iRhythm Holdings Inc., a publicly traded manufacturer of heart monitoring devices, disclosed a cybersecurity incident involving unauthorized access to business applications hosted on a third-party platform. The incident was first identified on June 8, 2026 and was reported to the U.S. Securities and Exchange Commission through a regulatory filing.
The company implemented its cybersecurity incident response plan after discovering the unauthorized access and started an investigation to determine the scope and nature of the activity.
Discovery and Initial Response
The unauthorized access involved certain business applications hosted externally. After detection, iRhythm implemented its internal incident response procedures and began examining affected systems to assess potential exposure.
On June 9, 2026, one day after the initial identification of the unauthorized activity, the company received communications from a threat actor. The communication included claims that data had been exfiltrated from iRhythm systems and included a demand for payment to prevent public release of the information.
Data Exposure and Investigation Findings
The internal investigation confirmed that the threat actor exfiltrated sensitive data from the affected applications. The compromised data included personal information and protected health information (PHI) covered by HIPAA laws.
The number of individuals affected has not been confirmed by the company. iRhythm stated in its filing that the incident qualifies as material due to the volume of data that may have been involved in the unauthorized access and exfiltration.
The investigation remains ongoing, and the company has not yet disclosed the categories of all affected data or the total number of impacted individuals.
Operational and System Impact
iRhythm reported that its core medical device systems were not affected by the incident. No disruption occurred to product functionality, clinical systems, or medical device operations.
The company does not store individual financial account information or payment card data, limiting exposure to those categories in its systems.
Threat Actor Activity and Access Method
The threat actor gained access to the affected applications through social engineering techniques targeting third-party hosted systems. The breach only affected external business applications and not core medical device infrastructure.
The communications from the threat actor included claims of data theft and a demand for payment in exchange for preventing public disclosure of the alleged stolen data.
Regulatory Filing and Risk Assessment
iRhythm submitted the disclosure through a Form 8-K filing with the SEC. The company characterized the incident as material due to the scale of potentially impacted data.
Despite this classification, the company stated that it does not expect the incident to have a material impact on its financial condition or results of operations. The filing also noted potential risks related to reputational harm and reduced patient trust in its devices.
Insurance Coverage and Ongoing Review
The company maintains a cyber insurance policy that may cover certain costs associated with the incident. Investigation efforts continue to determine the full scope of unauthorized access, the types of data compromised, and the number of affected individuals.
Industry Context
Recent cybersecurity incidents affecting medical device manufacturers have included multiple large-scale events. UFP Technologies experienced an incident involving theft or destruction of company data in February 2026. Stryker reported data exfiltration involving approximately 50 terabytes of data in March. Medtronic also disclosed a separate incident involving the theft of approximately 9 million patient records during the same period.
These events reflect continued exposure risks within the medical device and healthcare technology sector, particularly where third-party systems and large-scale patient data environments are involved.
Image credit: 1943996297 – SUPERARTMAN, AdobeStock / logo©iRhythm
