{"id":197579,"date":"2026-03-20T04:52:00","date_gmt":"2026-03-20T08:52:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/20\/iran-linked-cyberattack-what-u-s-companies-need-to-know-now-cybersecurity\/"},"modified":"2026-03-20T05:10:12","modified_gmt":"2026-03-20T09:10:12","slug":"iran-linked-cyberattack-what-u-s-companies-need-to-know-now-cybersecurity","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/20\/iran-linked-cyberattack-what-u-s-companies-need-to-know-now-cybersecurity\/","title":{"rendered":"Iran-Linked Cyberattack: What U.S. Companies Need To Know Now &#8211; Cybersecurity"},"content":{"rendered":"<p><a href=\"https:\/\/www.mondaq.com\/unitedstates\/cybersecurity\/1761158\/iran-linked-cyberattack-what-us-companies-need-to-know-now\">Iran-Linked Cyberattack: What U.S. Companies Need To Know Now &#8211; Cybersecurity<\/a><\/p>\n<p><a href=\"https:\/\/www.mondaq.com\/unitedstates\/cybersecurity\/1761158\/iran-linked-cyberattack-what-us-companies-need-to-know-now\">https:\/\/www.mondaq.com\/unitedstates\/cybersecurity\/1761158\/iran-linked-cyberattack-what-us-companies-need-to-know-now<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-20 04:52:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.mondaq.com\">www.mondaq.com<\/a><\/p>\n<p>Foley &#038; Lardner<\/p>\n<p>Overview<br \/>\nOn March 11, 2026, independent reports confirmed that one of the largest medical device companies in the United States was the target of a significant cyberattack attributed to Iran-linked threat actors. Although the investigation into the incident\u2019s scope and impact is ongoing, preliminary findings indicate that the attack may be part of a broader campaign by state-sponsored Iranian cyber syndicates tasked with targeting U.S. 
companies \u2013 especially those in the health care and life sciences sector.<br \/>\nThis alert provides an overview of the threat landscape, including the growing use of vishing (voice phishing) as an attack vector, summarizes the key legal and regulatory considerations, and offers practical steps that organizations should take immediately to strengthen their cybersecurity posture and preparedness.\u00a0Although health care and life sciences companies face acute risk, the threat posed by Iran-linked threat actors is not limited to that sector. All U.S. companies should be evaluating their exposure and taking proactive steps.\u00a0<br \/>\nWhy Health Care Companies Should Be on Heightened Alert<br \/>\nWhile the health care sector has long been recognized as a prime target for cyberattacks, recent changes in the threat environment reflect a significant escalation from foreign threat actors. Several factors make health care and life sciences companies especially vulnerable.\u00a0 Notable examples include the following:<\/p>\n<p>Geopolitical Risk. \u00a0The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. government agencies have repeatedly warned that Iranian state-sponsored threat actors are actively targeting U.S. critical infrastructure, including health care. These threat actors employ a range of sophisticated techniques, including spear-phishing, vishing, exploitation of known vulnerabilities, credential theft, and deployment of ransomware and data-wiping malware.\u00a0<br \/>\nSensitive Data. Health care companies hold vast quantities of Protected Health Information (PHI), Personally Identifiable Information (PII), financial and insurance records, and proprietary research data. 
These categories of sensitive personal data are highly valuable to threat actors engaged in espionage, extortion, and data brokering on illicit markets.\u00a0State-sponsored threat actors, including those linked to Iran, are known to target U.S. companies to conduct economic and scientific espionage in addition to ransomware and extortion.\u00a0<br \/>\nIntellectual Property and Trade Secrets. Beyond personal data, health care and life sciences companies often hold valuable intellectual property, including patented medical device designs, pharmaceutical formulations, clinical trial data, manufacturing processes, proprietary algorithms, and research and development pipelines. The exfiltration of trade secrets and proprietary research can cause irreparable competitive harm, undermine patent portfolios, and compromise years of R&#038;D investment. And unlike personal data breaches, which are governed by well-established notification frameworks, the theft of intellectual property may go undetected for extended periods. These scenarios present distinct legal, commercial, and strategic challenges that require specialized attention.\u00a0<br \/>\nExport Controlled Data.\u00a0 In addition to sensitive personal data and intellectual property, some health care and life sciences companies may also possess technical data, technology, and other articles subject to U.S. export control laws. This may include dual-use commercial items governed by the Export Administration Regulations (EAR) or, in more serious cases, military-grade items subject to the International Traffic in Arms Regulations (ITAR). Because the EAR and ITAR prohibit technology transfers to Iran and Iranian persons, companies targeted by Iranian threat actors may be investigated by the FBI and other U.S. government enforcement agencies \u2013 even in cases where they are the victims.\u00a0<br \/>\nOperational Urgency. Health care organizations often face intense pressure to maintain uninterrupted operations. 
This urgency can make them more likely to pay ransom demands quickly, which in turn makes them more attractive targets.\u00a0<br \/>\nComplex Supply Chains. The health care ecosystem involves extensive networks of vendors, business associates, and technology partners, each of which may represent a potential point of entry for attackers.<\/p>\n<p>The Vishing Threat: Voice Phishing as a Growing Attack Vector<br \/>\nOrganizations should be aware that vishing, voice phishing conducted over the telephone, has become an increasingly prominent tool in the threat actor\u2019s arsenal, including among state-sponsored groups. Unlike traditional email phishing, vishing exploits the inherent trust people place in voice communication and the difficulty of verifying a caller\u2019s identity in real time.<br \/>\nIn a typical vishing attack, a threat actor calls an employee and impersonates a trusted figure, such as an IT help desk technician, a senior executive, a government official, or a vendor representative. The caller may reference specific internal details (employee names, system names, recent events) to establish credibility. The objective is to manipulate the target into taking an action that compromises security, such as:<\/p>\n<p>Disclosing credentials,\u00a0including usernames, passwords, or multi-factor authentication (MFA) codes;<br \/>\nGranting remote access by installing remote desktop software or disabling security controls at the caller\u2019s direction;<br \/>\nAuthorizing financial transactions,\u00a0such as fraudulent wire transfers or changes to payment routing information; or<br \/>\nClicking a malicious link sent via text or email during or immediately after the call.<\/p>\n<p>Vishing is particularly dangerous in health care and professional services environments, where employees routinely interact with a wide range of external parties and where the pace of operations creates pressure to respond quickly to urgent-sounding requests. 
It is also increasingly used as the first stage of a multi-step attack, with the phone call serving to bypass technical defenses and set up subsequent exploitation via email, malware, or credential abuse.<br \/>\nOrganizations should treat vishing with the same seriousness as email phishing and ensure their security awareness programs, reporting protocols, and incident response plans address this vector explicitly.<br \/>\nRecommended Immediate Actions<br \/>\nIn light of the current threat environment, we recommend that all clients, and particularly those in the health care sector, take the following steps without delay:<\/p>\n<p>Review and Stress-Test Incident Response Plans. Every organization should have a written incident response plan that identifies key internal and external stakeholders, establishes clear lines of communication, and defines decision-making authority for critical actions such as system isolation, forensic engagement, regulatory notification, and public communication. If your plan has not been tested through a tabletop exercise in the past 12 months, now is the time to schedule one. The exercise should include scenarios involving vishing and other social engineering attacks, not just technical intrusions, to ensure employees and leadership are prepared for the full range of threats they may face.\u00a0<br \/>\nEnsure All Employees Know Reporting Protocols. Adopt and reinforce an \u201cif you see something, say something\u201d culture across the organization. Employees at every level should know how to report suspicious emails, suspicious phone calls, unusual system behavior, unexpected multi-factor authentication prompts, or any other anomalies. Specifically, employees should be trained to recognize the hallmarks of a vishing attempt (urgency, authority, requests for credentials or access, and reluctance to allow callback verification) and instructed to hang up and independently verify the caller\u2019s identity before taking any action. 
Speed of detection and reporting is one of the most significant factors in limiting the damage of a cyber incident.\u00a0<br \/>\nReview Access Controls and Multi-Factor Authentication (MFA). Audit user access privileges across all critical systems to ensure they are limited to the minimum necessary for each role. Confirm that MFA is enabled for all remote access, privileged accounts, and cloud-based applications. Remove or disable accounts that are no longer needed, including those of former employees, contractors, and vendors. Critically, remind all personnel that MFA codes should never be provided to anyone over the phone, by text, or by email. A legitimate IT or security team will never ask for them. Health care organizations should note that the proposed HIPAA Security Rule update (discussed below) would make MFA a mandatory requirement for access to electronic protected health information (ePHI). Organizations that have not yet implemented MFA universally should treat this as an immediate priority, both to address the current threat and to prepare for the anticipated regulatory requirements.\u00a0<br \/>\nIdentify and Protect Critical Intellectual Property. Organizations should conduct or update an inventory of their most sensitive intellectual property assets, including trade secrets, proprietary research data, patent applications in progress, clinical trial data, manufacturing specifications, and source code, and confirm that these assets are subject to enhanced technical and access controls. 
Key steps include:\u00a0<\/p>\n<p>Classifying IP assets by sensitivity and ensuring that access is restricted to personnel with a demonstrated business need, using role-based access controls and the principle of least privilege.\u00a0<br \/>\nConfirming that trade secret protections are in place, including confidentiality and invention assignment agreements with employees and contractors, nondisclosure agreements with business partners and collaborators, and clear internal policies governing the handling and marking of confidential and proprietary information. Under the federal Defend Trade Secrets Act (DTSA) and analogous state laws, trade secret status depends in part on the holder having taken \u201creasonable measures\u201d to keep the information secret; organizations should ensure their security measures are sufficient to satisfy this standard.\u00a0<br \/>\nConducting export classification reviews to determine whether an organization\u2019s technology, technical data, software, and other articles may be subject to control under the EAR and ITAR.\u00a0<br \/>\nImplementing data loss prevention (DLP) tools and enhanced monitoring on repositories containing high-value IP to detect unauthorized access, bulk downloads, or exfiltration attempts, particularly in the current heightened-threat environment.\u00a0<br \/>\nReviewing collaboration and file-sharing practices to confirm that proprietary research and development materials are not being stored or transmitted through unsecured channels.\u00a0<\/p>\n<p>Assess Vendor and Third-Party Risk. Evaluate the cybersecurity practices of your key vendors and business associates, particularly those with access to sensitive data or critical systems. Confirm that vendor contracts include appropriate data security requirements, breach notification obligations, and audit rights. Consider whether any third-party connections should be restricted or subjected to additional monitoring in the current threat environment. 
Be aware that vishing attacks frequently involve impersonation of known vendors. Employees should verify any unexpected vendor requests through established, independently verified contact channels. Under the proposed \u201cHIPAA 2.0\u201d framework, business associates would be required to verify their compliance with applicable technical safeguards. Organizations should begin incorporating such verification mechanisms into their vendor management processes now. Organizations should also confirm that vendor and collaboration agreements contain robust intellectual property ownership, confidentiality, and use-restriction provisions; a supply chain compromise that exposes shared R&#038;D data or jointly developed IP can create complex disputes over ownership, liability, and loss allocation.\u00a0<br \/>\nPrioritize Patch Management and System Monitoring. Iranian-linked threat actors are known to exploit publicly disclosed software vulnerabilities, often within days of disclosure. Organizations should ensure that all systems, applications, and firmware are patched and updated promptly. Enhance monitoring of network traffic, endpoint activity, and access logs for indicators of compromise, and ensure that security information and event management (SIEM) systems are configured to detect known threat signatures associated with Iranian cyber groups. Health care organizations should also be aware that the proposed HIPAA Security Rule update would require vulnerability scanning at least every six months and penetration testing at least annually. Establishing these practices now will both strengthen defenses against current threats and position organizations favorably for compliance.\u00a0<br \/>\nInvest in Employee Training and Phishing Awareness. Spear-phishing remains one of the most common and effective attack vectors, but vishing is rapidly closing the gap. 
Conduct targeted training for all employees, with an emphasis on recognizing phishing attempts, verifying requests for credentials or financial information, and avoiding interaction with suspicious links or attachments. Training should include realistic vishing simulations, not just email-based phishing tests, so employees experience the pressure and persuasion techniques used in live social engineering calls. Consider deploying simulated phishing campaigns to test and reinforce awareness.\u00a0<br \/>\nUnderstand Your Regulatory Notification Obligations. In the event of a cyber incident involving the compromise of personal data or PHI, organizations may be subject to overlapping notification obligations under federal and state law. Key frameworks include:\u00a0<\/p>\n<p>HIPAA requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services, and, in certain cases, the media, of breaches involving unsecured PHI, generally within 60 days of discovery. Importantly, health care organizations should be preparing for the proposed HIPAA Security Rule update, widely referred to as HIPAA 2.0,\u00a0published by the U.S. Department of Health and Human Services (HHS) as a Notice of Proposed Rulemaking (NPRM) in late 2024. The proposed rule would represent the most significant modernization of the HIPAA Security Rule since its original adoption and would substantially heighten cybersecurity obligations for covered entities and business associates. Key proposed changes include:\u00a0<\/p>\n<p>Elimination of the \u201caddressable\u201d vs. 
\u201crequired\u201d distinction for implementation specifications: the proposed rule would make all security measures mandatory, removing the discretion that currently allows organizations to implement alternative measures or to document why a specification is not reasonable and appropriate.\u00a0<br \/>\nMandatory encryption of ePHI both at rest and in transit, with very limited exceptions.\u00a0<br \/>\nMandatory multi-factor authentication (MFA) for all access to ePHI.\u00a0<br \/>\nTechnology asset inventories and network maps must be created and updated at least annually to provide organizations with a clear understanding of where ePHI resides and how it moves through their systems.\u00a0<br \/>\nMore prescriptive risk analysis requirements, including specific methodologies and documentation standards.\u00a0<br \/>\nVulnerability scanning every six months and penetration testing at least annually.\u00a0<br \/>\nBusiness associate compliance verification: regulated entities would be required to obtain written verification that their business associates have implemented required technical safeguards, rather than relying solely on contractual representations.\u00a0<br \/>\nIncident response plan testing requirements, reinforcing the need for regular tabletop exercises and plan updates.\u00a0<br \/>\nWhile the final rule has not yet been issued as of the date of this alert, organizations should not wait for finalization to begin assessing their readiness. The proposed requirements reflect the direction of federal cybersecurity regulation for health care, and many of the contemplated measures (encryption, MFA, asset inventories, regular vulnerability scanning, and incident response testing) are already recognized best practices that would materially strengthen an organization\u2019s defenses against the types of state-sponsored attacks currently targeting the sector. 
We strongly recommend that organizations identify their applicable regulatory obligations in advance and incorporate notification procedures into their incident response plans, rather than attempting to navigate these requirements during an active incident.\u00a0<\/p>\n<p>CIRCIA requires covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. (Note: CISA is set to finalize the mandatory reporting regulations under CIRCIA by May 2026. While the final rule is pending, CISA currently encourages voluntary reporting.)\u00a0<br \/>\nState breach notification laws impose a patchwork of requirements that vary by jurisdiction, including differing definitions of personal information, notification timelines, and obligations to notify state regulators or attorneys general.\u00a0\u00a0<br \/>\nEconomic sanctions compliance must be considered before making any ransom payment. Any payments to Iran, the Iranian government, or other Iranian parties are strictly prohibited under the economic sanctions programs administered by the U.S. Treasury\u2019s Office of Foreign Assets Control (OFAC). The same is true for payments rendered to parties owned by (or working on behalf of) Iranian entities, or other parties appearing on OFAC\u2019s list of Specially Designated Nationals. Knowingly making payments to sanctioned countries and parties is a crime under U.S. laws and, in certain instances, may constitute material support for terrorism. Even accidental payments to sanctioned countries and parties can have serious consequences, including U.S. government investigations, significant civil penalties, and the loss of banking relationships.\u00a0\u00a0<br \/>\nExport control violations under the EAR and ITAR can also arise, even if there are no apparent economic sanctions risks. 
And because Iran is a \u201cdebarred\u201d country under the ITAR, the transfer or theft of military-grade technology and technical data can trigger mandatory reporting to the U.S. State Department\u2019s Directorate of Defense Trade Controls (DDTC). These mandatory reports invariably result in the DDTC notifying OFAC, the FBI, and other partner agencies \u2013 often resulting in overlapping government inquiries that must be managed carefully and concurrently.\u00a0<br \/>\nU.S. government contracts\u00a0may require prime contractors, subcontractors, and federal grant recipients to disclose material cybersecurity incidents and risks in a timely manner.\u00a0 This is especially true for aerospace and defense sector contracts for projects involving Controlled Unclassified Information (CUI), which are likely to contain provisions mandating disclosure within 72 hours of discovery. Coordinating these disclosures with other disclosures addressing economic sanctions and export control risks is strongly recommended.\u00a0<br \/>\nSEC disclosure obligations may require publicly traded companies to disclose material cybersecurity incidents and risks in a timely manner.\u00a0<br \/>\nDefend Trade Secrets Act (DTSA) and state trade secret laws. While these statutes do not impose breach notification obligations in the traditional sense, they are critically relevant when a cyberattack results in the exfiltration or exposure of trade secrets. The DTSA provides a federal civil cause of action, and, in cases involving economic espionage benefiting a foreign government, criminal penalties under the Economic Espionage Act of 1996 (18 U.S.C. \u00a7\u00a7 1831\u20131839) for the misappropriation of trade secrets. 
Organizations that discover or suspect theft of trade secrets in connection with a cyber incident should act swiftly to preserve forensic evidence, assess whether emergency injunctive relief (including ex parte seizure orders available under the DTSA) is warranted, and evaluate whether referral to the FBI or the Department of Justice National Security Division is appropriate, particularly where the theft appears linked to a foreign state actor. Critically, an organization\u2019s ability to pursue trade secret claims depends on its ability to demonstrate that it took \u201creasonable measures\u201d to maintain secrecy, making the preventive steps described above (access controls, classification, DLP tools, contractual protections) not only good security hygiene but essential legal prerequisites.<\/p>\n<p>How We Can Help<br \/>\nFoley &#038; Lardner\u2019s Cybersecurity &#038; Data Privacy Group is closely monitoring this incident and the broader threat landscape. Our team has extensive experience advising clients on cybersecurity preparedness, incident response, regulatory compliance, and breach-related litigation, across the health care sector and beyond.<br \/>\nWe are available to assist with:<\/p>\n<p>Reviewing and updating incident response and business continuity plans, including integrating vishing and social engineering scenarios into tabletop exercises<br \/>\nConducting tabletop exercises and readiness assessments<br \/>\nDeveloping and reviewing employee security awareness programs that address phishing, vishing, and other social engineering threats<br \/>\nAdvising on regulatory notification obligations under HIPAA, state law, CIRCIA, and other frameworks<br \/>\nConducting HIPAA 2.0 gap analyses to assess organizational readiness against the proposed Security Rule requirements<br \/>\nAssessing OFAC sanctions exposure in connection with ransomware demands<br \/>\nManaging forensic investigations and coordinating with law enforcement<br \/>\nEvaluating 
vendor and third-party cybersecurity risk<br \/>\nDefending against regulatory inquiries and data breach litigation<br \/>\nAdvising on trade secret protection strategies, including IP asset classification, \u201creasonable measures\u201d assessments, and review of confidentiality, NDA, and invention assignment agreements to ensure trade secret status is preserved<br \/>\nPursuing emergency injunctive relief and DTSA\/state trade secret claims in the event of confirmed or suspected IP exfiltration<br \/>\nAssessing export control implications of cyber incidents involving controlled technology or technical data, and advising on reporting obligations under EAR and ITAR<br \/>\nConducting IP risk assessments in connection with vendor, collaboration, and supply chain agreements to identify and mitigate exposure to IP loss in the event of a third-party compromise<\/p>\n<p>\u00a0The content of this article is intended to provide a general guide<br \/>\nto the subject matter. Specialist advice should be sought about your<br \/>\nspecific circumstances.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iran-Linked Cyberattack: What U.S. 
Companies Need To Know Now &#8211; Cybersecurity https:\/\/www.mondaq.com\/unitedstates\/cybersecurity\/1761158\/iran-linked-cyberattack-what-us-companies-need-to-know-now Publish Date: 2026-03-20&#8230;<\/p>\n","protected":false},"author":1,"featured_media":197580,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/www.mondaq.com\/images\/profile\/companythumb\/19711.webp?v=20241101121959","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,28,31,32,25,34,27],"class_list":["post-197579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-data-security","tag-exploit","tag-malware","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197579"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=197579"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197579\/revisions"}],"predecessor-version":[{"id":197581,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197579\/revisions\/197581"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/197580"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=197579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\
/wp-json\/wp\/v2\/categories?post=197579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=197579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}