Breach taxonomy
Summary
On June 5, 2025, Surmodics, Inc. discovered that a threat actor had gained unauthorized access to certain of its IT systems, rendering certain systems and data unavailable. The company initiated containment measures including proactively taking IT systems offline and implemented its security incident response plan. Law enforcement was notified. By the filing date, critical IT systems had been restored and the company was able to accept customer orders and ship products throughout the incident without material interruption using alternative systems. Filed under Item 8.01.
Tagging rationale
Threat: Unknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
Methods: Malware
Unauthorized access rendered IT systems and data unavailable, requiring proactive system shutdowns and triggering incident response — consistent with malware deployment → MALWARE.
Assets: Revenue Process, Confidential Biz
IT systems supporting business operations were rendered unavailable (REVENUE-PROCESS); data was also made unavailable or potentially accessed (CONFIDENTIAL-BIZ).
Effects: Biz Interruption
Certain IT systems and data were unavailable and systems were proactively taken offline, disrupting normal operations → BIZ-INTERRUPTION.
Business continuity: Effective
Filing states critical IT systems were restored by the filing date and the company accepted orders and shipped products throughout the incident without material interruption using alternative systems → Effective.
Impact
IT systems disrupted at a medical device coatings company; operations maintained via alternatives throughout; critical systems restored by filing date; non-material → score 2.
Insurance: Not disclosed
Filing makes no mention of insurance → null.
Original SEC filing excerpt
Item 8.01 Other Events. On June 5, 2025, Surmodics, Inc (the Company) discovered that a third party (a Threat Actor) had gained unauthorized access to certain of its information technology (IT) systems (the Cyber Incident) and that certain IT systems and data were unavailable to the Company. The Company promptly initiated containment measures, including proactively taking certain IT systems offline, and implemented its security incident response plan. The Company has notified law enforcement about the matter. Since discovering the Cyber Incident, the Company has worked with third party IT experts to contain, assess, and remediate the incident. As of the time of filing of this Current Report on Form 8-K, the Company's critical IT systems have been restored and IT data is being validated. The Company's remaining IT systems and data are being restored and validated in accordance with a recovery plan. Throughout the Cyber Incident to date, the Company has been able to accept customer orders and ship products without any material interruption of customer impact using alternatives to its normal IT systems.