March 2026 delivered a cross-industry attack pattern in what security researchers are calling the most volatile month of the year so far: medical technology, legal data, higher education, and manufacturing each absorbed significant incidents, driven by a combination of ransomware operators seeking high-value data and geopolitically motivated groups targeting U.S. and allied infrastructure. The breadth of this month’s incidents is itself a data point that business leaders should act on.
Stryker, LexisNexis, and the Strategic Targeting of Data-Rich Organizations
Stryker Corporation, one of the world’s largest medical technology companies, reported a significant cyberattack in March attributed to an Iran-aligned hacktivist group. The attack disrupted administrative and operational systems at multiple business units. Stryker’s products and services reach hospitals, surgical centers, and medical providers across dozens of countries — the downstream impact of any sustained operational disruption extends well beyond the company itself.
LexisNexis, the legal and professional services data platform used by law firms, financial institutions, and compliance teams worldwide, also experienced an incident in March affecting portions of its data infrastructure. The nature of the data LexisNexis manages — legal records, professional credentials, financial due diligence files, court documents — makes it a high-value target for both nation-state actors seeking intelligence and criminal operators building identity fraud capabilities. The incident is under investigation.
Both incidents share a characteristic that defines the March 2026 threat environment: attackers are targeting organizations for their data value, not their revenue size. Stryker’s medical data and LexisNexis’s legal records have intelligence value far exceeding any ransom that could be extracted. The strategic motivation behind these attacks extends beyond financial extortion to information collection — a pattern that security agencies in the U.S., U.K., and EU have all flagged as an accelerating concern in 2026.
Higher Education and Manufacturing: Sectors That Underestimate Their Exposure
The University of Hawaii and several peer institutions experienced ransomware incidents in March, continuing a pattern from 2025 that saw education sector attacks increase 70 percent year-over-year. Universities hold a specific combination of data that makes them attractive targets: personal information on hundreds of thousands of students and alumni, research data with potential commercial or strategic value, financial records, and healthcare information from campus medical services. They also typically operate with fragmented IT environments and limited security staffing relative to their attack surface.
Michelin, the global tire and automotive manufacturing company, also reported a March incident, reinforcing that manufacturing sector organizations are increasingly targeted for operational disruption and intellectual property theft simultaneously. Manufacturing facilities that have integrated operational technology — connected machinery, automated production systems, supply chain software — with traditional IT networks face a particular risk: ransomware that crosses from the IT environment into operational systems can halt physical production, not just digital operations.
For small and mid-size businesses in manufacturing, healthcare services, professional services, or education-adjacent industries, March’s headlines carry a direct message: your sector is not off the target list. The incidents at Stryker, LexisNexis, and university systems involved attackers who had specifically researched these organizations’ data holdings and systems before executing their attacks. Opportunistic attacks are still common, but targeted attacks — where attackers invest weeks or months in reconnaissance before executing — are increasing in frequency.
Supply Chain and OAuth Abuse: The Technical Pattern Behind March’s Incidents
April will bring news of the March incidents’ downstream effects, as is typical of the months following major attacks. What the March data already shows is a technical pattern worth understanding: OAuth abuse and supply chain compromises are responsible for a disproportionate share of the month’s incidents. OAuth is the authorization framework that allows one application to access another on a user’s behalf; it is the mechanism behind “Sign in with Google” or “Connect your Slack account.”
When attackers compromise an OAuth token or abuse OAuth permissions in a connected application, they gain access to everything that token is authorized to reach — often across multiple systems simultaneously, without triggering traditional login-based detection. The proliferation of connected business applications has expanded the OAuth attack surface significantly: the average SMB now uses more than 80 cloud applications, many of which are interconnected through OAuth relationships that have never been audited.
The practical implication for business owners is that connected app permissions represent an unreviewed attack surface in most small business environments. Applications granted access to your Google Workspace, Microsoft 365, or financial systems years ago may still hold permissions that are no longer necessary. An attacker who gains access to one connected application inherits whatever access that application holds across your environment.
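The review described above can be run over an exported list of app grants. The following is an added example, not part of the original article: it reads a constructed CSV whose column names are assumptions (not a Google or Microsoft export format) and ranks grants that are stale or hold broad mail and file scopes.

```python
import csv
import io
from datetime import date

# Constructed sample export of third-party app grants. The column names are
# assumptions for this example, not a Google or Microsoft export format.
SAMPLE_EXPORT = """app,granted_on,last_used,scopes
CalendarSync,2021-03-02,2022-01-15,https://www.googleapis.com/auth/calendar
MailMergePro,2020-06-10,2021-11-30,https://mail.google.com/ https://www.googleapis.com/auth/drive
TeamChat,2024-09-01,2026-03-28,openid email profile
ReportBuilder,2023-02-14,2026-03-30,Files.ReadWrite.All offline_access
OldSurveyTool,2019-05-20,,openid email
"""

# Scopes that give broad read/write access to mail or files (Google and
# Microsoft Graph scope names; extend this set for your own environment).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}

def audit_grants(export_text, today, stale_after_days=180):
    """Return (app, action, reasons) tuples, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        scopes = set(row["scopes"].split())
        broad = sorted(scopes & BROAD_SCOPES)
        last_used = row["last_used"].strip()
        # A grant never used, or unused past the threshold, counts as stale.
        stale = (not last_used or
                 (today - date.fromisoformat(last_used)).days > stale_after_days)
        reasons = []
        if stale:
            reasons.append("no recent use" if last_used else "never used")
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if "offline_access" in scopes:
            reasons.append("refresh token issued (access persists without sign-in)")
        action = "revoke" if stale else "review" if broad else "keep"
        findings.append((row["app"], action, reasons))
    order = {"revoke": 0, "review": 1, "keep": 2}
    return sorted(findings, key=lambda f: (order[f[1]], -len(f[2])))

if __name__ == "__main__":
    for app, action, reasons in audit_grants(SAMPLE_EXPORT, date(2026, 4, 1)):
        print(f"{action:7} {app:14} {'; '.join(reasons)}")
```

Stale grants sort to the top because an unused application that still holds access is pure exposure; active applications with broad scopes are listed next for a least-privilege review.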
What Business Leaders Should Consider
- Audit your connected application permissions this month. In Google Workspace, go to Security → API Controls → Third-party apps. In Microsoft 365, go to the Azure Active Directory portal → Enterprise Applications. Review what applications have been granted access, what permissions they hold, and whether those applications are still in active use. Revoke permissions for any application your organization no longer uses.
- If you work in healthcare, legal, or professional services, treat your data as a strategic intelligence target, not just a compliance requirement. The March incidents demonstrate that data-rich organizations are targeted not just for ransom but for the intelligence value of the information they hold. Your response plan should account for both data theft and operational disruption scenarios.
- Ask your IT provider about network segmentation if you have any connected operational equipment. Manufacturing, healthcare, and facilities management businesses that have connected physical equipment — machinery, HVAC, security systems, medical devices — to their business network need to confirm that a compromise of the IT network cannot reach operational systems. Network segmentation is the primary technical control for this risk.
- Verify that your cyber insurance covers geopolitically motivated attacks. Some cyber policies include exclusions for nation-state or politically motivated attacks. The attribution of the Stryker attack to an Iran-aligned group places that incident in a potentially excluded category for some policyholders. Review your exclusions now.
- Run a phishing simulation with your team in Q2. The reconnaissance-heavy, targeted attacks documented in March begin with social engineering — attackers gather information about your organization and craft highly personalized communications that are difficult to distinguish from legitimate business correspondence. A quarterly phishing simulation, even a simple one, trains your team to pause before clicking and report suspicious messages.
