On June 28, 2026, the ransomware group known as Redact claimed responsibility for an attack against Hologic (hologic.com), a major U.S. medical device and diagnostics supplier with reported revenue of roughly $4 billion. According to a listing surfaced by threat intelligence firm DeXpose, Redact has threatened to publish exfiltrated data unless its demands are met. The claim places Hologic among a growing roster of healthcare-sector organizations targeted by data-extortion crews.
What Happened
Redact posted Hologic to its extortion infrastructure on June 28, 2026, tagging the victim by sector ("Medical Supplies") and revenue ("$4B USD"). The posting follows the standard double-extortion playbook: the actor claims to have gained access to Hologic's environment and exfiltrated internal data, and is now applying pressure through a public countdown and the threat of a full leak.
As of this writing, the claim is sourced from the Redact leak listing and DeXpose's monitoring. Hologic has not published a confirmation, and the specific intrusion vector, dwell time, and whether encryption was deployed alongside theft remain unconfirmed. Redact's branding emphasizes data theft and disclosure rather than pure file encryption, which is consistent with the exfiltration-first trend across the current ransomware landscape.
What Was Taken
Redact has not published a sample tranche or a detailed file inventory in the material reviewed. The actor's listing asserts possession of sensitive Hologic data and frames the leak threat around that holding.
Given Hologic's footprint in diagnostics, breast and skeletal health imaging, surgical products, and laboratory supply, the data at realistic risk in an incident of this type typically includes corporate intellectual property and engineering documentation, employee and HR records, financial and contract data, customer and distributor information, and potentially regulated health-adjacent data tied to clinical and device operations. Until Redact releases proof or Hologic discloses, treat the scope as unverified but potentially high-sensitivity.
Why It Matters
Medical device and diagnostics firms sit at the intersection of regulated patient-adjacent data, valuable R&D, and a supply chain that downstream hospitals and labs depend on. A leak that exposes proprietary designs, regulatory filings, or distributor data carries consequences well beyond the victim, reaching the clinical customers who rely on Hologic products.
Healthcare remains one of the most heavily targeted verticals because of the value of its data and the operational pressure that makes victims more likely to pay. A confirmed extortion event against a $4 billion supplier signals continued actor interest in the sector and should prompt peer organizations to revisit exposure assumptions, third-party risk, and breach-readiness.
The Attack Technique
The initial access method used against Hologic has not been disclosed. Redact-style data-extortion operations commonly enter through stolen or reused credentials sourced from infostealer logs and dark web markets, phishing, exploitation of internet-facing applications and VPN or remote-access appliances, and abuse of weak or absent multi-factor authentication. Post-access activity generally involves lateral movement, privilege escalation, identification of high-value data stores, and staged exfiltration prior to any extortion notice.
Notably, infostealer-driven credential compromise often precedes a public ransom demand by weeks, meaning the exposure that enabled this incident may have been observable in malware log dumps before June 28. Defenders should treat the absence of confirmed technique details as a reason to harden broadly rather than narrowly.
What Organizations Should Do
- Monitor exposure continuously: track dark web leak sites, stealer log dumps, and threat-actor chatter for breached credentials and data tied to your domains, executives, and key personnel before damage spreads.
- Run a compromise assessment: if you have Hologic supply-chain or partner ties, review access paths, audit data potentially exfiltrated, and hunt for persistence mechanisms.
- Validate backups: keep backups current, encrypted, offline, and immutable so they resist ransomware encryption and deletion.
- Enforce MFA and kill credential reuse: apply phishing-resistant MFA across all access points and rotate credentials known to appear in infostealer logs.
- Operationalize threat intelligence: feed indicators of compromise into your SIEM or XDR for real-time correlation and alerting.
- Engage response professionals early: involve incident response, threat analysts, and legal counsel before any contact with a ransomware group or broker.
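An added example (not from DeXpose or the original article) of the stealer-log monitoring and credential-rotation steps above: it triages a constructed, tab-separated feed for accounts tied to a monitored domain and reports how many days each exposure preceded a notice date. The feed layout, the `medco.example` domain and every record are assumptions for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample feed (assumed layout): capture_date, url, username, password,
# tab-separated. Domains use the reserved .example TLD; secrets are placeholders.
SAMPLE_FEED = (
    "2026-05-30\thttps://vpn.medco.example/login\tj.doe\tREDACTED-1\n"
    "2026-06-02\thttps://mail.other.example/owa\talice@medco.example\tREDACTED-2\n"
    "2026-06-10\thttps://vpn.medco.example/login\tJ.Doe\tREDACTED-3\n"
    "2026-06-11\thttps://notmedco.example/\tbob\tREDACTED-4\n"
    "malformed line without tabs\n"
)

def in_scope(host, domains):
    """True if host is a monitored domain or a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(feed, domains, notice_date):
    """Map (account, host) -> first_seen, record count and lead time in days."""
    domains = {d.lower() for d in domains}
    hits = {}
    for line in feed.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed records instead of guessing at fields
        seen_raw, url, user, _password = parts  # the secret is never kept or printed
        try:
            seen = date.fromisoformat(seen_raw)
        except ValueError:
            continue
        host = urlsplit(url).hostname or ""
        user = user.strip().lower()
        email_domain = user.rpartition("@")[2] if "@" in user else ""
        # In scope if the login page is ours OR the account is one of our mailboxes.
        if not (in_scope(host, domains) or in_scope(email_domain, domains)):
            continue
        rec = hits.setdefault((user, host), {"first_seen": seen, "records": 0})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["records"] += 1
        rec["lead_days"] = (notice_date - rec["first_seen"]).days
    return hits

if __name__ == "__main__":
    found = triage(SAMPLE_FEED, ["medco.example"], date(2026, 6, 28))
    for (user, host), rec in sorted(found.items()):
        print(f"rotate {user} on {host}: first seen {rec['first_seen']}, "
              f"{rec['lead_days']} days before notice ({rec['records']} records)")
```

The output is a rotation list keyed by account and login host; the lookalike host `notmedco.example` is excluded because matching is done on a dot-delimited suffix rather than a plain substring.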
Sources: Redact Ransomware Strikes Medical Giant Hologic - DeXpose