with qualified legal counsel regarding their specific circumstances and obligations.