UFP Technologies, a Massachusetts-based medical device manufacturer, recently filed a Form 8-K with the SEC to report a significant cyberattack on its IT systems. While the company has restored its operations and eradicated the threat, an ongoing investigation is assessing the extent of data theft and potential financial impacts.

UFP Technologies is a publicly traded contract manufacturer headquartered in Newburyport, Massachusetts, specializing in the production of single-use medical devices and engineered components. Their expertise spans multiple critical sectors, including healthcare, aerospace, automotive, and defense, with a specific focus on wound care, implants, and surgical products. With an annual revenue of 600 million dollars and a workforce of 4,300 employees, the company serves as a vital link in the medical supply chain.

The security incident was first detected on February 14, 2026, when the company identified an unauthorized intrusion into its IT environment. In response, leadership immediately initiated containment and remediation protocols while bringing in external cybersecurity specialists to manage the investigation. Although the breach did not compromise every system, it significantly affected core administrative functions, specifically those responsible for billing and the creation of product labels.

Despite the disruption to these specific areas, UFP Technologies managed to maintain its primary operations by activating established incident response and contingency plans. The company has since reported that the threat actors have been removed from their network and that access to the impacted systems and information has been substantially restored. This recovery was aided by the company's ability to retrieve lost or damaged data from existing backup files.

The nature of the event, which involved both the theft and destruction of company data, points toward the use of ransomware or wiper malware by the attackers. While the company has confirmed that some information was exfiltrated from its servers, no specific cybercriminal group has come forward to claim responsibility for the breach. The forensic process is currently focused on identifying exactly what was taken and whether any sensitive personal or protected health information was compromised.

UFP Technologies is now working to determine the full scope of the incident and evaluate its long-term impact on the company's financial standing and operational stability. Part of this process involves identifying any necessary legal or regulatory notifications that must be filed based on the findings of the investigation. The company remains in communication with the SEC and other relevant authorities as they navigate the aftermath of the cyberattack.

Source: Medical Device Maker UFP Technologies Confirms Cyberattack Stole Sensitive Data