Stryker says March cyberattack materially hit first-quarter operations

The Michigan medical-device maker told the SEC that order processing, manufacturing and shipping all went down for parts of March. The company says full-year guidance still stands.

PORTAGE, Mich. - Stryker Corporation (NYSE: SYK) told the Securities and Exchange Commission on April 3 that a March 11 cybersecurity incident materially affected its operations and its first-quarter 2026 financial results, the company's first formal acknowledgement that the attack moved past the IT department and into the books.

The amended Form 8-K, filed under accession 0001193125-26-149607, also said the incident is not reasonably likely to materially affect Stryker's full-year 2026 guidance and that, as of the date of the amendment, the company's global manufacturing network was fully operational and its commercial, ordering and distribution systems had been restored. That tension, a quarter-sized hit at a $25 billion-revenue medical-device manufacturer that the company says will not bend the full year, is the business story.

A Stryker Endoscopy facility. Stryker said its March cybersecurity incident disrupted order processing, manufacturing and shipping before systems were restored. (CC BY-SA 3.0)

The Story So Far

Stryker is one of the largest medical-technology manufacturers in the United States. The company's 2025 Form 10-K, filed February 6, 2026 under accession 0000310764-26-000010, reported $25.116 billion in net sales for 2025 and approximately 56,000 employees globally, with approximately 28,000 employees in the United States. The same filing listed approximately 27 company-owned and 306 leased locations worldwide, including 55 manufacturing locations.

That scale is the context for what Stryker disclosed in mid-March. On March 11, 2026, the company filed a Form 8-K under accession 0001193125-26-102460 stating that it had identified a cybersecurity incident affecting certain information technology systems "that has resulted in a global disruption to the Company's Microsoft environment." The filing also said the incident "has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company's information systems and business applications supporting aspects of the Company's operations and corporate functions." The March 11 8-K did not yet make a materiality call. It said: "Accordingly, the Company has not yet determined whether the incident is reasonably likely to have a material impact on the Company."

A second filing, dated March 12 under accession 0001193125-26-104431, sharpened the operational picture. "The Company noted that its operations continue to be disrupted, including its order processing, manufacturing and shipping," that filing said. The same document told investors and customers that "the Company does not believe that its patient-related services have been disrupted or that its connected products were impacted by the incident."

By March 19, Stryker's customer-update page made the patient-care side concrete. "Some of our customers that utilize our personalized implants are experiencing some disruptions," the company wrote. "We understand that some patient-specific cases scheduled for the week of March 16 have been rescheduled due to shipping delays we are experiencing." The same update said "All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use," and said the company was in contact with the White House National Cyber Director, FBI, CISA, the Defense Health Agency, the Department of Health and Human Services and H-ISAC.

What's Happening Now

The April 3 amendment is the document that converts the March disruption into a financial event. In its 8-K/A, Stryker stated: "The Company has determined that the incident had a material impact on its operations, with resulting impact to the Company's financial results for the first quarter of 2026."

The filing explained how the company reached that conclusion. "In reaching this determination, the Company considered factors including the scope and duration of the operational disruption, the systems affected and the potential for customer, regulatory and other impacts," the amendment said.

Stryker did not put a dollar figure on the Q1 hit in the amendment. The company said it would discuss the incident on its scheduled first-quarter earnings call and that, as of the filing date, "the Company is fully operational across its global manufacturing network and commercial, ordering and distribution systems have been restored." The filing also stated, in the same section: "The Company believes that the incident has not had, and is not reasonably likely to have, a material impact on the Company's 2026 full-year guidance."

That is the disclosure investors now have to price. A material Q1 impact, a global manufacturing footprint described as fully operational, and full-year guidance that the company says is not reasonably likely to be materially affected.

The Conservative View

The market-discipline reading of the Stryker filings starts with what the company chose to disclose and when. Item 1.05 of Form 8-K, the SEC rule that requires disclosure of material cybersecurity incidents within four business days of a materiality determination, is the regulatory backbone for the April 3 amendment. Stryker filed an initial 8-K on the day it identified the incident, an operational-update 8-K the following day, and an amendment determining materiality after it had measured the quarter. From that vantage, the company filed early on operational facts and waited to make the materiality call until it had data to support it, which is what the rule contemplates.

The conservative reading also notes that Stryker explicitly held its full-year 2026 guidance in the April 3 filing. The company did not pull or revise its outlook. For shareholders weighing operational resilience, the question is whether a material Q1 disruption at a 55-manufacturing-location, 28,000-U.S.-employee company can be absorbed inside a full-year plan, or whether the April 3 language gives way under questions on the Q1 earnings call.

The Progressive View

The labor and customer-impact reading focuses on the parts of the filings that describe what stopped working. Stryker's own March 12 filing said order processing, manufacturing and shipping were disrupted. Stryker's own March 19 customer update said personalized-implant cases scheduled for the week of March 16 were rescheduled because of shipping delays. Those are not abstractions. They are surgeries that did not happen on the day they were planned, at hospitals that depend on a single supplier for patient-specific hardware.

The same vantage notes that Stryker is a Michigan-headquartered manufacturer with 28,000 U.S. employees, per its 2025 10-K. A material Q1 operational hit at a company of that size is also a material Q1 hit to the workflows of the people who run those 55 manufacturing locations and the U.S. distribution network that feeds hospitals. Whether that translates into idle time, overtime to catch up, or shifts in production scheduling is a question for the Q1 earnings call.

Other Perspectives

Stryker said in its March 19 customer update that it was "in close contact with the White House National Cyber Director, FBI, CISA, DHA, HHS and H-ISAC and appreciate the ongoing support they have been giving us." Those agencies have not, as of the company's amended filing, issued public attribution or a joint advisory naming the threat actor. The company itself has not, in its filings or customer updates, attributed the incident to a state actor or a named criminal group.

Health-sector cybersecurity bodies have flagged medical-device manufacturers as a supply-chain concern in prior advisories. The Stryker filings give a concrete example of the mechanism those advisories describe: an IT-environment incident that flows into order processing, manufacturing and shipping, and then into patient-specific cases at hospitals that depend on the manufacturer for personalized hardware.

Economic Implications

Stryker's 2025 Form 10-K reports $25.116 billion in 2025 net sales, approximately 56,000 employees globally, approximately 28,000 employees in the United States and 55 manufacturing locations worldwide. A material first-quarter operational disruption at that scale is the kind of event the U.S. medical-device supply chain is built to absorb only because it does not happen often.

The U.S. labor exposure is concentrated in Michigan, where Stryker is headquartered, and across the company's domestic manufacturing and distribution footprint. The March 12 filing identified order processing, manufacturing and shipping as disrupted, which maps directly onto warehouse, plant and logistics labor. The March 19 customer update identified personalized-implant shipping as the customer-facing pinch point, which maps onto hospital surgical scheduling.

On the capital-expenditure side, the April 3 amendment did not separately quantify remediation spend, insurance recoveries or one-time costs. Investors will be watching the Q1 earnings call for any breakout of incident-related expense, which under U.S. GAAP would typically appear as either a charge in cost of sales or selling, general and administrative expense, depending on where the disruption hit.

On tax base, a material Q1 hit at a Michigan-headquartered company with 28,000 U.S. employees is a Q1 hit to U.S. corporate taxable income, which feeds federal and state corporate tax receipts. The April 3 filing's statement that full-year 2026 guidance is not reasonably likely to be materially affected is the company's view that this is a timing event inside a larger annual plan, not a permanent reset.

For hospitals that buy patient-specific implants, the economic implication is operational. A rescheduled patient-specific case is operating-room time that was bought and paid for, then released. Whether those rescheduled cases were recovered later in March or pushed into Q2 is a hospital-level question that does not appear in Stryker's filings.

By the Numbers

• $25.116 billion: Stryker's 2025 net sales, per the 2025 Form 10-K.
• 56,000: Approximate global employees at year-end 2025.
• 28,000: Approximate U.S. employees at year-end 2025.
• 55: Manufacturing locations worldwide listed in the 2025 10-K.
• 27 / 306: Approximate company-owned and leased locations worldwide.
• March 11, 2026: Date Stryker identified the incident and filed its initial 8-K.
• March 12, 2026: Date of the operational-disruption update 8-K.
• March 19, 2026: Date of the customer update covering rescheduled patient-specific cases for the week of March 16.
• April 3, 2026: Date Stryker filed the 8-K/A determining material Q1 impact.

What People Are Saying

"The Company has determined that the incident had a material impact on its operations, with resulting impact to the Company's financial results for the first quarter of 2026."

Stryker Corporation, Form 8-K/A, accession 0001193125-26-149607

"The Company believes that the incident has not had, and is not reasonably likely to have, a material impact on the Company's 2026 full-year guidance."

Stryker Corporation, Form 8-K/A, accession 0001193125-26-149607

"The Company noted that its operations continue to be disrupted, including its order processing, manufacturing and shipping."

Stryker Corporation, Form 8-K, accession 0001193125-26-104431

"Some of our customers that utilize our personalized implants are experiencing some disruptions. We understand that some patient-specific cases scheduled for the week of March 16 have been rescheduled due to shipping delays we are experiencing."

Stryker Corporation, Customer Updates page, March 19, 2026

"All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use."

Stryker Corporation, Customer Updates page, March 19, 2026

The Big Picture

The Stryker filings draw a clean line from a March 11 IT incident to a Q1 financial event at one of the largest U.S. medical-device manufacturers. The amendment converts an operational story into an SEC-reportable materiality determination, and it does so without pulling full-year 2026 guidance.

What is left to watch is the quantitative file. The April 3 amendment did not state the dollar magnitude of the Q1 hit, did not separately disclose incident-related expense, and did not name a threat actor. The Q1 earnings call is the next document of record, and it is the place where Stryker will have to put numbers next to the language in its 8-K/A. The same call is where investors will be able to test the company's view that a material Q1 disruption is contained inside the 2026 plan.

For the broader U.S. medical-device sector, the Stryker timeline is a case study in how an IT environment becomes an operations event becomes a financial event. The mechanism in this filing, an attack on the company's Microsoft environment that flowed into order processing, manufacturing and shipping and then into rescheduled patient-specific cases, is the version of the medical-device cyber risk that hospital chief operating officers, supply-chain directors and SEC filers have been preparing for. The Stryker filings are the version where it actually happened, at a $25 billion-revenue, 28,000-U.S.-employee manufacturer, and where the company itself has now told the SEC the quarter took a hit.