iRhythm Confirms Data Theft Following Cyberattack on Third-Party Applications

iRhythm says attackers stole data from third-party-hosted business applications after a social engineering attack and demanded payment to prevent its release.
iRhythm confirmed that attackers stole data from certain third-party-hosted business applications after a social engineering attack. The company said the incident did not affect medical device systems, clinical operations, manufacturing, or patient safety.

Cardiac monitoring company iRhythm has confirmed that sensitive data was stolen in a cyberattack involving third-party-hosted business applications after a threat actor claimed to have obtained proprietary information, patient protected health information, and other personal data.

The company disclosed the incident in a filing with the U.S. Securities and Exchange Commission, stating that it detected unauthorized activity on June 8 and immediately activated its cybersecurity response plan.

According to iRhythm, a threat actor contacted the company on June 9 claiming to have exfiltrated sensitive information and demanded payment in exchange for not publicly releasing the data. Following an investigation, the company confirmed that certain information had in fact been exfiltrated from affected applications.

Social engineering led to unauthorized access

iRhythm said the incident involved certain third-party-hosted business applications and was the result of a social engineering attack.

The company has not disclosed which third-party platforms were affected or how the social engineering attack was carried out. It also has not disclosed the volume of records involved or the number of individuals who may have been impacted.

According to the company’s SEC filing, the threat actor claimed to have obtained proprietary business information, patient protected health information, and other personal data.

iRhythm said it continues to investigate the nature and scope of the incident, including what categories of information were accessed and which individuals may have been affected.

Medical device systems unaffected

While healthcare cyber incidents often raise concerns about patient safety and medical operations, iRhythm stated that the attack did not impact its clinical systems, medical device infrastructure, or product operations.

The company said it has not identified any disruption to manufacturing, distribution, financial reporting systems, or customer connectivity. It also reported no evidence of ongoing unauthorized access within its environment.

In a public statement, iRhythm said it has not identified any impact on patient safety or its ability to continue serving healthcare providers and patients.

The company further noted that it does not store individual financial account information or payment card data.

Investigation remains ongoing

iRhythm deemed the incident material on June 10 due to the volume of potentially affected information and launched an investigation with external cybersecurity experts and advisors.

The company has not identified a threat actor publicly and has not disclosed whether any ransom payment has been made or is being considered.

According to the company, cybersecurity insurance may cover certain losses associated with the incident, and management currently believes the attack is unlikely to have a material impact on financial results or operations.

However, the investigation remains ongoing and the full scope of the compromised information has not yet been determined.

Healthcare sector remains a frequent target

The incident adds to a growing list of cyberattacks affecting healthcare and medical technology organizations in 2026.

Several major healthcare technology companies have disclosed cybersecurity incidents in recent months, highlighting the continued attractiveness of healthcare organizations to financially motivated threat actors seeking access to sensitive patient and business information.

Recent examples include Medtronic’s disclosure of unauthorized access to internal IT systems, the CareCloud breach affecting electronic health record services, and allegations that Careficient EMR patient data was exposed in a separate healthcare-sector incident.

As investigations continue, affected individuals and healthcare providers may receive additional notifications if iRhythm determines personal or protected health information was exposed during the attack.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
