When Valentine's Day Turns Hostile: UFP Technologies Ransomware Attack Exposes the Medical Device Industry's Growing Cyber Crisis

On February 14, 2026, while the rest of the country exchanged valentines, someone was sending UFP Technologies a very different kind of message. Hackers infiltrated the Massachusetts-based medical device manufacturer's IT systems, stole corporate data, and left a trail of destruction that disrupted billing systems, shipping operations, and label-making capabilities across the company's network.

The attack on UFP Technologies is not an isolated incident. It is the latest in an accelerating wave of cyberattacks targeting medical device manufacturers, a sector that has become one of the most attractive hunting grounds for ransomware operators. And this particular breach raises some uncomfortable questions about how prepared the healthcare supply chain really is to withstand the onslaught.

What Happened at UFP Technologies

UFP Technologies is a publicly traded contract manufacturer headquartered in Newburyport, Massachusetts, with approximately 4,300 employees and record 2025 annual revenue of $602.8 million. The company designs and produces single-use medical devices and highly engineered components used in surgery, wound care, orthopedic implants, and healthcare wearables. Its products touch patients in operating rooms and clinical settings every single day.

On February 25, 2026, UFP Technologies filed a Form 8-K with the U.S. Securities and Exchange Commission disclosing the incident. The filing stated that suspicious activity was detected on or about February 14, and that the company immediately deployed isolation and remediation measures while engaging external cybersecurity advisors to assist with the investigation.

The SEC filing revealed that the threat actor had been removed from the company's IT environment, but not before significant damage was done. According to the filing, "the incident appears to have impacted many but not all of the Company's IT systems and affected functions such as billing and label making for customer deliveries. Certain Company or Company-related data appear to have been stolen or destroyed." That combination of data exfiltration with destruction is a hallmark of modern ransomware operations.

During a quarterly earnings conference call on February 25, UFP Technologies CFO Ronald Lataille confirmed what the SEC filing had only hinted at. He told analysts directly that the incident was ransomware. As reported by Cybersecurity Dive, Lataille stated: "This was a classic ransomware attack that appeared to have impacted many, but not all, of our IT systems. Data was taken and then destroyed."

CEO R. Jeffrey Bailly acknowledged during the same call that product shipments might face delays, with Lataille adding that the company expected some revenue softness in February but anticipated making up the shortfall during March. The company also noted that it carries cyber insurance and expects a significant portion of the direct costs associated with containment, investigation, and mitigation to be reimbursed.

The timing of the disclosure carried its own particular irony. The cyberattack 8-K was filed on February 25, 2026 — the same day the company reported its best financial results in its history. UFP Technologies' full-year 2025 earnings announcement, released that morning, showed net sales of $602.8 million, up 19.5% from the prior year, and net income up 15.8% to $68.3 million. A company announcing record results on the same day it disclosed a ransomware attack is a jarring illustration of how cyberattacks respect neither timing nor achievement.

Key Detail

As of this writing, no ransomware group has publicly claimed responsibility for the attack. UFP Technologies has not yet determined whether personal information or protected health information was among the stolen data. That determination, if and when it comes, could trigger additional regulatory obligations, including individual notifications under state data breach laws and potentially HIPAA if patient-related data was involved.

A Pattern That Should Alarm Everyone

The UFP Technologies breach does not exist in a vacuum. It is part of an unmistakable pattern that has been building over the past 18 months within the medical device manufacturing sector specifically.

In November 2024, Artivion, an Atlanta-based manufacturer of heart surgery devices including mechanical heart valves and implantable cardiac tissues, disclosed a ransomware attack to the SEC. The attackers both encrypted files and exfiltrated data, disrupting the company's order processing and shipping operations and forcing multiple systems offline. Artivion markets and sells its products in over 100 countries, meaning the ripple effects of that disruption extended across the global surgical supply chain. The company acknowledged in its 8-K filing that it "will continue to incur expenses related to its response to this incident" and that insurance may not cover all costs.

In April 2025, Masimo Corporation, one of the world's largest manufacturers of patient monitoring devices with over $2 billion in annual revenue, reported a cyberattack that forced manufacturing facilities to operate below normal capacity. The company's ability to process, fulfill, and ship customer orders was temporarily compromised. In a subsequent SEC filing, Masimo indicated the company did not expect the incident to materially impact its financial guidance for fiscal year 2025, and that its manufacturing operations were back to near full capacity within weeks.

By the summer of 2025, Surmodics, a Minnesota-based manufacturer of specialized hydrophilic coatings for intravascular medical devices and diagnostic tests, became the third publicly traded medical device company in rapid succession to report a cyberattack to the SEC. The company discovered unauthorized access on June 5, took systems offline, and was forced to use alternative methods to accept customer orders and ship products while critical systems were restored.

As Recorded Future News reported at the time of the UFP Technologies disclosure, medical device manufacturers have "repeatedly warned the SEC over the last year of cyberattacks impacting their ability to fulfill customer orders." This is no longer a series of one-off incidents. It is a sustained campaign against a critical segment of the healthcare supply chain.

Why Medical Device Manufacturers Are in the Crosshairs

Understanding why this sector has become such an attractive target requires looking at the intersection of several factors that make medical device manufacturers uniquely vulnerable and uniquely lucrative for ransomware operators.

First, these companies handle an extraordinarily valuable mix of data. Their systems contain proprietary engineering designs, manufacturing processes, quality control data, regulatory submission documents, supply chain details, employee records, and in some cases, patient-related information. That combination of intellectual property and personal data creates multiple avenues for extortion.

Second, the operational pressure on these companies is immense. When a medical device manufacturer cannot ship products, the downstream consequences are not abstract business losses. They are delayed surgeries, unavailable monitoring equipment, and gaps in clinical care. As Jeff Wichman, director of incident response at Semperis, told GovInfoSecurity in response to the UFP Technologies attack: "There is fragility in medical device and healthcare supply chains. The slightest disruptions slow patient care, where minutes can matter in life-or-death cases." That urgency to restore operations gives ransomware operators significant leverage during negotiations.

Third, many of these companies operate complex IT environments that have grown organically over years of acquisitions and expansion. UFP Technologies, for example, operates ISO 13485-certified and FDA-registered manufacturing facilities across the United States, the Dominican Republic, Mexico, Ireland, Costa Rica, Puerto Rico, and Singapore. Managing consistent cybersecurity across that kind of distributed international infrastructure is a significant challenge, and attackers know it.

Finally, the manufacturing sector broadly has experienced what the World Economic Forum and IBM X-Force have described as a disproportionate increase in cyberattacks. Manufacturing has been the single most attacked industry globally for five consecutive years according to IBM X-Force data, a streak confirmed in the 2026 X-Force Threat Intelligence Index, which was released on the same day as the UFP Technologies attack disclosure. The sector has experienced a dramatic surge in cyberattacks since 2019. Ransomware operators recognize that downtime in production environments creates immediate financial pain and maximum pressure to pay.

The Bigger Healthcare Picture

The medical device manufacturing attacks are occurring against the backdrop of a broader healthcare cybersecurity crisis that shows no signs of abating.

According to the HIPAA Journal's breach tracking data, approximately 57 million individuals were affected by healthcare data breaches in 2025, with at least 642 large-scale breaches reported to the Department of Health and Human Services Office for Civil Rights. While those numbers actually represent an improvement over 2024, which was dominated by the catastrophic Change Healthcare breach affecting an estimated 190 million individuals, they still reflect an industry under relentless assault.

The Sophos State of Ransomware in Healthcare 2025 report, based on frontline experiences of 292 IT and cybersecurity leaders across 17 countries, found a notable shift in attacker tactics. The proportion of healthcare organizations hit by extortion-only attacks, where data was not encrypted but a ransom was still demanded, tripled to 12% of attacks in 2025, up from just 4% in 2022 and 2023. This shift toward pure data theft and extortion, rather than encryption, aligns with what appears to have occurred at UFP Technologies, where the CFO described data being taken and then destroyed. That specific sequence — exfiltration followed by destruction — deserves closer attention. It suggests attackers who either had no intention of offering a decryption key, were covering their tracks to eliminate forensic evidence, or were operating under a model where the extortion leverage comes entirely from the threat of publishing stolen data rather than holding encrypted systems hostage. It also makes recovery fundamentally dependent on backup integrity rather than negotiation.

There is some positive news buried in the data. The Sophos report also found that the rate of healthcare organizations actually paying ransoms has declined sharply, from 61% in 2022 to just 36% in 2025. And the percentage of attacks stopped before encryption reached a five-year high, suggesting that defensive capabilities are improving even as attack volumes increase.

But the overall trajectory remains deeply concerning. ScienceSoft projects that by the end of 2026, the average cost of a healthcare data breach will surpass $12 million, up from $9.77 million in 2024. And more than 40% of U.S. health systems are projected to experience a ransomware attack within the same timeframe.

Regulatory Pressure Is Mounting, But Is It Enough?

The FDA has not been idle while the medical device sector absorbs these blows. On June 27, 2025, the agency released its updated final guidance on cybersecurity in medical devices, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions." This guidance represents a significant regulatory shift, moving cybersecurity from an advisory recommendation to an enforceable legal requirement under Section 524B of the Federal Food, Drug, and Cosmetic Act.

Under the updated framework, any device that contains software is now classified as a "cyber device" and subject to stricter submission requirements. Manufacturers must include cybersecurity management plans, Software Bills of Materials (SBOMs), coordinated vulnerability disclosure policies, and detailed threat models in their premarket submissions. The FDA has made it clear that it can and will refuse to accept submissions that do not provide adequate cybersecurity documentation.

Additionally, as of February 2, 2026, just twelve days before the UFP Technologies attack was discovered, the FDA transitioned to the Quality Management System Regulation (QMSR), which harmonizes the agency's quality system requirements with ISO 13485:2016. This transition means that cybersecurity risk management must now be formally integrated into a manufacturer's quality management system, with full traceability between threat models, risk assessments, SBOMs, and test documentation.

"I've seen this exact scenario across dozens of healthcare and manufacturing engagements. When attackers hit an organization like UFP Technologies and disrupt billing systems, delivery labels and production operations, they aren't just encrypting files. They're threatening a supply chain that surgical teams and clinicians rely on daily." — Jeff Wichman, Director of Incident Response, Semperis (via GovInfoSecurity)

These are meaningful steps forward. But it is important to recognize their limitations. The FDA's cybersecurity guidance primarily addresses the security of medical devices themselves, specifically how they are designed, built, and maintained to resist cyber threats. It does not directly address the cybersecurity posture of the manufacturer's corporate IT environment, which is where attacks like the one on UFP Technologies actually occur.

The attack on UFP Technologies was not an attack on a medical device. It was an attack on the business systems that enable a medical device company to operate: the billing systems, the label-making systems, the corporate data repositories. This is the gap that current regulatory frameworks do not fully address. You can build the most secure medical device in the world, and a ransomware attack on your corporate network can still shut down your ability to manufacture and ship it.

What the UFP Technologies Attack Should Teach Us

The UFP Technologies incident, viewed alongside the attacks on Artivion, Masimo, and Surmodics, delivers several lessons that the broader medical device and healthcare industry should take seriously.

  1. Tested incident response plans and functional data backups are not optional. UFP Technologies was able to continue operations in material respects because it had contingency plans and backup systems in place. Remarkably, by the time of the February 25 earnings call — just eleven days after the attack was detected — Lataille told analysts that the company was already "back online in all of our ERP systems." That level of resilience does not happen by accident. It happens because someone invested in preparation before the crisis arrived.
  2. Cyber insurance, while valuable, is not a cybersecurity strategy. UFP Technologies expects insurance to cover a significant portion of its direct response costs. But insurance does not prevent the attack, does not eliminate the operational disruption, does not recover the stolen data, and does not address the reputational consequences. It is a financial backstop, not a shield.
  3. SEC disclosure requirements are functioning as intended. The 2023 SEC cybersecurity disclosure rules that require material incidents to be reported via Form 8-K are giving the market and the public visibility into attacks that might previously have been handled quietly behind closed doors. That transparency, while uncomfortable for the companies involved, is creating a more accurate picture of the threat landscape and putting pressure on organizations across the sector to take their defenses seriously.
  4. Corporate IT security must match product security rigor. The FDA is pushing hard on device-level cybersecurity, and that work is essential. But attackers are not limiting themselves to medical devices. They are going after the companies that make them, through the same corporate networks, phishing emails, and vulnerable systems that threaten every other industry. The difference is that when a medical device manufacturer goes down, the consequences reach all the way to the patient.

Looking Ahead

As the investigation at UFP Technologies continues, the industry will be watching for answers to several key questions. Was personal or protected health information compromised? Will any ransomware group come forward to claim the attack? And what specific vulnerabilities were exploited to gain initial access?

Those answers matter not just for UFP Technologies, but for every company in the medical device supply chain that wants to avoid being next. Because if the pattern of the past 18 months tells us anything, it is that this is not going to stop. The attackers have found a sector where the stakes are high, the data is valuable, and the pressure to pay or at least to restore operations quickly is enormous.

Wichman's assessment of the broader situation is sobering: "Organizations should keep in mind that in 40% of ransomware attacks, companies received corrupted decryption keys or none." Paying the ransom is never a guarantee of recovery, and the financial and operational cost of an attack extends far beyond any single payment.

The question for medical device manufacturers in 2026 is no longer whether they will face a cyberattack. It is whether they will be prepared when it arrives.

Sources

  • UFP Technologies SEC Form 8-K filing, February 25, 2026
  • BleepingComputer, "Medical device maker UFP Technologies warns of data stolen in cyberattack," February 25, 2026
  • Cybersecurity Dive / MedTech Dive, "UFP Technologies investigating cyberattack that impacted company data," February 26–27, 2026
  • The Record from Recorded Future News, "Medical device firm UFP says backup data systems deployed following cyberattack," February 25, 2026
  • SecurityWeek, "Medical Device Maker UFP Technologies Hit by Cyberattack," February 25, 2026
  • HIPAA Journal, "Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack," February 26, 2026
  • GovInfoSecurity, "Medical Device Maker Reports Data Theft Hack to SEC," February 25, 2026
  • Industrial Cyber, "UFP Technologies discloses cyberattack disrupting billing systems and exposing company data," February 27, 2026
  • Sophos, "The State of Ransomware in Healthcare 2025," October 2025
  • HIPAA Journal, "Healthcare Data Breach Statistics," updated February 27, 2026
  • IBM, "Cost of a Data Breach Report 2025," July 2025
  • IBM, "2026 X-Force Threat Intelligence Index," February 25, 2026
  • ScienceSoft, "Ransomware Tops Growing Cyber Threats in Healthcare," August 2025
  • FDA, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," June 27, 2025
  • FDA, "Quality Management System Regulation (QMSR)," effective February 2, 2026
  • Censinet, "FDA Cybersecurity Guidance: Key Updates for 2025," December 2025