Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack
The U.S. medical device manufacturer UFP Technologies has submitted a FORM 8-K filing to the U.S Securities and Exchange Commission (SEC) to notify the SEC and investors about a cyberattack and data breach that could potentially impact its financial condition or operations.
UFP Technologies is a publicly traded contract manufacturer based in Newburyport, Massachusetts, that makes single-use medical devices and highly engineered components for the aerospace, automotive, healthcare, and defense industries. The company produces a wide range of medical devices and medical components for products used in wound care, implants, and orthopedic and surgical products. UFP Technologies has an annual revenue of $600 million and employs 4,300 people.
According to the filing, UFP Technologies detected an IT systems intrusion on February 14, 2026. Immediate action was taken to assess, contain, and remediate the threat, and third-party cybersecurity experts were engaged to assist with the investigation. UFP Technologies said it believes the cyber threat actor responsible for the attack has been eradicated from its IT environment and confirmed that it has restored access to systems and information impacted by the incident in all material respects. While the attack did not impact all of its IT systems, many were affected, including the systems used for billing and label-making. UFP Technologies implemented its incident response and contingency plans, and since the incident was detected, it was able to continue operations in all material respects.
Some company and company-related data was either stolen or destroyed in the attack, which suggests this was a ransomware attack or that wiper malware was used. No threat group appears to have claimed responsibility for the attack. UFP Technologies explained in the filing that data has been recovered from backups. The company has confirmed that some data was exfiltrated from its system, although it is too early to determine the extent of the data theft, such as whether any personal or protected health information was stolen. The investigation to determine the nature and scope of the incident is ongoing, and the company is exploring the legal and regulatory notifications and filings that may be required.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
As of the date of the filing (February 19, 2026), UFP Technologies said the incident has not had any material impact on its financial systems, operations, or financial condition. While costs have naturally been incurred, the company expects a significant proportion of the costs of containment, investigation, and mitigation will be covered by its cyber insurance policy.
