Digital healthcare company iRhythm Holdings has disclosed a data breach after hackers stole patients' personal and health information stored on third-party-hosted business applications.
The company says its cardiac monitoring service has been used to analyze more than 2 billion hours of curated heartbeat data from over 12 million patients.
In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, iRhythm said it discovered the incident one day earlier, prompting it to launch an investigation with external cybersecurity experts and activate its cybersecurity response plan to contain the breach.
It added that the attackers reached out one week ago, on June 9, demanding a ransom to prevent the disclosure of stolen health information online, but didn't attribute the attack to a specific threat actor or extortion group.
"On June 9, 2026, the Company received communications from a threat actor claiming to have obtained sensitive information, including proprietary data, patient protected health information and other personal information. The communications from the threat actor demanded payment in exchange for not publicly disclosing this information," iRhythm said.
