Data Breach Notification , Data Privacy , Data Security

A cardiac monitoring firm that helps millions of patients diagnose and track cardiac arrhythmias says hackers stole proprietary data and patient health information and demanded a ransom. The company didn't say whether it paid.

See Also: Know Thy Enemy: Threats to Cyber Resilience

San Francisco-based iRhythm Technologies told the U.S. Securities and Exchange Commission that hackers stole the data from "certain" third-party-hosted business applications. An SEC filing on Monday said the company discovered "unauthorized activity" on the hosted systems on June 8.

The following day, iRhythm received demands from a threat actor for an undisclosed payment in exchange for not publicly releasing the stolen data, including proprietary data, patient protected health information and other personal information, the company said.

"On June 10, the company determined that the incident is material in light of the volume of the potentially affected data," iRhythm told the SEC.

The company in a public statement about the incident posted on its website said it has not identified "any impact" to its products, clinical or medical device systems, connections to customers, manufacturing and distribution operations, or patient safety.

"We do not store or retain individual financial account information or payment card information," iRhythm said.

iRhythm did not immediately respond to ISMG's request for additional details about the incident, including whether the company paid a ransom demand, the number of people affected by the data breach and clarification about the type of third-party hosted applications compromised.

iRhythm, which reported revenue of $747.1 million in 2025, offers wearable biosensors, remote monitoring and cloud-based data analytics "with powerful proprietary artificial intelligence algorithms" to help diagnose and track patients with cardiac arrhythmias. The company says it serves more than 8 million patients in the U.S. and Europe.

In a year-end filing last year with the SEC, iRhythm admitted that it had been subject to cyber incidents and data compromises in the past, "and expect that we will be subject to additional cyberattacks in the future and may experience future data breaches and other security incidents."

"Such incidents may impact the integrity, availability or confidentiality of the data we maintain or disrupt our information systems, devices or business, including our ability to deliver our services," the company told the SEC.

"As cyberthreats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any cybersecurity vulnerabilities," the company said.

iRhythm also told the SEC that its Zio brand cardiac monitoring devices "are subject to cybersecurity vulnerabilities leading to potential harm to patients or compromises data security and confidentiality."

In case of an incident affecting those Zio products, "we may be required to initiate field actions, including device recalls, or subject to government inspections, investigations or enforcement actions," the company told the SEC.

The company also said a breach could "cause significant harm to our brand reputation and consumer trust in our devices."

iRhythm is among several other medical device companies hit with hacks in recent months, most notably a March 11 wiper attack on medical technology manufacturer Stryker, which was claimed by Iranian hacktivists Handala. The group, which widely suspected of being a front for Iran's Ministry of Intelligence, boasted of exfiltrating 50 terabytes of "critical data" for Stryker. The attack also disrupted Stryker ordering, distribution and manufacturing operations for several weeks (see: Stryker Hack Affects First Quarter Results).

In April, ransomware gang ShinyHunters posted a claim on a Tor network site alleging it had hacked into a database of medical device maker Medtronic, stealing 9 million records containing patient information as well as additional terabytes of internal corporate data (see: Medtronic Already Facing Federal Lawsuits in Recent Hack).

Also, in February, UFP Technologies, a Massachusetts-based maker of single-use medical devices and other healthcare supplies, also notified the SEC about a cyber incident discovered on Valentine's Day that involved the theft or destruction of some company data (see: Medical Device Maker Reports Data Theft Hack to SEC).