Material Cybersecurity Incidents.


 

On June 8, 2026, iRhythm Holdings, Inc. (the "Company") identified unauthorized activity involving data maintained on certain third-party-hosted business applications. The Company promptly activated its cybersecurity response plan and launched an investigation with the support of external advisors and cybersecurity experts to assess and contain the threat.


 

On June 9, 2026, the Company received communications from a threat actor claiming to have obtained sensitive information, including proprietary data, patient protected health information and other personal information. The communications from the threat actor demanded payment in exchange for not publicly disclosing this information. Since receipt of the communications, the Company has confirmed that certain data was exfiltrated from those applications. On June 10, 2026, the Company determined that the incident is material in light of the volume of the potentially affected data.


 

Based on its investigation as of the date of this Current Report on Form 8-K, (1) the Company has not identified any impact to its products, clinical or medical device systems, patient safety, manufacturing and distribution operations, financial reporting systems, or the Company's ability to meet patient needs and (2) the affected data was obtained through social engineering and is from certain third-party-hosted business applications. The incident does not involve the Company's clinical or medical device systems or connections to customers and the Company does not store or retain individual financial account information or payment card information.