June 15 (Reuters) – iRhythm Holdings on Monday reported unauthorized activity involving data maintained on some third-party applications last week, but said it has not identified any impact on products, patient safety or medical device systems from the cyber attack.
Here are some details from the company’s filing:
• The medtech firm said it identified unauthorized activity on June 8 and launched an investigation with external cybersecurity experts.
• The company added that on June 9 it received a payment demand from a “threat actor” claiming to have obtained proprietary data, patient protected health information and other personal information.
• iRhythm deemed the incident material on June 10 due to the volume of potentially affected data.
• Based on current investigations, the incident does not have any impact on manufacturing and distribution operations, financial reporting systems or the company’s ability to meet patient needs, iRhythm said.
• The affected data was obtained through social engineering and is from certain third-party-hosted business applications, it added .
• iRhythm said the incident did not involve its clinical or medical device systems or customer connections, and that it does not store individual financial account or payment card information.
• The company has not identified evidence of ongoing unauthorized access to its systems and continuing to investigate the nature and scope of the incident and who was affected, it added.
• The incident is not likely to materially affect its financial condition or results, and cybersecurity insurance may cover some losses, The company said.
(Reporting by Kunal Das in Bengaluru; Editing by Joyjeet Das)
