Healthcare Firm Hit Days After Novo Nordisk Breach

Just days after pharmaceutical giant Novo Nordisk disclosed a breach involving clinical trial data, medical technology firm iRhythm Holdings has now reported a cyberattack that compromised sensitive patient and proprietary information. The incident, discovered on June 8, 2026, involved unauthorized access to certain third-party-hosted business applications, leading to the exfiltration of protected health information (PHI), proprietary data, and other personal details.

Upon detecting suspicious activity, iRhythm immediately launched an investigation with the help of external cybersecurity specialists. By the following day, a threat actor had already contacted the company, claiming possession of the stolen data and demanding payment to prevent public disclosure. The company confirmed on June 10 that data had indeed been taken and deemed the incident material due to the potential volume of affected information.

iRhythm has not yet specified the number of individuals impacted, the exact types of data accessed, or which third-party applications were involved. The attack has been attributed to a social engineering scheme, and the investigation into its full scope remains active. The company stressed that its clinical and medical device systems, manufacturing and distribution operations, financial reporting, and patient care services were not compromised.

“The Company maintains cybersecurity insurance that may cover certain losses associated with the incident, although there can be no assurance that such coverage will be sufficient to cover all losses the Company may incur,” iRhythm stated. Notably, no known ransomware or extortion group has claimed responsibility for this breach.

The iRhythm disclosure comes less than a week after Novo Nordisk revealed that attackers had copied patient data from some clinical trials. The drugmaker, famous for its Ozempic and Wegovy weight-loss drugs, reported on June 11 that unauthorized parties accessed a limited number of internal IT systems and exfiltrated information related to clinical trial participants. Exposed data included patient IDs, year of birth, sex, biomarkers, health and immunogenicity data, and lifestyle factors. However, Novo Nordisk emphasized that names or other direct identifiers were not included.

“Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident. We therefore do not consider the incident to bear any immediate risks for our patients,” the company said in its official statement. Despite this reassurance, Novo Nordisk advised patients to remain vigilant and report any suspicious activity possibly linked to the breach.

A threat group calling itself Dragonfly has claimed responsibility for the Novo Nordisk attack, alleging it exfiltrated 16GB of trained model checkpoints, 407MB of proprietary training datasets, full source code including modeling_novopert.py and the training pipeline, logs from 113 training runs, internal infrastructure maps covering HPC, Slurm, and SSH environments, 53GB+ of container images, developer identities and internal hostnames, and a private GitHub repository URL. Novo Nordisk has not publicly confirmed these claims.