Cardiac Monitor Maker iRhythm Breached, Patient Data Stolen in Social Engineering Attack

Cardiac monitoring provider iRhythm disclosed on June 16 that attackers used social engineering to breach its third-party business applications, stealing patient health information and demanding payment to prevent public disclosure. The California based company detected unauthorized activity on June 8 and received extortion messages a day later.

According to iRhythm's filing with the U.S. Securities and Exchange Commission, the attackers exfiltrated proprietary company data, protected health information, and other personal data. The company determined the incident was material on June 10 due to the volume of potentially affected data, though it has not yet disclosed how many individuals are impacted.

Attackers Targeted Business Apps, Not Clinical Systems

iRhythm emphasized that the intrusion was confined to business applications and did not reach its clinical systems, medical devices, or customer connections. Patient care and day-to-day operations were unaffected. The company has not identified the threat actor or specified which third-party hosted applications were compromised.

• Attackers used social engineering, likely phishing or help desk impersonation, to gain access.
• iRhythm maintains cyber insurance that may cover some losses.
• The company believes the incident is unlikely to have a material impact on its financial condition.
• No ongoing unauthorized access has been identified as of the filing date.

Healthcare Sector Under Siege: Novo Nordisk Also Hit

The iRhythm breach comes less than a week after pharmaceutical giant Novo Nordisk revealed that attackers copied patient data from some clinical trials. The hack-and-leak group FulcrumSec claimed responsibility, stating it stole 1.3TB of data from the company. These incidents highlight a growing trend of cybercriminals targeting healthcare organizations for sensitive patient information, often followed by extortion demands.

Healthcare entities have increasingly faced phishing campaigns and social engineering tactics designed to bypass technical defenses. The iRhythm breach underscores the vulnerability of third-party business applications, which may not have the same security posture as core clinical systems. As attackers shift focus to data theft and extortion rather than ransomware, healthcare providers must reassess their security strategies.

iRhythm has not disclosed whether it paid the ransom or negotiated with the attackers. The company said it is cooperating with law enforcement and third-party cybersecurity experts. For now, affected patients await notification, and the healthcare industry watches for the next breach.