iRhythm says its cardiac monitoring service has been used to analyze "more than 2 billion hours of curated heartbeat data from over 12 million patients." That scale underscores what the company described in an SEC filing this week after disclosing a ransomware-style intrusion that led to the theft of patients' personal and health information held on third‑party business applications.
iRhythm’s public disclosure and timeline
In a filing with the U.S. Securities and Exchange Commission on Monday, iRhythm Holdings reported that it discovered the incident one day earlier and immediately launched an investigation with external cybersecurity experts while activating its cybersecurity response plan to contain the breach. According to the filing, attackers first reached out on June 9, 2026, demanding payment in exchange for not publicly disclosing stolen health information.
"On June 9, 2026, the Company received communications from a threat actor claiming to have obtained sensitive information, including proprietary data, patient protected health information and other personal information," the company said in the filing. "The communications from the threat actor demanded payment in exchange for not publicly disclosing this information."
iRhythm said it confirmed that "certain data was exfiltrated from those applications" and on June 10, 2026 determined that the incident is material "in light of the volume of the potentially affected data." The company did not attribute the incident to any named threat actor or extortion group in the filing.
Scope and character of the data exposed
iRhythm said the attackers stole patients' personal and health information stored on third‑party‑hosted business applications. The company described the stolen material in its filing as including "proprietary data, patient protected health information and other personal information." iRhythm also stated that it does not store patients' payment card or financial account information.
While the filing confirms exfiltration, the company did not provide a specific count of affected individuals in the notice BleepingComputer reviewed. BleepingComputer reached out to an iRhythm spokesperson for further information about the number of individuals impacted, but a response was not immediately available.
Attack vector and operational impact
iRhythm reported that the threat actors gained access to the data through social engineering. The company emphasized in its filing that it has no evidence the incident affected "its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, [or] financial reporting systems." It also reiterated that the breach does not involve its clinical or medical device systems.
In response to discovery of the incident, the company said it activated its response plan and engaged external cybersecurity specialists to investigate and try to contain the intrusion.
How patients, security teams, and regulators are positioned
- Patients and trial participants: Individuals whose protected health information may have been taken will likely be the primary concern of this disclosure. The filing indicates patient protected health information was among the allegedly stolen data; iRhythm also told investors it does not retain payment card or financial account data.
- Security teams and technologists: iRhythm's immediate engagement of external cybersecurity experts and activation of an incident response plan illustrates the operational steps enterprises take after a claim of exfiltration. The company specifically identified social engineering as the method used to gain access, a detail security teams will scrutinize when hardening user- and process-level defenses and third‑party application controls.
- Regulators and securities overseers: The company filed with the SEC and characterized the incident as material on June 10, 2026, signaling the disclosure met the company’s reporting threshold and drawing regulatory attention to the incident and how it is being managed.
Conclusion: confirmed exfiltration, unanswered scale
iRhythm's SEC filing confirms a ransom demand, social‑engineering access to third‑party‑hosted business applications, and that "certain data was exfiltrated." It also asserts no impact to clinical devices or patient safety systems and says it does not store payment card or financial account information. The concrete details left pending in the record are the number of individuals affected, the specific third‑party applications involved, and whether the alleged stolen data will be published by the extortionists — questions the company has not answered publicly as of the filing.
