Cardiac monitoring firm iRhythm hit by data theft and extortion

iRhythm, one of the largest providers of ambulatory cardiac monitoring, has disclosed that attackers stole sensitive data, including patient health information, and are now trying to extort the company to keep it from being published. The firm makes the Zio patch, a wearable heart monitor, and says it has processed more than two billion hours of heartbeat data from over twelve million patients.

In a filing with the U.S. Securities and Exchange Commission, iRhythm said it was contacted on June 9 by someone who claimed to have stolen proprietary data, protected patient health information, and other personal details, and who demanded payment in exchange for not releasing it. The company said the data was taken through social engineering that targeted "certain third-party-hosted business applications," and it did not say how many people or records were affected.

What iRhythm says happened

iRhythm has tried to reassure patients that the breach did not reach its medical devices or care operations. "We have not identified any impact to our products, our clinical or medical device systems, our connections to customers, our manufacturing and distribution operations, patient safety, or our ability to meet patient needs," the company said, adding that it does not store payment card or financial account information. In the same filing, though, it called the incident significant "in light of the volume of the potentially affected data," and the extortionist claims to be holding patients' medical records.

Why a health data breach matters

Even without stolen credit card numbers, healthcare breaches have a long tail. Criminals can use intimate medical details to craft convincing scam emails, texts, or phone calls (for example, referencing a recent Zio patch recording) to trick patients into handing over more information or paying fake bills. The same data fuels medical identity theft and insurance fraud, and it tends to circulate on criminal markets for years, long after the headlines fade.

What patients should do

If you have used iRhythm's services, watch your mail, email, and patient portals for an official breach notice from iRhythm or your healthcare provider. When a notice arrives, verify it through a separate channel before acting: go directly to iRhythm's official site or call a number you already know rather than clicking links in the message. Be especially wary of messages offering compensation or refunds tied to the incident. Change the password on any iRhythm-linked account and on hospital patient portals, and retire that password anywhere else you reused it. Review your health insurer's claims and explanation-of-benefits statements regularly for activity you do not recognize.

The breach was reported by researchers at Malwarebytes, drawing on iRhythm's own SEC disclosure. It lands amid a steady run of extortion attacks on the health sector, from a new ransomware crew claiming a wave of healthcare victims to data-theft extortion hitting large institutions.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.