Medical technology company iRhythm reported Monday that it experienced unauthorized access to data stored on certain third-party applications last week, though the company says it has found no evidence that its products, medical devices, or patient safety have been compromised.
According to a regulatory filing by the company, here is what is known so far:
iRhythm first detected the unauthorized activity on June 8 and immediately brought in outside cybersecurity specialists to investigate the breach.
The very next day, on June 9, the company received a demand for payment from a so-called “threat actor” who claimed to have taken proprietary company data, protected patient health information, and other personal details.
By June 10, iRhythm determined the incident was significant enough to be considered material, citing the large volume of data that may have been compromised.
The company says that based on its ongoing investigation, the cyberattack has not disrupted its manufacturing or distribution operations, its financial reporting systems, or its ability to continue serving patients.
Investigators found that the stolen data was obtained through social engineering tactics and came from certain business applications hosted by third-party providers. iRhythm stressed that its clinical systems, medical device infrastructure, and customer connections were not involved in the breach, and that it does not retain individual financial account or payment card data.
As of now, the company has not found any evidence that unauthorized access to its systems is continuing, though the investigation into the full scope of the incident and who may have been affected remains ongoing.
iRhythm also indicated it does not expect the incident to have a material impact on its financial condition or results, and noted that its cybersecurity insurance coverage may offset some of the losses stemming from the attack.
