Medical device company confirms data theft after cyberattack
Tshedimoso Makhene
March 3, 2026
UFP Technologies has confirmed that a cyberattack in February 2026 resulted in the theft and destruction of company data. The incident disrupted various operations, including billing and labeling.
What happened
According to Bleeping Computer, U.S. medical device manufacturer UFP Technologies has warned investors and the public that a cyberattack detected on February 14 resulted in unauthorized access to its IT systems and the theft of company data. The Massachusetts-based maker of surgical components, wound care products, and healthcare wearables disclosed the incident in a regulatory filing with the U.S. Securities and Exchange Commission on February 19.
Going deeper
According to the Form 8-K filed with the SEC, UFP Technologies identified “suspicious activity” on its internal systems and immediately initiated containment and remediation efforts, including isolating affected servers and bringing in external cybersecurity experts. The company says it believes the threat actor has since been removed and that access to impacted systems has been restored in all “material respects.”
Despite these efforts, the filing indicates that some company data was stolen and even destroyed during the intrusion. Furthermore, the attack disrupted functions like billing and label-making for customer deliveries; however, backups and contingency plans enabled operations to carry on.
The company has not yet determined whether personal information, such as employee, patient, or partner data, was compromised, but says it will provide notifications if required by law, should that be confirmed later.
What was said
In its SEC filing, UFP Technologies stated that “through the Company’s efforts, the Company believes that the third party responsible for this cybersecurity incident has been removed from the Company’s IT systems, and the Company’s ability to access information impacted by this incident has been restored in all material respects. The incident appears to have impacted many but not all of the Company’s IT systems and affected functions such as billing and label making for customer deliveries.” The filing goes on to state that “although the Company has ascertained that certain files were exfiltrated, it is still investigating the extent of any sensitive information contained in the accessed systems, including whether any personal information was exfiltrated. It is evaluating what legal and regulatory notifications and filings may be required as a result of this incident and will make such filings as are required based on its findings.”
While the company continues to investigate the “nature and scope of the unauthorized access,” it has stated that “a significant portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries.”
Why it matters
According to Paubox, "Third-party vendors often introduce invisible risk." The UFP Technologies incident exemplifies this point. As noted in the company’s SEC filing, “Through the Company’s efforts, the Company believes that the third party responsible for this cybersecurity incident has been removed from the Company’s IT systems.”
Even with the attacker removed, the breach demonstrates how vendor access can create unseen vulnerabilities that extend beyond a single organization. Furthermore, disruptions to billing, labeling, and operational systems show how a compromise at a third-party vendor can ripple across the healthcare supply chain. The case shows why strong vendor risk management, continuous monitoring, and layered security controls are required to protect interconnected healthcare operations.
FAQs
How can healthcare organizations protect themselves from vendor-related attacks?
Best practices include strong vendor risk management, continuous monitoring of vendor access, contractually required cybersecurity standards, segmented network access, and layered defenses such as email and endpoint security.
Could this attack have been prevented?
While no system is completely immune, strong vendor risk management, network segmentation, multi-factor authentication, and continuous monitoring could reduce the likelihood or impact of such incidents.
