Zoll alerts 1M wearable defibrillator users to data breach that exposed Social Security numbers

The names, addresses, birthdates and Social Security numbers of more than 1 million users of Zoll Medical’s wearable cardioverter defibrillators may have been exposed in a recent hacking attack.

In an email sent to Fierce Medtech on Wednesday, the company confirmed that a “cybersecurity incident” affected current and former users of the LifeVest device. However, it specified that the incident “does not affect the safety or operation of the LifeVest device or any other Zoll medical device or related software.”

Zoll said its investigation into the attack is still in progress, but, so far, it hasn’t found any indication that any of the data breached by hackers have been misused. The company is still in the process of notifying all patients who may have been affected by the cyberattack.

“Protecting sensitive information is a top priority for Zoll. We deeply regret any concern or inconvenience this situation may cause any of our LifeVest patients,” the devicemaker said in the email.

A data breach notification filed with Maine’s attorney general by Zoll’s outside legal counsel provides more details about the attack. According to the filing, a total of 1,004,443 individuals’ personal information may have been accessed by the hackers.

In a letter sent to those individuals March 10—a copy of which was attached to the filing—Zoll described how it “detected unusual activity on our internal network” on Jan. 28. Though the company said it acted immediately to close off the vulnerability, the breach lasted into the following day, according to the filing.

Zoll said it tapped third-party cybersecurity experts to help remedy the issue and has alerted the necessary law enforcement agencies.

In the meantime, as the company’s investigation into the attack continues, Zoll is offering all affected LifeVest users free access to credit bureau Experian’s IdentityWorks identity theft protection service for two years. The company directed its customers to contact Experian for help if they believe their information has been used fraudulently. It also advised them to “be careful when receiving emails or other communications from unknown individuals, including any communications with your medical details.”

As Zoll noted in its letter to affected customers, not only did the breach potentially expose a wealth of personal data, but it also revealed a piece of health information about each of the individuals: that they either used the wearable defibrillator or were considered for its use.

The LifeVest system is meant to be used by people whose doctors have determined they’re at risk of sudden cardiac death. It includes a vest that’s worn under clothing and features a belt dotted with electrodes to track the wearer’s heart rhythm. If the rhythm speeds up to a potentially life-threatening rate, the electrodes automatically deliver an electric shock to help the heart resume a normal rhythm.

The vest connects to a separate monitor that’s worn either around the waist or across the body. The monitor continuously records the wearer’s heart rate and also emits a variety of alerts as the system detects a rapid heart rate and prepares to deliver a treatment shock—though patients can choose to delay the treatment using buttons on the monitor.