Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

Duke

Blog Incident database Request access

Loading database

Indexing incidents

Fetching SEC-disclosed cyber incidents and Duke's breach taxonomy…

Duke

Blog Incident database Request access

Opening incident

Loading disclosure

Pulling the filing, breach taxonomy, and impact scoring…

Surmodics, Inc. Unknown (2025) | SEC Cybersecurity Incident | Duke Security

Duke

Blog Incident database Request access

← Back to incidents

Incident · Unknown

Surmodics, Inc. · SRDX

Health CareUSAIncident June 5, 2025Filed July 2, 2025

Impact score

Business continuity

Effective

Insurance involved

Not disclosed

Filing

8-K · 8.01

Breach taxonomy

UnknownMalwareRevenue ProcessConfidential BizBiz Interruption

Summary

On June 5, 2025, Surmodics, Inc. discovered that a threat actor had gained unauthorized access to certain of its IT systems, rendering certain systems and data unavailable. The company initiated containment measures including proactively taking IT systems offline and implemented its security incident response plan. Law enforcement was notified. By the filing date, critical IT systems had been restored and the company was able to accept customer orders and ship products throughout the incident without material interruption using alternative systems. Filed under Item 8.01.

Tagging rationale

ThreatUnknown

Filing does not attribute the incident to a specific actor → UNKNOWN.

MethodsMalware

Unauthorized access rendered IT systems and data unavailable, requiring proactive system shutdowns and triggering incident response — consistent with malware deployment → MALWARE.

Assets

Revenue ProcessConfidential Biz

IT systems supporting business operations were rendered unavailable (REVENUE-PROCESS); data was also made unavailable or potentially accessed (CONFIDENTIAL-BIZ).

EffectsBiz Interruption

Certain IT systems and data were unavailable and systems were proactively taken offline, disrupting normal operations → BIZ-INTERRUPTION.

Business continuityEffective

Filing states critical IT systems were restored by the filing date and the company accepted orders and shipped products throughout the incident without material interruption using alternative systems → Effective.

Impact

IT systems disrupted at a medical device coatings company; operations maintained via alternatives throughout; critical systems restored by filing date; non-material → score 2.

InsuranceNot disclosed

Filing makes no mention of insurance → null.

Read the original SEC filing excerpt

Item 8.01 Other Events. On June 5, 2025, Surmodics, Inc (the Company) discovered that a third party (a Threat Actor) had gained unauthorized access to certain of its information technology (IT) systems (the Cyber Incident) and that certain IT systems and data were unavailable to the Company. The Company promptly initiated containment measures, including proactively taking certain IT systems offline, and implemented its security incident response plan. The Company has notified law enforcement about the matter. Since discovering the Cyber Incident, the Company has worked with third party IT experts to contain, assess, and remediate the incident. As of the time of filing of this Current Report on Form 8-K, the Company's critical IT systems have been restored and IT data is being validated. The Company's remaining IT systems and data are being restored and validated in accordance with a recovery plan. Throughout the Cyber Incident to date, the Company has been able to accept customer orders and ship products without any material interruption of customer impact using alternatives to its normal IT systems.

View SEC filing Back to database

Get alerts on new incidents

Drop your email and we’ll let you know when fresh SEC disclosures land in the database. No spam.

More in Health Care

Unknown · May 4, 2026

West Pharmaceutical Services, Inc.

West Pharmaceutical Services detected a network intrusion on May 4, 2026 and on May 7, 2026 determined it to be a material cybersecurity inc…

Unknown · April 1, 2026

Medtronic plc

Medtronic disclosed via a Reg FD (Item 7.01) press release dated April 24, 2026 that an unauthorized party accessed data in certain corporat…

Unknown · March 16, 2026

CareCloud, Inc.

On March 16, 2026, CareCloud experienced a network disruption in its CareCloud Health division caused by an unauthorized third party that te…

Unknown · March 11, 2026

Stryker Corporation

On March 11, 2026, Stryker Corporation identified a cybersecurity incident affecting its Entra ID/Active Directory environment, servers, and…