Healthcare technology company iRhythm has confirmed a cyberattack involving third-party business applications. The breach resulted in the theft of patient and proprietary data, along with an extortion demand from the attacker.
What happened
According to Security Affairs, healthcare technology company iRhythm Technologies has confirmed that it was hit by a cyberattack involving unauthorized access to third-party-hosted business applications. In a disclosure filed with the U.S. Securities and Exchange Commission (SEC), the company detected suspicious activity on June 8, 2026, and immediately launched an investigation with external cybersecurity experts.
Shortly after, on June 9, a threat actor contacted the company claiming to have stolen proprietary corporate information, patient-protected health information (PHI), and other personal data, and demanded payment in exchange for not releasing the data publicly.
The company has since confirmed that some data was exfiltrated during the incident, although the full scope of the breach is still under investigation.
Going deeper
The attack originated through social engineering techniques, where attackers manipulate human or procedural weaknesses rather than directly exploiting technical flaws in core systems. Instead of breaching iRhythm’s clinical infrastructure, the attackers targeted third-party business applications connected to the company’s operations.
At this stage:
- No ransomware group has publicly claimed responsibility
- The number of affected individuals has not been confirmed
- The exact type and volume of stolen patient data remains unclear
What was said
According to its SEC filing, iRhythm noted that it “promptly activated its cybersecurity response plan and launched an investigation with the support of external advisors and cybersecurity experts to assess and contain the threat.” This investigation found that “(1) the Company has not identified any impact to its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, financial reporting systems, or the Company’s ability to meet patient needs and (2) the affected data was obtained through social engineering and is from certain third-party-hosted business applications. The incident does not involve the Company’s clinical or medical device systems or connections to customers and the Company does not store or retain individual financial account information or payment card information.”
The Company is still investigating the details and scope of the incident to determine “the categories and volume of the data involved and the individuals affected.”
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
The bigger picture
According to Paubox’s 2025 Healthcare Email Security Report, healthcare organizations have seen a “264% increased surge of ransomware attacks.” This is evident in the number of attacks, which “doubled from 369 to 663” between 2018 and 2020. The trend has continued in recent years. For example, in February 2026, the University of Mississippi Medical Center (UMMC) was hit by a ransomware attack that disrupted access to electronic health records, forced the temporary closure of approximately 35 clinics, and led to the cancellation of elective procedures.
Go deeper: Ransomware attack closes clinics statewide at UMMC
FAQS
What is a ransomware or extortion attack?
This type of cyberattack involves stealing or encrypting data and then demanding payment to either restore access or prevent the public release of the stolen information.
Why are healthcare organizations common targets?
Healthcare data is highly valuable on the black market because it can be used for identity theft, insurance fraud, and phishing attacks, making healthcare providers frequent targets for cybercriminals.
How can healthcare organizations reduce the risk of being successful targets?
Strong vendor security assessments, employee training, multi-factor authentication (MFA), and continuous monitoring of third-party systems can significantly reduce exposure to similar attacks.
