Digital healthcare company iRhythm Holdings said hackers stole patients’ personal and health information from third-party-hosted business applications, according to an SEC filing on Monday. The company said it discovered the incident on June 10 and that the breach involved data tied to more than 12 million patients.
KEY FACTS
- Discovery: iRhythm found the incident on June 10 and launched an investigation with outside cybersecurity experts.
- Extortion: The company said the threat actor contacted it on June 9 and demanded payment to stop public disclosure of stolen information.
- Impact: iRhythm said certain data was exfiltrated from third-party-hosted business applications.
- Scope: The company said it has no evidence that products, medical device systems, patient safety or financial reporting systems were affected.
The disclosure said the stolen material may include proprietary data, patient protected health information and other personal information. iRhythm said the attackers gained access through social engineering.
The company said it does not store patients’ payment card or financial account information. It also said the breach does not involve its clinical or medical device systems.
iRhythm said the incident was material in light of the volume of potentially affected data. The company did not say how many people were impacted, and it had no immediate response to follow-up questions.
WHY IT MATTERS
The breach adds to a series of recent incidents affecting health care and pharmaceutical companies that handle sensitive patient data. For patients, the main concern is the possible exposure of medical and personal information, even when clinical systems and care services are said to be unaffected.

