Cardiac monitoring company iRhythm Technologies has disclosed a cybersecurity incident involving unauthorized access to data stored within certain third-party-hosted business applications. The company revealed details of the iRhythm data breach in a recent SEC filing, stating that sensitive information, including protected health information (PHI), may have been accessed and exfiltrated by a threat actor. 

According to the SEC filing, iRhythm identified suspicious activity on June 8 and immediately activated its cybersecurity response protocols. The company launched an investigation with assistance from external advisors and cybersecurity specialists to determine the scope of the incident and implement containment measures. 

Decoding the iRhythm Data Breach 

The company reported that on June 9, it received communications from a threat actor who claimed to have obtained “sensitive information” from the affected systems. According to iRhythm, the allegedly compromised data included proprietary company information, patient protected health information, and other forms of personal information. 

The threat actor also demanded payment in exchange for withholding the information from public disclosure. 

Following the communication, iRhythm conducted additional reviews and confirmed that certain data had indeed been exfiltrated from the impacted third-party-hosted applications. By June 10, the company determined that the incident was material due to the volume of potentially affected information. 

The SEC filing noted that the company continues to investigate the full nature and scope of the iRhythm data breach. 

Company Says Core Operations Remain Unaffected 

Despite the seriousness of the incident, iRhythm stated that it has not identified any disruption to its products, patient services, or operational capabilities. 

According to the SEC filing, the company has found no impact on: 

• Products and services 
• Clinical systems 
• Medical device systems 
• Patient safety 
• Manufacturing operations 
• Distribution activities 
• Financial reporting systems 
• The company’s ability to continue serving patients 

iRhythm said the data breach at iRhythm stemmed from a social engineering attack targeting certain third-party-hosted business applications rather than its clinical infrastructure. 

The company further emphasized that the incident did not affect its clinical or medical device systems, nor did it involve connections used by customers. Additionally, iRhythm stated that it does not store or retain individual financial account information or payment card information, reducing the likelihood that such data was compromised. 

Investigation Continues as Company Assesses Impact 

As of the latest SEC filing, iRhythm reported that it has found no evidence of ongoing unauthorized access within its systems. 

The company stated that its investigation remains active and that it is continuing to evaluate the extent of the exposure and any potential consequences arising from the incident. At present, iRhythm believes the cybersecurity event is “not reasonably likely” to have a material effect on its financial condition or operating results. 

The company also noted that it maintains cybersecurity insurance that could potentially offset certain losses related to the incident. However, iRhythm cautioned that there can be no assurance that insurance coverage would fully compensate for all losses associated with the breach.