On October 10, 2025, the FDA issued an alert regarding a cybersecurity vulnerability affecting the Automated Impella Controller (AIC) used in conjunction with Impella Catheters. Healthcare facilities, clinicians, and regulatory teams should be aware of the implications of this notice, as uncorrected devices pose a risk of serious injury or death.
Who is affected?
The alert targets healthcare providers using Abiomed’s Automated Impella Controller (AIC), which serves as the primary interface for operating and monitoring Impella Catheters. These catheters are designed for patients requiring hemodynamic support, assisting the heart’s recovery by offloading cardiac workload. Devices currently in use and sold in the United States are included in this recall; however, the FDA has confirmed this recall focuses on corrections rather than device removal.
What changed?
Abiomed determined unacceptable residual cybersecurity risks associated with network and physical access to the AIC Operating System. If exploited, these vulnerabilities could compromise the device’s essential performance, potentially causing loss of user control or pump stoppages, which may result in life-threatening injuries, permanent impairments, or fatalities. To date, no patient harm or cyberattacks related to these vulnerabilities have been reported.
Actions required by users
Affected customers received a letter from Abiomed on October 1, outlining immediate steps to mitigate these risks:
- Keep the AIC in a secure environment with restricted access, regardless of clinical use.
- Arrange to disable the device’s network connectivity through an Abiomed field representative.
- Users wishing to disable network capabilities before an Abiomed contact can reach out for instructions via ra-abm-fieldaction@its.jnj.com or local clinical field representatives.
- Review the official notice carefully and share its contents with relevant facility personnel responsible for device management.
- If the AIC has been transferred to another facility, ensure the notification is forwarded there.
- Suspected cybersecurity events should be reported directly to https://www.productsecurity.jnj.com/.
Abiomed is actively developing security updates to address these vulnerabilities and will provide further instructions regarding network re-enablement once solutions are ready.
What additional resources are available?
The letter also highlights several regulatory resources:
- FDA’s Medical Device Recall Database entries and Enforcement Reports.
- Abiomed’s Field Safety Notification on HeartRecovery.com, dated October 2, 2025.
- Guidance for recognizing the Unique Device Identifier (UDI) on medical device labeling.
- AccessGUDID database for detailed device identification.
Healthcare professionals and consumers experiencing adverse reactions or quality issues associated with the AIC are encouraged to report these events through MedWatch, the FDA’s Safety Information and Adverse Event Reporting Program.
Next steps
Abiomed recommends that providers carefully follow mitigation steps outlined in the notification to maintain patient safety and regulatory compliance. Facilities should proactively communicate the alert to all relevant staff and continue monitoring updates from Abiomed to ensure timely application of forthcoming security measures.
Disclaimer
This informational article is directed at healthcare professionals and regulatory teams managing affected devices. It should not be interpreted as legal or compliance advice. Always consult official FDA and manufacturer communications for authoritative guidance.
Mandatory FDA information
For full information about the FDA announcement, see the link below.
https://www.fda.gov/medical-devices/medical-device-recalls-and-early-alerts/alert-automated-impella-controller-correction-due-cybersecurity-issue-abiomed