Fluke Corp. Discloses May 2026 Breach Exposing SSNs and Health Records

TL;DR: Fluke Corp. disclosed a May 13, 2026 breach that exposed Social Security numbers and health records; affected individuals should place fraud alerts or credit freezes with Equifax, Experian, and TransUnion.

Context: Fluke Corp., an American maker of industrial test and measurement equipment, filed a breach notice with the Vermont Attorney General on May 13, 2026. The notice confirmed that personal data including Social Security numbers and health records were compromised. At this time, the company has not released details about how the breach occurred or the timeline of the intrusion.

Key Facts: - Disclosure date: May 13, 2026 to the Vermont Attorney General. - Exposed data: Social Security numbers and health records. - Recommended consumer action: place a fraud alert or credit freeze with Equifax (1-800-525-6285), Experian (1-888-397-3742), and TransUnion (1-800-680-7289).

What It Means: The exposure of SSNs and health information increases the risk of medical identity theft and fraudulent tax filings. Organizations that hold similar data should review access controls and monitor for unauthorized use of personal identifiers.

Mitigations / What Defenders Should Do: - Enforce multi-factor authentication on all systems that store or process personal data. - Review and tighten privileged access management; remove unnecessary admin rights. - Deploy endpoint detection and response (EDR) rules that look for credential dumping (MITRE ATT&CK T1003) and lateral movement via SMB (T1021.002). - Ensure patches for known vulnerabilities in external-facing applications are applied within 30 days of release; prioritize CVEs related to remote code execution. - Implement network segmentation to isolate databases containing SSNs and health records from user workstations. - Conduct regular tabletop exercises that simulate a data exfiltration scenario involving PII and PHI.

Watch for Fluke Corp.’s follow‑up communication detailing the attack vector, any threat actor attribution, and the scope of affected records.