Cyber Incident Victim: iRhythm
Date:
Jun 2026
Location:
—
Summary
iRhythm, a health company specializing in wearable cardiac monitoring technology, disclosed a cyberattack in which unauthorized activity was detected on certain third‑party‑hosted business applications. The attack involved social engineering, and a threat actor claimed to have stolen proprietary data and patients’ protected health information while demanding a ransom to prevent public release. The company confirmed that some data was exfiltrated from those applications but did not verify the actor’s description of the compromised data. It stated that its clinical or medical device systems, manufacturing and distribution operations, patient safety, and financial reporting were unaffected, and that it does not store individual financial account or payment card information. External cybersecurity experts are investigating the nature and scope of the incident, including the categories and volume of data involved and the number of individuals affected. It remains unclear whether a ransom was paid, and no known ransomware or extortion group has claimed responsibility.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 8, iRhythm detected unauthorized activity involving data maintained on certain third‑party‑hosted business applications and determined that the intrusion involved social engineering techniques. The following day, June 9, a threat actor contacted the company claiming to have stolen sensitive information, including proprietary data and patients’ protected health information, and demanded a ransom to prevent the compromised files from being leaked. After receiving the claim, iRhythm confirmed that certain data had been exfiltrated from the affected applications. The company has not disclosed the name of the targeted application or the specific data elements that were taken. iRhythm stated that its clinical or medical device systems, manufacturing and distribution operations, patient safety, and connections to customers were not impacted by the incident. The firm also noted that it does not store or retain individual financial account information or payment card information. As of the Monday filing, iRhythm had not identified evidence of ongoing unauthorized access to its systems. The company is still working to determine how many individuals are affected and what type and volume of data were stolen.
iRhythm activated its cybersecurity response plan and engaged external cybersecurity experts to investigate the breach. The firm is continuing to investigate the nature and scope of the incident, including the categories and volume of the data involved and the individuals affected. It has not yet confirmed whether the threat actor’s description of the stolen data is accurate. No known ransomware or extortion group has taken credit for the attack, and it remains unclear whether iRhythm has agreed to pay a ransom or engaged in negotiations with the hackers. The company believes that the incident is not likely to have a material impact on its financial condition or results of operations as of the filing date. iRhythm reports that it has cybersecurity insurance that may cover certain losses arising from the breach. In the broader context, iRhythm is the latest medtech company to experience a cyberattack this year, following incidents at Stryker in March, Intuitive Surgical in the same week, and Medtronic in April.