Medical device maker iRhythm has been hit by a cyberattack, but the company said the incident has not affected its core products, operations or ability to meet patient needs.
In a new SEC filing, the company said it first identified “unauthorized activity” on its systems June 8. The following day, iRhythm was contacted by a “threat actor” who claimed to have obtained “proprietary data, patient protected health information and other personal information.”
The threat actor demanded payment in exchange for not publicly disclosing the information, iRhythm said. The company later confirmed that certain data had been taken from the affected applications and determined June 10 that “the incident is material in light of the volume of the potentially affected data.”
Based on its investigation so far, iRhythm said the data were obtained “through social engineering” and came from certain third-party-hosted business applications. The company said the incident did not involve its clinical or medical device systems or customer connections.
The company also said it has not identified evidence of ongoing unauthorized access to its systems and does not believe the incident is reasonably likely to have a material impact on its financial condition or results of operations.
iRhythm markets cardiac monitoring services, notably its Zio product franchise.
Several medtech companies have been hit by cyberattacks this year, including Medtronic and Stryker.
Medtronic, the largest medical device maker in the world, said in April that it had contained a cyberattack on its corporate IT systems and that the breach had not affected its products or patient safety.
Stryker was less lucky. The company suffered a global cyberattack in early March claimed by the pro-Iran group Handala Hack Team, in response to U.S. and Israeli military strikes on Iran.
That incident left Stryker scrambling for weeks and wiped data from employee electronic devices. The company also reported that some surgeries had to be temporarily postponed because of delivery delays.
In Stryker’s first-quarter earnings release, CEO Kevin Lobo said he was “pleased with our team’s ability to recover quickly from the cyber incident and continue delivering for our customers and their patients,” as the company reported net sales up 2.6% to $6 billion and adjusted earnings per share down 8.5% to $2.60. In its quarterly filing, Stryker also pointed to higher manufacturing and supply chain costs tied to idle production time from the cyberattack.