Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach
iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026. According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activated its cybersecurity incident response plan and launched an investigation to determine the nature and scope of the unauthorized activity. On June 9, 2026, one day after the unauthorized access was identified, the company received communications from a threat actor who claimed to have exfiltrated sensitive data from its applications and demanded payment to prevent the data from being publicly released. San Francisco, CA-based iRhythm makes cardiac monitoring devices that are used by approximately 8 million patients in the United States and Europe, and cloud-based data analytics for diagnosing and tracking patients with heart arrhythmias. The threat actor claimed to have exfiltrated proprietary data and patient...
HIPAA Training for Medical Spas
Medical spas that qualify as HIPAA-Covered Entities should provide all members of their workforce with HIPAA training that covers foundational knowledge of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule, the specific compliance challenges that arise from working in a medical spa environment, and then any internal policies and procedures. The HIPAA training requirements are set out at 45 CFR §164.530(b) of the HIPAA Privacy Rule and 45 CFR §164.308(a)(5) of the HIPAA Security Rule. Both are mandatory standards, not implementation specifications, meaning they cannot be waived or substituted. Failure to provide documented HIPAA training is a standalone violation. For example, in 2023 St. Joseph’s Medical Center received an $80,000 penalty from OCR after an impermissible disclosure was partly attributed directly to a lack of HIPAA Privacy Rule training. A medical spa workforce that includes physicians, nurses, licensed estheticians performing medical treatments, laser technicians, receptionists, and billing staff with system access must...
HIPAA Compliance for Medical Spas
A medical spa becomes a HIPAA covered entity when it is a health care provider that transmits health information electronically in connection with a HIPAA-covered transaction. They must therefore comply with the applicable sections of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. This compliance obligation applies regardless of whether the facility describes itself as a spa, a wellness center, or an aesthetic clinic. Medical spa operators can not assume HIPAA applies only to hospitals, physician practices, or insurance companies. That assumption is incorrect and carries substantial regulatory risk. OCR enforcement actions have reached small practices and specialty providers, and civil monetary penalties apply equally to all covered entities regardless of size. Medical Spas as HIPAA-Covered Entities A medical spa becomes HIPAA-Covered Entity when it bills electronically or otherwise transmits health information in connection with HIPAA-covered transactions. The touchpoint that triggers covered entity status is not the treatment itself, but...
Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit (Updated)
A settlement has been finalized to resolve a litigation against Flo Health, Inc., Google LLC, and Flurry, Inc., over the use of tracking code on Flo Health’s fertility tracking app. Under the terms of the settlement, the defendants will pay almost $60 million to cover legal costs, expenses, and benefits for the plaintiffs and class members. The Flo Health app is one of the most popular health and wellness apps and has over 38 million monthly users. Prior to using the app, users are asked a series of personal questions about their general, sexual, and gynecological health and menstrual cycles. Further questions are asked as use of the app continues, with the answers used to provide tailored health and wellness advice. Users are told that their information will remain private and confidential and will not be shared with any third parties unless consent is provided, yet code within the app (software development kits) shared that data with the defendants, without the knowledge or consent of app users. Several lawsuits were filed against Flo Health and the other defendants, which were...
Hackers Claim Responsibility for Novo Nordisk Cyberattack
A hacking group has claimed responsibility for the cyberattack on the pharmaceutical company Novo Nordisk and says it exfiltrated more than 1 terabyte of data over several weeks. Another individual/group has also claimed it breached certain Novo Nordisk systems in June, in a separate hacking incident in June. FulcrumSec is a cyber extortion group that has been active since at least September 2025. The group specializes in high-speed data exfiltration, commonly from cloud-hosted databases, and demands payment to prevent the publication or sale of stolen data. The group exploits unrotated API keys and cloud misconfigurations for initial access. Novo Nordisk disclosed the attack on June 11, 2026, and shortly thereafter, FulcrumSec added Novo Nordisk to its dark web data leak site, along with samples of data from its claimed 1.3 TB data heist. The listing states that data exfiltrated in the attack includes clinical trial information, intellectual property, and artificial intelligence models used for drug discovery. FulcrumSec claims it issued a $25 million ransom demand to prevent the...



