Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach
iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026.
According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activated its cybersecurity incident response plan and launched an investigation to determine the nature and scope of the unauthorized activity. On June 9, 2026, one day after the unauthorized access was identified, the company received communications from a threat actor who claimed to have exfiltrated sensitive data from its applications and demanded payment to prevent the data from being publicly released.
San Francisco, CA-based iRhythm makes cardiac monitoring devices that are used by approximately 8 million patients in the United States and Europe, and cloud-based data analytics for diagnosing and tracking patients with heart arrhythmias. The threat actor claimed to have exfiltrated proprietary data and patient data from iRhythm applications.
The internal investigation confirmed that the threat actor had exfiltrated sensitive data, including personal and protected health information. While the number of individuals affected by the incident has yet to be confirmed by iRhythm, the company said in the Form 8-K filing that this was a material incident due to the volume of data potentially stolen in the attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
iRhythm has not identified any impact on its products, clinical, or medical device systems as a result of the incident. The incident has not had any impact on patient safety, manufacturing, its distribution operations, financial reporting systems, or the company’s ability to meet patient needs.
The threat actor gained access to certain third-party hosted business applications through social engineering. The company’s medical device systems and connections to customers were not affected, and the company does not retain any individual financial account information or payment card information. iRhythm is still investigating the data breach and has yet to announce the number of affected individuals or the types of data compromised in the incident.
The SEC filing does not state whether payment was made to the attacker or if the company is negotiating payment. While this was a material cybersecurity incident, the company does not believe it will have a material impact on its financial condition or results of operations, although the company warned that the attack could cause significant harm to the company’s brand, reputation, and patient trust in its devices. The company holds a cyber insurance policy, which may cover certain losses incurred as a result of the incident.
Several cyberattacks have recently been reported by medical device manufacturers, including UFP Technologies in February 2026, which involved either the theft or destruction of company data; Stryker, which involved the exfiltration of around 50 terabytes of data in March; and Medtronic experienced a major data theft incident in March, involving around 9 million patient records.
