iRhythm Says Data Exfiltrated From Third‑Party Business Apps; Devices, Patient Care Unaffected

iRhythm Holdings disclosed a material cybersecurity incident after confirming that data was exfiltrated from certain third-party-hosted business applications, while saying its medical devices, clinical systems and patient care operations were not affected. In a Form 8-K filed with the Securities and Exchange Commission on Monday, the San Francisco-based company said a threat actor claimed the stolen information included proprietary data, patient protected health information and other personal information, but iRhythm has not publicly confirmed the specific categories of exfiltrated data.

The company said it identified unauthorized activity on June 8 involving data maintained on certain third-party-hosted business applications. On June 9, it received communications from a threat actor claiming to have obtained sensitive information and demanding payment to avoid public disclosure. iRhythm said that “since receipt of the communications, the Company has confirmed that certain data was exfiltrated from those applications.” The company determined on June 10 that the incident was material “in light of the volume of the potentially affected data,” and disclosed it in an Item 1.05 Form 8-K filed June 15.

iRhythm said it activated its cybersecurity response plan and began an investigation with external advisers and cybersecurity experts. The company said that, as of the filing date, it had “not identified any impact to its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, financial reporting systems, or the Company’s ability to meet patient needs.” It also said the incident does not involve its clinical or medical device systems or connections to customers. According to the filing, the affected data was obtained through social engineering. The company added that it does not store or retain individual financial account information or payment card information.

Important details remain unclear. iRhythm did not identify the third-party application or applications involved, did not disclose how many people may be affected and did not specify the exact data fields exposed. The investigation is ongoing, and the company said it is still assessing the categories and volume of data involved, as well as the individuals affected. As of the filing, it said it had not identified evidence of ongoing unauthorized access. It also said it does not believe the incident is reasonably likely to have a material impact on its financial condition or results of operations, though that assessment could change as the investigation continues.

iRhythm is best known for its Zio ambulatory ECG monitoring system and related diagnostic services. If unsecured patient protected health information was involved, federal health privacy rules can require notice to affected individuals and the U.S. Department of Health and Human Services when a breach is confirmed.