iRhythm says data breach hit third-party apps, not medical devices
Unauthorized activity at iRhythm Holdings was limited to third-party-hosted business applications, but the company said the intrusion still exposed proprietary data, patient protected health information and other personal information, underscoring how a medtech breach can spread through vendor systems rather than the devices themselves. iRhythm said its products, patient safety and clinical or medical device systems were not affected.
The company identified the activity on June 8 and activated its cybersecurity response plan, bringing in external advisors and cybersecurity experts. A day later, it received a communication from a threat actor demanding payment in exchange for not disclosing the information. iRhythm decided on June 10 that the incident was material because of the volume of potentially affected data, then disclosed it Monday, June 15.
iRhythm said it had found no evidence of ongoing unauthorized access as of the filing. It also said the incident did not affect manufacturing, distribution, financial reporting systems or its ability to meet patient needs. The company does not store individual financial account information or payment card information, and it said cybersecurity insurance may cover some losses, though not necessarily all of them.

The breach lands in the middle of a business built around cloud-linked cardiac monitoring. iRhythm’s Zio service uses a patch-based ambulatory ECG monitor that can record heart signals continuously for up to 14 days, making the security of surrounding data systems critical even when the device itself is untouched. In the first quarter of 2026, iRhythm reported revenue of $199.4 million, up 25.7% from a year earlier, and $549.6 million in unrestricted cash, cash equivalents and marketable securities as of March 31.
For patients and providers, the lingering issue is not whether the monitor kept working but what information passed through third-party applications and who may have seen it. That trust gap has become a defining risk for connected health companies, where cyber incidents can shake confidence in data handling even when clinical operations stay online.

The case also arrives amid a wider string of medtech cyber incidents involving Stryker, Intuitive Surgical and Medtronic. As iRhythm continues its investigation, the company is trying to reassure the market that its core operations are intact while the more consequential question remains unresolved: how much data left the vendor environment, and which protections failed before the company found the breach.