UFP Technologies reports cybersecurity incident, data stolen from IT systems

UFP Technologies, a Massachusetts-based medical engineering and manufacturing company, disclosed that a cybersecurity incident detected Feb. 14 compromised portions of its IT systems and resulted in stolen data, according to a filing submitted Tuesday to the U.S. Securities and Exchange Commission.

The publicly traded company said it identified suspicious activity on its network and immediately implemented isolation and remediation measures. External cybersecurity advisors were engaged to assist with the investigation and response.

Preliminary findings indicate that the threat actor has been removed from the company’s systems and that access to affected information has been restored in all material respects. The incident impacted many, but not all, of UFP Technologies’ IT systems and disrupted functions including billing and label generation for customer deliveries. The company also disclosed that certain company or company-related data appears to have been stolen or destroyed.

The reference to data destruction suggests the possibility of a ransomware or wiper-style attack, though the specific nature of the malware has not been determined. As of publication, no ransomware group has publicly claimed responsibility for the intrusion.

UFP Technologies produces a wide range of medical devices and components used in surgery, wound care, implants, orthopedic applications and healthcare wearables. The company employs approximately 4,300 people and generates about $600 million in annual revenue, with a market capitalization of roughly $1.86 billion based on recent market data.

The company stated that it has not yet determined whether personal information was exfiltrated during the incident. If confirmed, affected individuals will be notified in accordance with applicable laws.

Despite the disruption, UFP Technologies said its primary IT systems remain operational. Based on current evidence and ongoing assessments, the company believes the incident is unlikely to have a material impact on its operations or financial condition.