Medical technology company iRhythm Holdings disclosed a cyberattack involving certain third-party-hosted business applications that resulted in the theft of patient protected health information, proprietary data, and other personal data.
The company discovered unauthorized activity on June 8, 2026, and launched an investigation with the assistance of external cybersecurity experts.
A day later, a threat actor claimed to have obtained “sensitive information, including proprietary data, patient protected health information and other personal information” and demanded payment in exchange for not publicly disclosing the data.
After confirming that data had been exfiltrated, iRhythm determined on June 10 that the incident was material because of the volume of potentially affected information.
The company has not disclosed how many individuals may have been affected, what types of information were accessed, or which third-party applications were involved.
The incident was attributed to a social engineering attack, and the company’s investigation into the scope of the breach remains ongoing.
According to iRhythm, the incident did not affect its clinical and medical device systems, manufacturing and distribution operations, financial reporting systems, or patient care services.
“The Company maintains cybersecurity insurance that may cover certain losses associated with the incident, although there can be no assurance that such coverage will be sufficient to cover all losses the Company may incur,” it added.
No known ransomware or extortion group has claimed responsibility for the attack.
Novo Nordisk breach exposes clinical trial data
The disclosure comes less than a week after drugmaker Novo Nordisk revealed that attackers had copied patient data from some clinical trials, adding another healthcare organization to a growing wave of data theft and extortion incidents.
Novo Nordisk , best known for its Ozempic and Wegovy weight-loss drugs, disclosed on June 11 that attackers gained unauthorized access to a limited number of internal IT systems and copied certain data, including information related to patients participating in some clinical trials.
The company said the exposed data included patient IDs, year of birth, sex, biomarkers, health and immunogenicity data, and lifestyle factors, but did not contain names or other direct identifiers.
“Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident. We therefore do not consider the incident to bear any immediate risks for our patients,” Novo Nordisk said in its official statement.
The company nevertheless advised patients to remain vigilant and report any unusual activity they believe could be linked to the incident.
Responsibility for the breach was claimed by a threat group calling itself Dragonfly, which alleges it exfiltrated the following data:
- 16GB of trained model checkpoints
- 407MB of proprietary training datasets
- Full source code, including modeling_novopert.py and the training pipeline
- Logs from 113 training runs
- Internal infrastructure maps covering HPC, Slurm, and SSH environments
- 53GB+ of container images
- Developer identities and internal hostnames
- A private GitHub repository URL
Novo Nordisk has not publicly confirmed the claims.
