TriMed reports September 2025 data breach involving limited patient information

TriMed Inc., a Santa Clarita, California-based manufacturer of orthopedic implants, disclosed a data security incident involving unauthorized access to parts of its network between Sept. 13 and Sept. 21, 2025, potentially exposing limited personal and medical-related information tied to patient orders.

The company detected suspicious activity within certain systems in September 2025 and initiated an internal investigation supported by an independent forensic firm. The review determined that an unauthorized third party accessed portions of TriMed’s environment where order forms and invoices were stored, with some files potentially viewed or acquired during the intrusion window.

TriMed develops and manufactures hardware surgically implanted to repair or replace damaged joints. A detailed review of the affected files found that most contained operational data related to medical devices, including part types, associated components such as screws and the names of ordering surgeons. In some instances, however, the documents included personal information such as patient names, dates of birth and medical record numbers. The company confirmed that Social Security numbers and financial information, including bank account and payment card details, were not present in the compromised files.

The total number of individuals affected has not been disclosed. A filing with the Maine Attorney General indicated that two residents of the state were impacted. The incident has not yet appeared on the U.S. Department of Health and Human Services Office for Civil Rights breach reporting portal.

TriMed reported the incident to law enforcement and proceeded with notifying affected individuals after identifying the scope of impacted data. The company is offering 24 months of credit monitoring and identity theft protection services as a precaution.

In response to the breach, TriMed stated it has strengthened its existing security controls and threat detection capabilities and implemented a global security operations center to enhance monitoring and response. The company indicated it will continue to evaluate and update its cybersecurity measures.

No threat actor has publicly claimed responsibility for the incident.

The disclosure comes amid a series of cybersecurity incidents affecting medical device manufacturers. UFP Technologies, a Massachusetts-based developer of disposable medical devices and sterile packaging, experienced a ransomware attack in February that may have resulted in data theft or loss. In March, Stryker, a global medical technology company, reported a cyberattack that disrupted operations after attackers gained access to its device management systems.