Breach Analysis

Nova Biomedical Cyberattack Disrupts Operations, Exposes 10,764 Records

Analysis of the Nova Biomedical Corp cyberattack — malware deployment disrupted the medical device maker's operations and exposed 10,764 individuals' data.

By MedSecLedger
Records: 10,764
Vector: ransomware
Status: confirmed
Occurred: Jul 22, 2025
Discovered: Jul 22, 2025
Disclosed: Jan 27, 2026
Exposed: Names, SSN

A cyberattack against Nova Biomedical Corp. did not just expose data — it disrupted the company's operations. That distinction matters. Nova Biomedical manufactures blood gas analyzers and point-of-care testing equipment used in hospitals and clinical settings worldwide. When a medical device manufacturer's operations go dark, the downstream effect is not measured in inconvenient downtime. It is measured in supply chain pressure on the hospitals and clinical laboratories that depend on those devices to care for patients.

The company disclosed the breach on January 27, 2026, reporting that 10,764 individuals had their personally identifiable information compromised in an attack that occurred on July 22, 2025. The filing with the Maine Attorney General and the offer of 24 months of Experian IdentityWorks credit monitoring, double the industry standard, signal that Nova Biomedical's internal assessment of this incident reached a severity threshold that warrants extended protective measures.


Timeline of Events

The attack occurred on July 22, 2025. Nova Biomedical disclosed it publicly on January 27, 2026 — approximately six months after the incident date.

That gap is longer than HIPAA's 60-day breach notification window for covered entities, and it raises immediate questions about Nova Biomedical's regulatory classification. If Nova functions as a business associate (BA) to covered entity hospital customers — handling ePHI related to device usage or patient testing data — the HIPAA notification clock would have started at discovery, not at the completion of forensic review. If Nova is not a covered entity or BA, the notification timeline is governed by applicable state law, including Massachusetts's data breach statute and Maine's notification requirements triggered by the AG filing.

The six-month window from attack to disclosure is consistent with what investigators typically encounter in sophisticated malware intrusions. Determining the full scope of data access, identifying every affected individual, and reconstructing attacker activity across a compromised network takes time — particularly when the attackers had sufficient access to disrupt operations. Nova Biomedical disclosed that it coordinated with law enforcement, which adds further procedural weight to the timeline. Law enforcement coordination can extend the notification period when investigators need time to preserve evidence without tipping off threat actors.

What the timeline does not resolve is when Nova Biomedical first detected the intrusion. The attack date and the detection date are not necessarily the same day. If the malware was present in Nova's environment for any period before July 22, 2025, the actual window of unauthorized access could be longer than the public record reflects.


What Data Was Exposed

Nova Biomedical confirmed that PII was impacted through investigation and data review. The specific data categories were not detailed in the public notification record — a common limitation in AG filings where the notification letter is submitted as a scanned image or in a format that obscures granular disclosure.

Given Nova Biomedical's business profile as a medical device manufacturer headquartered in Waltham, Massachusetts, the affected data population likely spans several categories:

  • Employee and contractor PII: names, addresses, Social Security numbers, payroll and HR records — the standard exposure set in a corporate network compromise
  • Hospital and clinical customer contact data: account contacts, procurement representatives, and technical support personnel at hospital and laboratory customers
  • Device service and configuration records: field service logs, device serial numbers, hospital facility identifiers, and technical configuration data associated with deployed analyzers
  • Research and development data: proprietary testing protocols, product development documentation, and intellectual property — categories that do not trigger individual notification requirements but represent significant competitive and security risk

The 10,764 figure covers individuals whose PII was confirmed as impacted. It does not speak to the volume of institutional or proprietary data that may have been accessed without triggering individual notification obligations. In a manufacturing environment, the data that does not require consumer notification is often the data with the highest strategic value to threat actors.


How the Attack Happened

Nova Biomedical described the incident as a "sophisticated cybersecurity attack" in which the attacker deployed malware that accessed the company's electronic infrastructure and disrupted operations.

That description — malware, operational disruption, law enforcement coordination — maps closely to the profile of a ransomware attack, even if Nova Biomedical has not confirmed that characterization publicly. Ransomware groups targeting manufacturers follow a consistent playbook: gain initial access through phishing, exposed remote desktop protocol (RDP), or vulnerability exploitation; move laterally through the network; exfiltrate data before deploying encryption; then present a ransom demand backed by the threat of publishing stolen data. The operational disruption Nova Biomedical experienced is consistent with a ransomware encryption event. The law enforcement coordination is consistent with the FBI's standing guidance to ransomware victims. The extended notification timeline is consistent with the forensic complexity these attacks leave behind.

Medical device manufacturers have become high-priority targets for ransomware groups for a straightforward reason: they sit at the intersection of valuable intellectual property, regulated manufacturing environments with operational technology (OT) systems, and institutional customer relationships with hospitals. A ransomware operator who compromises a medical device manufacturer can potentially pivot toward hospital customer networks, access device firmware or configuration data, and leverage the reputational pressure of disrupting a healthcare supply chain to accelerate ransom payments.

CISA's Healthcare and Public Health Sector resources have consistently flagged medical device manufacturers as a critical component of healthcare supply chain risk — a designation that this incident reinforces.


Who Is Affected

The 10,764 individuals named in the breach notification are most likely a mix of Nova Biomedical employees, contractors, and hospital or laboratory customer contacts whose information resided in the compromised systems. Nova Biomedical is not a direct patient care provider, so the affected population is unlikely to include patient PHI in the traditional sense — though device-generated testing data associated with patient encounters could present a more complex picture depending on how Nova's data infrastructure interfaces with hospital systems.

The 24-month Experian IdentityWorks offer is notable. The industry default for breach identity monitoring is 12 months. Companies extend that to 24 months when internal assessment concludes that the exposed data carries elevated risk of identity fraud — typically when Social Security numbers, financial account data, or other high-value identifiers were confirmed as compromised. Nova Biomedical's decision to offer 24 months is a signal, not a guarantee, but it is a signal that the company's legal and security teams believe the exposed data is serious enough to warrant extended protection.

Affected individuals should enroll in the offered monitoring, place credit freezes with all three major bureaus (Equifax, Experian, TransUnion), and monitor for account activity consistent with synthetic identity fraud — a tactic increasingly used when full identity data sets are available to threat actors.


Regulatory Implications

Nova Biomedical's regulatory exposure depends significantly on how its relationships with hospital customers are structured.

HIPAA Business Associate classification. If Nova Biomedical's devices generate, transmit, or store ePHI — for example, if blood gas analyzer results are transmitted to or from hospital EHR systems through Nova's infrastructure — Nova may qualify as a business associate under HIPAA. Business associates are subject to the HIPAA Security Rule, must maintain signed business associate agreements (BAAs) with covered entity customers, and are required to notify covered entities of breaches involving ePHI within 60 days of discovery. If Nova is a BA, every hospital customer with a BAA in place had a notification obligation triggered by this incident. HHS OCR's breach reporting portal is the appropriate destination for any covered entity or BA assessing their reporting obligations.

FDA medical device cybersecurity requirements. The FDA's medical device cybersecurity guidance applies to device manufacturers at two stages: premarket (security requirements baked into device design and submission) and postmarket (ongoing monitoring, vulnerability disclosure, and software update obligations). A ransomware-style attack that disrupts a manufacturer's operations and accesses its electronic infrastructure raises questions about whether the compromised systems included device software repositories, firmware update infrastructure, or device configuration management systems. If any of those systems were accessed, FDA postmarket cybersecurity guidance may impose additional disclosure and remediation obligations.

Massachusetts data protection law. Nova Biomedical is headquartered in Waltham, MA, and is subject to Massachusetts's data protection regulations under 201 CMR 17.00, which requires a written information security program (WISP) and mandates breach notification to affected Massachusetts residents and the Attorney General. The Maine AG filing satisfies Maine's notification requirement, but Massachusetts has its own parallel obligation.

NIST Cybersecurity Framework. While not a regulatory mandate for most medical device manufacturers, NIST CSF alignment — particularly the Identify, Protect, Detect, and Respond functions — is increasingly expected by hospital customers evaluating vendor security posture. A manufacturer that has experienced a confirmed operational disruption from malware will face heightened scrutiny from hospital procurement and biomedical engineering teams performing third-party risk assessments.


The Bigger Picture: Medical Device Manufacturers as Healthcare Supply Chain Risk

The Nova Biomedical breach is not an isolated event. It is a case study in a threat category that hospital security and biomedical engineering teams have been warned about repeatedly but have rarely seen generate a major public incident — until now.

Medical device manufacturers occupy a uniquely sensitive position in healthcare security. They hold intellectual property with significant competitive value. They maintain ongoing service relationships with hospital customers that may involve remote access to deployed devices. Their manufacturing and quality systems sit on the same corporate networks as their business operations. And they are often significantly smaller than their hospital customers, with correspondingly smaller security teams and budgets.

The hospitals and clinical laboratories that use Nova Biomedical's blood gas analyzers and point-of-care testing equipment should be reviewing their vendor risk management files today. Not because Nova Biomedical's devices are compromised — there is no public evidence of that — but because a cyberattack that disrupts a device manufacturer's operations is precisely the scenario that third-party risk programs exist to anticipate.

Our healthcare breach tracker documents the ongoing volume of incidents affecting the healthcare sector and its supply chain. The Jackson Hospital and Clinic breach illustrates how cyberattacks against healthcare organizations generate cascading compliance and operational consequences. The Cottage Hospital breach demonstrates that even smaller institutions face the full weight of HIPAA enforcement and patient notification obligations when their systems are compromised.

The pattern across these cases is consistent: organizations that treat cybersecurity as a cost center until an incident forces the issue end up spending far more on response, notification, and regulatory compliance than they would have spent on prevention.


Action Items for Medical Device Companies and Hospital Security Teams

For medical device manufacturers:

  1. Classify your HIPAA obligations before an incident forces the question. Determine whether your device infrastructure generates, transmits, or stores ePHI. If yes, assess your business associate status, audit your BAA inventory with hospital customers, and confirm your breach notification workflow can execute within 60 days of discovery. This classification exercise should be documented and reviewed annually.

  2. Segment your manufacturing and OT environments from corporate IT. If a ransomware infection in a corporate network can reach manufacturing systems, quality management systems, or device update infrastructure, your network architecture is creating unnecessary risk. Implement network segmentation that limits lateral movement between business systems and operational technology environments.

  3. Test your incident response plan against an operational disruption scenario. Most IR tabletop exercises assume a data breach. A medical device manufacturer also needs to rehearse the scenario where malware disrupts production, shipping, or device support operations — and map the downstream customer notification and supply chain communication obligations that follow.

  4. Disclose to hospital customers proactively. If a cyberattack affects your ability to service, update, or support deployed devices, your hospital customers need to know. Waiting for them to discover the disruption independently damages the trust relationships that sustain long-term customer contracts and creates liability exposure if a hospital's clinical operations are affected by a device support gap.

  5. Align with FDA postmarket cybersecurity guidance. Review the FDA's postmarket cybersecurity guidance and assess whether your current vulnerability management, software update, and incident disclosure processes meet the expectations set for your device classifications. A breach that implicates device software infrastructure may trigger direct FDA reporting obligations.

For hospital biomedical engineering and security teams:

  1. Audit your medical device vendor risk inventory. Identify every device manufacturer that has remote access capabilities into your clinical environment or whose devices interface with your EHR or network infrastructure. Confirm that current vendor risk assessments are on file and that security questionnaires have been completed within the past 12 months.

  2. Review business associate agreements with device manufacturers. If device manufacturers handle any ePHI — including device-generated patient data transmitted through their infrastructure — confirm that BAAs are in place, current, and contain the breach notification provisions required under HIPAA.

  3. Establish a device manufacturer incident notification protocol. Define who in your organization receives notification if a medical device vendor reports a cyberattack. Biomedical engineering, IT security, legal, and clinical operations all have a stake. A notification that sits in a vendor management inbox while clinical teams wonder why device support has degraded is a process failure with patient safety implications.

  4. Assess your device inventory for supply chain exposure. If a key device manufacturer's operations are disrupted by ransomware, which devices in your clinical environment could experience delayed servicing, firmware updates, or replacement part fulfillment? Map that exposure now, before an incident creates urgency.

  5. Brief your CISO and CMO jointly. Medical device cybersecurity incidents are not purely an IT security issue. The clinical and operational implications require leadership alignment across security and clinical operations. If your organization does not have a defined escalation path for medical device vendor security incidents, establish one.


Conclusion

The Nova Biomedical Corp. breach is a 10,764-record incident that tells a more significant story than its size alone suggests. A cyberattack that deploys malware and disrupts operations at a medical device manufacturer is a healthcare supply chain event — one with potential patient safety implications that extend far beyond the individuals whose PII was directly exposed.

The six-month notification timeline, the law enforcement coordination, and the 24-month identity monitoring offer all point to an incident that Nova Biomedical's teams assessed as serious. The hospitals and clinical laboratories that rely on Nova's equipment should treat it the same way.

The regulatory and operational response to this breach will continue to develop. MedSecLedger will track updates as they become available. The breach tracker provides the full record of healthcare sector incidents filed with state attorneys general and HHS OCR.


MedSecLedger monitors healthcare data breach filings with state attorneys general and HHS OCR. Breach details in this analysis are based on publicly available notification filings. If you have corrections or additional information about this breach, contact us.

Tags: breach, medical_device, ransomware, massachusetts