Digital healthcare company iRhythm Holdings has disclosed a data breach in which threat actors gained unauthorized access to business applications hosted by third-party vendors and exfiltrated patients' personal and protected health information (PHI).
The San Francisco-based company, known for its Zio cardiac monitoring patches used to detect arrhythmias and other heart conditions, confirmed that the intrusion affected data stored on externally hosted platforms used to support its business operations.
What Was Exposed
According to iRhythm's disclosure, the compromised information may include:
- Patient names and dates of birth
- Health insurance information
- Medical record numbers
- Diagnostic and cardiac monitoring data
- Contact information including addresses and phone numbers
- Social Security numbers for a subset of affected individuals
iRhythm has not publicly confirmed the total number of patients affected as of the time of writing, but the company stated it is working with cybersecurity experts to assess the full scope of the incident.
Third-Party Hosting Increases Exposure Risk
The breach highlights the growing risk posed by shadow IT and enterprise reliance on third-party Software-as-a-Service (SaaS) applications. iRhythm indicates the attackers targeted applications hosted by external vendors — platforms that may operate outside the company's direct security perimeter.
Healthcare organizations are frequent targets of cybercriminals due to the high value of PHI on dark web marketplaces. Medical records can sell for significantly more than financial credentials, as they contain immutable personal identifiers that enable identity fraud, insurance scams, and social engineering attacks.
iRhythm's Response
The company says it:
- Promptly launched an internal investigation upon discovering unauthorized access
- Engaged third-party cybersecurity forensics specialists
- Notified law enforcement agencies
- Is in the process of notifying affected patients directly
- Has taken steps to further secure its vendor application ecosystem
iRhythm has also indicated it is reviewing its third-party vendor security controls and will implement additional safeguards to prevent recurrence.
Healthcare Sector Under Sustained Attack
This disclosure comes amid a broader wave of healthcare data breaches in 2026. The sector has faced relentless pressure from ransomware groups, financially motivated threat actors, and state-sponsored adversaries who recognize that patient data is both valuable and often accessible through legacy systems and third-party integrations.
Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), iRhythm is required to notify affected individuals and the Department of Health and Human Services (HHS) within 60 days of discovering a breach involving more than 500 individuals.
Patients whose data may have been exposed are advised to:
- Monitor their health insurance statements for signs of fraud or unauthorized claims
- Place a credit freeze with major credit bureaus if SSNs were involved
- Watch for phishing attempts — attackers often follow breaches with targeted email or phone scams
- Request a free credit report and review it for unfamiliar accounts
What to Watch For
iRhythm is expected to file a formal breach notification with the HHS Office for Civil Rights. This will provide more detail on the number of affected individuals and the specific data categories compromised.
CosmicBytez Labs will continue to monitor and update this story as more details become available.