iRhythm Holdings disclosed a material cybersecurity incident after attackers used social engineering to access certain third-party-hosted business applications and exfiltrate sensitive data. According to the company’s SEC filing, unauthorized activity was identified on June 8, and on June 9 a threat actor contacted iRhythm claiming to possess proprietary company information, patient protected health information, and other personal data, while demanding payment to stop the information from being publicly released.
The company said the intrusion was confined to third-party business applications and that there is no evidence its products, clinical or medical device systems, customer connections, patient safety, manufacturing and distribution operations, or financial reporting systems were affected. iRhythm has not named a responsible group or disclosed how many individuals were impacted. It said it is still investigating, with external cybersecurity experts, whether the attacker’s claims fully match the data stolen. It also stated that payment card and financial account information were not involved and that it has not found evidence of ongoing unauthorized access.

3 events from the most recent confirmed update back to the earliest known activity.
On June 10, 2026, iRhythm determined the incident was material and disclosed it in a Form 8-K. The filing said stolen data came from third-party-hosted business applications, that products and clinical systems were not impacted, and that no ongoing unauthorized access had been identified as of the filing date.
On June 9, 2026, a threat actor contacted iRhythm claiming to possess sensitive information, including proprietary data and patient protected health information, and demanded payment to prevent public disclosure. The company later confirmed that certain data had been exfiltrated.
On June 8, 2026, iRhythm identified unauthorized activity involving data stored in certain third-party-hosted business applications. The company said the intrusion involved social engineering.