iRhythm discloses data breach, says hackers stole patient info

At a glance:

• iRhythm discovered a material data breach on June 10, 2026 after hackers exfiltrated information from third‑party business applications.
• The attackers contacted the company on June 9, 2026 demanding a ransom to keep the stolen health data private.
• The breach potentially impacts health and personal data of more than 12 million patients whose heartbeat records have been analyzed by iRhythm’s cardiac monitoring service.

What happened

iRhythm Holdings, a digital‑health firm that provides cardiac monitoring and analysis, filed a report with the U.S. Securities and Exchange Commission on Monday indicating that a cyber‑incident had occurred. The company said it first learned of the breach on June 9, 2026, when a threat actor reached out demanding payment in exchange for not publishing the stolen information. The communication explicitly referenced “patient protected health information, proprietary data and other personal information.”

The next day, June 10, 2026, iRhythm confirmed that data had indeed been exfiltrated from several third‑party‑hosted business applications. The breach was deemed material because of the sheer volume of data involved – the firm’s platform has processed more than 2 billion hours of curated heartbeat data from over 12 million patients. While iRhythm did not attribute the attack to a specific group, it noted that the intruders gained entry through a classic social‑engineering tactic.

Response and impact

Immediately after the incident, iRhythm activated its cybersecurity response plan, engaged external experts, and began a forensic investigation. The company emphasized that there is no evidence the breach affected its core medical‑device systems, patient safety, manufacturing, distribution, or financial reporting processes. Moreover, iRhythm clarified that it does not store patients’ payment‑card or banking details, limiting the exposure to health‑related records.

The firm also disclosed that, as of the filing, it could not confirm the exact number of individuals whose data was compromised. BleepingComputer reached out for clarification but did not receive a response at the time of writing. iRhythm’s SEC filing underscores the regulatory pressure on digital‑health providers to disclose material cyber events promptly, especially when protected health information (PHI) is involved.

Industry context

The iRhythm breach follows a similar incident at Danish pharmaceutical giant Novo Nordisk, which announced a data breach affecting patient information from clinical trials after its internal IT systems were compromised. Together, these events highlight a growing trend where attackers target the health sector’s rich trove of personal and biometric data, often leveraging third‑party services as the weakest link.

Healthcare organizations are increasingly required to adopt a “defense‑in‑depth” posture, routinely testing each layer of their infrastructure. According to recent industry surveys, only 14 % of security alerts are acted upon, while 54 % of successful attacks go unnoticed until after data loss. Experts recommend continuous breach‑and‑attack simulation (BAS) to validate SIEM and EDR rules, a practice that could have mitigated the iRhythm exposure.

What to watch next

Regulators are likely to scrutinize iRhythm’s response, especially its notification timeline and the adequacy of its third‑party risk management. Investors may also monitor any potential financial fallout, as material breaches can trigger stock volatility and class‑action lawsuits. Finally, the broader digital‑health market will be watching how firms bolster social‑engineering defenses and whether new standards emerge for securing outsourced applications.