Intuitive Surgical Data Breach Exposes Korean Medical Staff Information

Intuitive Surgical, the U.S.-based global leader in surgical robotics, suffered a cyberattack that exposed personal information of Korean medical professionals, the company disclosed.

The breach is significant given the company's dominant position in Korea's surgical robot market for over two decades, with leaked data including sensitive details such as physicians' surgical proficiency levels and training records.

Intuitive Surgical Korea notified members via email on the night of May 12 that it had "identified a personal data breach suspected to be caused by external hacking," according to medical industry sources on May 15.

The company said it discovered on May 9 that a hacker accessed its business management network through an employee's account and exfiltrated some customer information. The company has since blocked unauthorized access, conducted an inspection, and reported the incident to the Korea Internet & Security Agency.

Compromised data includes customers' names, titles, affiliated hospitals and facility addresses, specialties, email addresses, phone numbers, medical equipment usage records, training history, training performance, event and mentoring participation records, and complaints.

Intuitive Surgical is the world's leading surgical robotics company headquartered in the United States. Its proprietary da Vinci surgical system became the first to receive U.S. Food and Drug Administration approval in 2000, establishing the company as a pioneer in minimally invasive surgery. The da Vinci system enables physicians to perform precise surgery by remotely controlling robotic arms while viewing 3D images with magnified visibility. The technology has evolved through successive generations to the da Vinci 5, generating $10.1 billion in revenue last year.

Analysts attribute the company's accelerating growth to expanding da Vinci installations driven by rising global demand for minimally invasive robotic surgery, combined with revenue from robot maintenance, parts replacement, and physician training services. In Korea, since Severance Hospital first introduced the system in 2005, Intuitive Surgical has maintained a virtual monopoly for over 20 years. Major Korean hospitals including Samsung Medical Center, Asan Medical Center Seoul, and Seoul St. Mary's Hospital now routinely use da Vinci systems for cancer surgeries and other procedures. Consequently, the breach likely affects most key medical staff and hospital personnel who perform robotic surgery at these institutions.

Despite the severity of the incident, the company has not disclosed the specific scope of damage. Intuitive Surgical's headquarters stated on its website that "the incident was limited to an internal administrative network and does not affect the operation or safety of surgical robot systems." While this indicates the worst-case scenario of surgical malfunction was avoided, the statement omitted details about the extent of member data exposure and countermeasures.

The Korean subsidiary maintains that headquarters-level investigation is ongoing and that it cannot yet determine even the potential domestic damage scope. An Intuitive Surgical Korea representative said, "We confirmed that an unauthorized third party accessed the company's customer information management system through targeted cyber phishing, and we notified customers via email as quickly as possible. We will promptly inform customers once the exact scope of damage is determined."

According to materials released by Intuitive Surgical Korea last year marking the 20th anniversary of da Vinci surgical robot systems in Korea, more than 200 units are installed domestically, including at all 47 tertiary hospitals nationwide. More than 2,000 Korean medical professionals have completed da Vinci robotic surgery training programs. This suggests personal information of virtually all physicians trained to perform robotic surgery at major Korean hospitals may have been exposed. Given that da Vinci robotic surgery in Korea spans urology, obstetrics and gynecology, general surgery, otolaryngology, and thoracic surgery, personal and sensitive information of key medical professionals across these specialties appears to have been compromised.

Medical professionals in the field reacted strongly to the notification that their sensitive information was fully exposed. A specialist at a major hospital said, "[The manufacturer] encouraged web-based membership registration starting with the fourth-generation da Vinci Xi model, and approximately 90% of domestic users likely signed up. They must fully explain why the equipment company collected physicians' personal information and how it was leaked externally."

Some observers suggest this incident could shake Intuitive's dominant market position. A medical industry official noted, "The possibility that data could flow to competitors or be maliciously manipulated cannot be ruled out. In a medical device market built on trust, a confirmed security vulnerability is fatal to brand value."

Amid growing social concern over personal data breaches, attention is also focused on potential penalties including fines. Another medical industry official pointed out, "This case shows that medical device companies have been managing physician data through cloud and network systems while underinvesting in security. Beyond a simple apology, they must present specific compensation plans addressing how the leaked data might be misused and measures to prevent recurrence."