IRhythm disclosed Monday that certain data was stolen from third-party-hosted business applications in a cyberattack.
The cardiac monitoring maker identified the attack on June 8, according to a securities filing, and activated its cybersecurity response plan. The next day, iRhythm received a message from a threat actor claiming to have stolen sensitive information, including “proprietary data, patient protected health information and other personal information.”
The threat actor has demanded payment in exchange for not publicly disclosing the information, according to the filing. After receiving the communication from the threat actor, iRhythm confirmed that “certain data was exfiltrated from those applications.”
IRhythm did not respond to MedTech Dive’s request for comment by publication on whether a payment was made to the threat actor or if a payment was planned.
Data was obtained through social engineering and is from certain third-party-hosted business applications, according to the securities filing. The attack does not involve the company’s clinical or medical device systems. As of Monday, iRhythm has not identified evidence of ongoing unauthorized access to its systems, and there has been no impact on its ability to manufacture or distribute products.
“We have not identified any impact to our products, our clinical or medical device systems, our connections to customers, our manufacturing and distribution operations, patient safety, or our ability to meet patient needs,” iRhythm said in a statement posted to its website. “In addition, we do not store or retain individual financial account information or payment card information.”
The company believes that the incident is not likely to have a material impact on its financial condition or results of operations, as of Monday. IRhythm has cybersecurity insurance that may cover certain losses.
Along with enacting its cybersecurity response plan, iRhythm has launched an investigation with cybersecurity experts and external advisers.
“[iRhythm] is continuing to investigate the nature and scope of the incident, including the categories and volume of the data involved and the individuals affected,” the company said in the securities filing.
IRhythm is the latest medtech company to be hit by a cyberattack this year. In March, Stryker suffered an attack that shut down ordering, shipping and manufacturing for weeks and cut into its first-quarter results.
The same week Stryker disclosed its attack, surgical robotics company Intuitive said it was hit by a phishing incident in which an unauthorized third party accessed information including customer business and contact information, as well as employee and corporate data.
Meanwhile, Medtronic reported in April that an unauthorized party accessed data in certain corporate IT systems.