healthcare · BleepingComputer
iRhythm Holdings, a digital healthcare company providing cardiac monitoring services, disclosed a data breach on June 10, 2026, after confirming that attackers had exfiltrated sensitive information from third-party-hosted business applications. The company stated that patient protected health information and other personal data were stolen, though the exact number of affected individuals was not immediately disclosed. iRhythm received extortion communications from the threat actor on June 9 demanding ransom in exchange for non-disclosure, but the company has not attributed the attack to a specific threat actor. The company emphasized that its clinical and medical device systems were not compromised and that patient safety and manufacturing operations were unaffected. iRhythm also noted it does not store payment card or financial account information, and that the threat actors gained access through social engineering.
Healthcare organizations subject to HIPAA must treat this incident as a cautionary case: unauthorized access to patient protected health information triggers notification and reporting obligations regardless of ransom demands. Regulated healthcare providers should review their vendor risk management frameworks and assess whether third-party application security assessments are sufficiently rigorous, particularly for systems processing sensitive data. Additionally, organizations handling controlled unclassified information (CUI) in clinical research or defense healthcare contexts must ensure incident response plans account for both notification timelines and potential CMMC compliance implications if breached data touches covered defense networks. An Omniware engagement can scope third-party risk controls, HIPAA breach notification procedures, and incident response governance in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/irhythm-discloses-data-breach-says-hackers-stole-patient-info/
Source: BleepingComputer
All briefings