
Cardiac-monitoring firm iRhythm says attackers took patient health data, proprietary data and personal information from third-party-hosted business applications, not from its clinical systems. For third-party risk teams the lesson is that regulated data often lives with a vendor, and that is where it leaves.
Patient health data does not have to sit in a hospital's own systems to be stolen. On 8 June 2026 the cardiac-monitoring company iRhythm detected an intrusion. In a filing with the United States Securities and Exchange Commission (SEC), it said the stolen data came from third-party-hosted business applications, the outside software services it uses to run the business, and not from its clinical or medical-device systems. A threat actor contacted the company on 9 June 2026 demanding payment. The lesson for third-party risk teams is plain: sensitive data often lives with a vendor, and that is where it can leave.
What happened
iRhythm Holdings is a digital-healthcare firm whose Zio cardiac-monitoring service has, by the company's own account, analysed more than two billion hours of heartbeat data from over twelve million patients. It disclosed the incident in an SEC filing, according to reporting by BleepingComputer and Healthcare Dive. The company identified unauthorised activity on 8 June 2026 and activated its incident-response plan. On 9 June 2026 a threat actor claimed to hold proprietary data, patient protected health information (health data covered by United States privacy law) and other personal information, and demanded payment to keep it private.
iRhythm later confirmed that certain data was exfiltrated from the affected applications. It said the access was gained through social engineering, the manipulation of people rather than the breaking of a technical control. The company has not named a threat actor, and it says the number of affected individuals was still under investigation, so that figure is unconfirmed. iRhythm added that no payment-card or financial-account information was stored, and that its products, clinical and medical-device systems, patient safety, and manufacturing and distribution operations were not affected.
Why it matters for third-party risk
The clinical systems held. The business applications around them did not. That is the pattern worth naming. Many organisations map risk to the systems they build and run, then treat the software-as-a-service tools that hold day-to-day data (customer platforms, support desks, file stores) as background plumbing. Patient and corporate records often sit inside those third-party-hosted applications, and a vendor's environment is outside the organisation's own walls. When social engineering opens that door, the data leaves through the supplier, not through the hospital-grade defences.
For healthcare in particular, protected health information held by a data processor (a vendor that handles data on your behalf) is exactly the exposure that regulators expect covered organisations to identify and control. The register that lists signed suppliers is not enough on its own if it does not also record which suppliers hold regulated data.
What teams should take from it
Two moves follow. First, extend the vendor register to record where regulated data actually resides, not only which suppliers are contracted. A support tool or business application that stores patient or personal data belongs on the register with the same weight as a core system. Second, harden the human path: the reported entry here was social engineering, so verification steps for help-desk and account-recovery requests, plus monitoring for unusual bulk access inside vendor-hosted applications, address the route that was actually used.
For third-party risk teams, this is where continuous vendor monitoring earns its place over a once-a-year questionnaire, because a supplier that holds your data can turn from routine to breach in a single day.
FAQ
What was breached at iRhythm?
iRhythm says attackers took data from third-party-hosted business applications it uses, not from its clinical or medical-device systems. The company reports that proprietary data, patient protected health information and other personal information were exfiltrated, and that no payment-card or financial-account data was stored.
Why is this a third-party risk story?
The stolen data was held inside outside software services, so the exposure came through a supplier's environment rather than iRhythm's own core systems. That is the defining feature of data-processor and supply-chain risk. For the fundamentals, see what third-party risk management covers.
How many people were affected?
As of its disclosure, iRhythm said the categories and number of individuals involved were still under investigation. That figure was unconfirmed at the time of writing.
Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.


