Minnesota-based Surmodics, a leading U.S. provider of hydrophilic coatings for intravascular medical devices, experienced a significant cyberattack on June 5 that led to the partial shutdown of its IT infrastructure. As first reported by The Record from Recorded Future News, the breach prompted the company to take systems offline while continuing to fulfill orders through alternative methods. The incident highlights the increasing vulnerability of the healthcare and medtech sector to cybersecurity threats.
The company disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC), noting that law enforcement had been notified and cybersecurity experts were brought in to assist. While critical IT systems have since been restored, the full scope of data compromised is still under investigation. The attackers have not publicly identified themselves, and so far, Surmodics reports that no data has been leaked.
Growing scrutiny and risk of litigation
This incident marks Surmodics as the third publicly traded medtech firm to report a cyberattack to the SEC in recent months, following similar disclosures by Artivion and Masimo. In its SEC filing, Surmodics warned of potential litigation, reputational damage, and increased regulatory scrutiny stemming from the attack. The company also noted that disruptions may impact operational processes and customer relationships in the short term.
Although Surmodics has cyber insurance expected to cover most incident-related costs, the company remains cautious about ongoing legal exposure. The rising trend of class action lawsuits in the wake of data breaches — including recent cases against firms like Coinbase and Krispy Kreme — reflects growing legal risks for companies across industries when sensitive data is compromised.
Complicating an already tense regulatory landscape
The cyberattack adds to an already complex period for Surmodics, which is currently facing a federal lawsuit from the Federal Trade Commission (FTC) aiming to block a $627 million acquisition by a private equity firm. The FTC argues that the proposed deal would create a monopoly by combining the two leading suppliers of medical device coatings — a critical component in minimally invasive procedures.
A growing cybersecurity challenge in medtech
The Surmodics breach underscores the urgent need for stronger cybersecurity protocols in the medical technology industry. As digital infrastructure becomes increasingly integral to healthcare delivery and manufacturing, cyberattacks pose not just operational and financial threats, but also regulatory and reputational risks. With high-stakes acquisitions under scrutiny and litigation on the horizon, medtech firms will need to prioritize cyber resilience as a core component of their business continuity strategies.
