iRhythm says social engineers stole patient data from business apps

Regulation Reporter

iRhythm said attackers used social engineering to reach third-party business apps, steal protected health information and demand payment.


iRhythm Technologies said attackers stole patient health information and company data after they used social engineering to access third-party business applications.

The California cardiac monitoring company disclosed the incident in a U.S. Securities and Exchange Commission filing after it detected unauthorized activity June 8. iRhythm said a cybercriminal contacted the company June 9 and claimed possession of proprietary data, protected health information and other personal information.

The attacker demanded payment to keep the data from disclosure, iRhythm said. The company confirmed data theft and determined June 10 that the incident met its materiality threshold because of the volume of information involved.

iRhythm makes wearable cardiac monitors that collect heart data and support clinical reports. The company said attackers reached business applications, but its investigation found no access to clinical systems, medical devices or customer connections. iRhythm said patient care and operations continued during the incident.

The company has not said how many patients or employees face exposure. It also has not identified the data fields involved, the applications attackers accessed or the group behind the extortion attempt.

For compliance teams, the missing details matter. Protected health information can include names, dates of birth, patient identifiers, insurance details, diagnostic data and contact information. Each data element changes the notification analysis, the risk assessment and the support that affected individuals may need.

Health care companies should treat this disclosure as a third-party application and identity-control problem. iRhythm said attackers used social engineering, which points compliance and security teams toward help desk procedures, account recovery flows, multifactor authentication resets, vendor access and employee verification scripts.

Under the Health Insurance Portability and Accountability Act, covered entities and business associates must assess whether an incident compromised protected health information. They must examine the nature of the data, the person who used it or received it, whether the attacker viewed or acquired it and the extent of risk mitigation. If the analysis shows a breach, organizations must notify affected individuals and, in some cases, regulators and media outlets.

Public companies face a second clock. SEC cybersecurity rules require companies to disclose material cybersecurity incidents on Form 8-K within four business days after they determine materiality. iRhythm said it made that determination June 10, after it reviewed the volume of information the attackers may have accessed.

iRhythm said it had found no ongoing unauthorized access as of the filing date. The company also said it does not expect the incident to have a material effect on its financial condition or operating results. It said cyber insurance may cover some costs.

Compliance officers should still assume more work follows. iRhythm will need to finish its forensic review, identify affected people, decide whether HIPAA or state breach notice laws require notices, coordinate with vendors and preserve evidence for regulators, insurers and possible litigation.

The company’s disclosure also shows how extortion cases now reach health care suppliers that do not suffer device outages or clinical downtime. Attackers can steal sensitive data from business systems, pressure the company through a payment demand and leave the clinical environment intact. Patients still face privacy risk when attackers copy health data.

Security teams should review employee verification steps for support desks and application administrators. They should require phishing-resistant multifactor authentication for privileged accounts, restrict third-party app access by role, log administrative changes and test procedures for suspicious password resets or device enrollments.

Legal and compliance teams should map vendor-hosted applications that store protected health information. They should confirm who owns breach notification duties, how fast vendors must provide logs and whether contracts require support for regulator inquiries.

The iRhythm incident follows a wave of health care data theft and extortion cases. Attackers target medical data because victims cannot rotate it like a password, and health care companies face tight legal duties once thieves copy patient information.

The next deadline depends on the facts iRhythm confirms. If the company determines that attackers compromised protected health information under HIPAA, affected individuals will need clear notices that explain the data involved, the discovery date, the steps iRhythm took and the actions patients can take to reduce risk.
