iRhythm Holdings filed a material 8-K with the SEC Monday after hackers demanded ransom for patient cardiac data stolen through a social engineering attack on third-party-hosted business applications.
The company’s cardiac monitoring service has analyzed more than 2 billion hours of heartbeat data from over 12 million patients. A threat actor contacted iRhythm on June 9, claiming to have taken proprietary data and protected health information and demanding payment to stay quiet. The company confirmed the exfiltration the next day and called the incident material in an SEC 8-K filed June 16.
iRhythm reported $747 million in 2025 revenue and has guided to $870-$880 million for 2026. HIPAA penalties for large-scale protected health information breaches can reach tens of millions of dollars; HHS’s Office for Civil Rights has levied multi-million-dollar settlements against healthcare companies for far smaller incidents.
The attack vector here mirrors a pattern that has hit healthcare repeatedly since Change Healthcare in 2024: social engineering into third-party cloud applications rather than the core clinical systems. What makes iRhythm’s exposure distinct is the data type. Cardiac rhythm strips can’t be rotated like passwords, and the long-tail liability under HIPAA and state privacy statutes extends well beyond the initial breach disclosure.
The company said no clinical or medical device systems were affected. It doesn’t store payment card data. iRhythm hasn’t disclosed how many individuals had data exposed.
Marcus Webb