iRhythm Discloses Data Breach After Hackers Stole Patient Information

What happened

Digital healthcare company iRhythm Holdings disclosed a data breach after hackers stole patients’ personal and health information from third-party-hosted business applications.

iRhythm said its cardiac monitoring service has been used to analyze more than two billion hours of curated heartbeat data from more than 12 million patients.

The company disclosed the incident in a filing with the U.S. Securities and Exchange Commission. iRhythm said it discovered the breach on June 15, 2026, and then launched an investigation with external cybersecurity experts. The company also activated its cybersecurity response plan to contain the incident.

The attackers contacted iRhythm on June 9, 2026, claiming they had obtained sensitive information, including proprietary data, patient protected health information, and other personal information. The threat actor demanded payment in exchange for not publicly disclosing the stolen information.

Since receiving the communications, iRhythm has confirmed that certain data was exfiltrated from the affected applications. On June 10, the company determined that the incident was material because of the volume of potentially affected data.

iRhythm said it has no evidence that the incident affected its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, or financial reporting systems. The company also said the attackers gained access to the data through social engineering.

The company said it does not store patients’ payment card or financial account information, and the breach does not involve its clinical or medical device systems.

iRhythm has not disclosed how many individuals had their personal or patient data exposed in the breach.

Who is affected

Patients whose personal and protected health information was stored in the affected third-party-hosted business applications may be impacted.

The company has not disclosed the number of affected individuals or the specific categories of patient data exposed beyond describing the stolen information as patient protected health information and other personal information.

iRhythm is also affected as a healthcare technology provider handling cardiac monitoring data at scale. The incident involved third-party-hosted business applications, not clinical or medical device systems, and the company said it has no evidence that patient safety was affected.

Why CISOs should care

This incident highlights the risk of social engineering against third-party-hosted business applications that contain sensitive healthcare information. The breach did not involve iRhythm’s clinical or medical device systems, but attackers were still able to exfiltrate patient protected health information and other personal data from business applications.

For CISOs, the materiality determination is also important. iRhythm determined the incident was material because of the volume of potentially affected data, even though the company said there was no evidence of impact to products, patient safety, manufacturing, distribution, or financial reporting systems.

The case also reinforces the need to plan for extortion involving healthcare data. The threat actor contacted iRhythm and demanded payment in exchange for not publicly disclosing stolen information. Even without confirmed disruption to clinical systems, data theft involving patient information can create regulatory, legal, reputational, and notification pressure.

3 practical actions

  1. Harden third-party-hosted business applications against social engineering: iRhythm said the attackers gained access to data through social engineering and stole information from third-party-hosted business applications. CISOs should review access controls, user verification procedures, vendor-hosted app permissions, and support workflows that could be abused by attackers.
  2. Separate clinical system risk from business application exposure without minimizing either: iRhythm said the breach did not involve clinical or medical device systems and that patient safety was not affected. Security teams should still treat business applications containing protected health information as high-risk systems requiring strong monitoring, logging, and access governance.
  3. Prepare extortion response workflows for stolen healthcare data: The threat actor demanded payment in exchange for not publicly disclosing sensitive information. Healthcare organizations should define decision-making roles, legal escalation paths, communications plans, and evidence preservation steps for incidents involving stolen patient data.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.